This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!

It's official...I'm an idiot.
2004-06-09, 7:15 PM #1
So I'm just minding my own business and I get one of those install program windows to download this "free plugin" and being the idiot that I am, I accidentally click yes instead of no and before I know it, my homepage is changed and I have a new toolbar in IE, thankfully I use firefox, but I'm the only one in my family who does, so I have to fix this. Running ad-aware and spybot as I type this.

I just felt like saying that, and to make something that might get a response, anyone ever done something similar?

[EDIT]It's hard to spell at 12:13 AM..[/EDIT]

------------------
*Takes out his blaster and fires shots at the wall, the blastmarks leave the words "S-TROOPER WUZ 'ERE!!!"

[This message has been edited by Stormtrooper (edited June 09, 2004).]
2004-06-09, 7:25 PM #2
No, but my roommate has got to have OCD when it comes to clicking yes on unknown popups.

------------------
</sarcasm>
<Anovis> mmmm I wanna lick your wet, Mentis.
__________
2004-06-09, 7:59 PM #3
Do those pop ups include "GET FREE PORN NOW!"? I had a roommate who did the same thing. Dedicated half of his 80 gig hardrive to it:P

------------------
Prowling out of the tundra, swinging a jeweled meat hammer, cometh Outlaw Torn! And he gives a gutteral bellow:

"I'm seriously going to hump you until you scream like a banshee!"
obviously you've never been able to harness the power of cleavage...

maeve
2004-06-09, 8:03 PM #4
No, the pop-ups didn't have anything to do with porn, but I could use some help on this, now when IE can't find the site, it displays the cannot find server or DNS error page, then forwards to something called "Search The Web - Incorrect Error Page" and it has a bunch of categories like the Yahoo search and a 'Search the Web' search engine thing on it.

Neither Spybot nor Ad-aware pick up on it. Any ideas?

[EDIT]The browser hijack was taken care of with ad-aware and spybot, but now I noticed something appeared in my program files folder, a folder called 'style dead dog' and has 1 .exe in it called 'Play Name' and it's in the running process when I log on. When I try to see its properties by right-clicking, explorer.exe crashes and has to reload before the right-click menu comes up. Ad-aware, Spybot, and Norton all say it's clean (Yes, they're all updated).[/EDIT]

------------------
*Takes out his blaster and fires shots at the wall, the blastmarks leave the words "S-TROOPER WUZ 'ERE!!!"


[This message has been edited by Stormtrooper (edited June 09, 2004).]
2004-06-09, 8:03 PM #5
[EDIT]Double Post[/EDIT]

[This message has been edited by Stormtrooper (edited June 09, 2004).]
2004-06-10, 4:06 AM #6
I reported this a few months ago, but does Stormy listen, noooooo.... [http://forums.massassi.net/html/tongue.gif]

[http://shauri.hopto.org/cooker/plugin.png]

http://forums.mozillazine.org/viewtopic.php?t=66531
http://bugzilla.mozilla.org/show_bug.cgi?id=238684
http://www.kephyr.com/spywarescanner/library/flingstonebridge/index.phtml


0.9 is supposed to have a fix for this.

------------------
Dear lady, can you hear the wind blow, and did you know
Your stairway lies on the whispering wind.
:wq
And when the moment is right, I'm gonna fly a kite.
2004-06-10, 4:09 AM #7
Leave it to the internet nerds to find a way to hack Firefox. [http://forums.massassi.net/html/rolleyes.gif]

------------------
<Outlaw_Torn> you mean your related to that damned sasquatch, Mech?
<MechWarrior> Lets just say the part of the family tree that does fork has bossy the goat in it.

<ubuu> does hitler have a last name?
2004-06-10, 4:14 AM #8
Err, no, they aren't hacking Firefox, it's an IE hijack. The problem is that, currently, there are no /real/ safeguards against malicious XPIs in Firefox... 0.9 should fix that.

------------------
Dear lady, can you hear the wind blow, and did you know
Your stairway lies on the whispering wind.
:wq
And when the moment is right, I'm gonna fly a kite.
2004-06-10, 5:12 AM #9
Try downloading and running CWShredder. Something like that happened to me a while ago, and that was how I fixed it.

------------------
I bet you think that's funny, don't you.
2004-06-10, 6:16 AM #10
I had one, a malicious little toolbar called 'ISearch'. *******ly little thing, I even destroyed the source folder with Steganos Security, but obviously that didn't help. Ad-aware killed it, though (thanks Dor [http://forums.massassi.net/html/smile.gif])

------------------
"No good can ever come from staying with normal people"
-Outlaw Star
"Some people play tennis. I erode the human soul"
-Tycho, Penny Arcade
"I'm a Cannabal-Vegitarian. I will BBQ an employee if there is no veggie option"
-DX:IW
A Knight's Tail
Exile: A Tale of Light in Dark
The Never Ending Story²
"I consume the life essence itself!... Preferably medium rare" - Mauldis

-----@%
2004-06-10, 6:35 AM #11
You could delete the folder, or ctrl-alt-dlt and end its running process, which should allow you to delete it if you couldn't already.

I speak from experience at deleting semi-undeletable spyware programs, though, not actual knowledge.

------------------
Steal my dreams and sell them back to me.....
2004-06-10, 6:37 AM #12
Well, like with my experience, the source folder could simply be a decoy, and the real programs are probably buried in the Windows folder somewhere.

------------------
"No good can ever come from staying with normal people"
-Outlaw Star
"Some people play tennis. I erode the human soul"
-Tycho, Penny Arcade
"I'm a Cannabal-Vegitarian. I will BBQ an employee if there is no veggie option"
-DX:IW
A Knight's Tail
Exile: A Tale of Light in Dark
The Never Ending Story²
"I consume the life essence itself!... Preferably medium rare" - Mauldis

-----@%
2004-06-10, 7:04 AM #13
Thanks for all the suggestions, I've already used CWShredder many times, it comes up clean. The program called 'Play Name.exe' in 'Program Files/style dead dog' automatically runs when I log into Windows, I end the process right after I log on, but would it be safe to just delete it? I'll look around for any suspicious things, there's an .exe in my temporary folder called rem4E.exe, I saw it running yesterday before I posted and ended its process because I've never seen it before, could it be part of the problem, explorer crashes when I try to view the properties of it.

------------------
*Takes out his blaster and fires shots at the wall, the blastmarks leave the words "S-TROOPER WUZ 'ERE!!!"

[This message has been edited by Stormtrooper (edited June 10, 2004).]
2004-06-10, 7:29 AM #14
Just found out that it's hijacking IE's homepage to this http://amazingautossearch.com/passthrough/index.html?http://about:blank
and the toolbar's name is called BLUESOAP and it comes up every time a page loads.

Ad-aware and Spybot still come up clean.

------------------
*Takes out his blaster and fires shots at the wall, the blastmarks leave the words "S-TROOPER WUZ 'ERE!!!"
2004-06-10, 9:42 AM #15
I got something like that just before Christmas last year... nasty little bugger it was too. Every time I would try and fight it by deleting it, it would come back and copy itself into more locations. It got so bad I eventually had to reformat the hard drive.

------------------
Wiggle your big toe.
Stuff
2004-06-10, 10:14 AM #16
Storm- Yes. Delete it. That's not a core windows file, and I can't think of any games that would autorun on boot...

There is a program... Hijack This. It's amazing. Run adaware, spybot, and anything else you have, and then run this baby. ***WARNING*** It doesn't look for bad things. Repeat: IT DOESN'T LOOK FOR BAD THINGS!! If you go trigger happy, your computer will NOT survive. [http://forums.massassi.net/html/tongue.gif] Read through all the descriptions however, because some are bad. So if you recognize any as being bad, or not necessary... delete them.

Kyle, We had the same problem you did, and after we ran this program, it was solved. We were running adaware, cleaning the system, reboot, run adware again, and we had 500 new things. It was /horrid./ We ran this, and we've never had over 3 since then. (This was about 3 months ago)

------------------
[16:38] Correction: dick tracy was a real man
[16:38] happydud: Actually... He wasn't. :D
[19:08] Dormouse: hi, my name's happydud and i'm passive-aggress.. SHUTUP!! *stabs nearby orphan*
[You have gained 3 Dark Side Points]
My Parkour blog
My Twitter. Follow me!
2004-06-10, 10:25 AM #17
Quote:
Originally posted by happydud:
Storm- Yes. Delete it. That's not a core windows file, and I can't think of any games that would autorun on boot...

There is a program... Hijack This. It's amazing. Run adaware, spybot, and anything else you have, and then run this baby. ***WARNING*** It doesn't look for bad things. Repeat: IT DOESN'T LOOK FOR BAD THINGS!! If you go trigger happy, your computer will NOT survive. [http://forums.massassi.net/html/tongue.gif] Read through all the descriptions however, because some are bad. So if you recognize any as being bad, or not necessary... delete them.

Kyle, We had the same problem you did, and after we ran this program, it was solved. We were running adaware, cleaning the system, reboot, run adware again, and we had 500 new things. It was /horrid./ We ran this, and we've never had over 3 since then. (This was about 3 months ago)

Hijackthis. Yes, great program. Just use common sense, and be very careful. BTW, how's the kittens? [http://forums.massassi.net/html/biggrin.gif]

------------------
There is no signature
D E A T H
2004-06-10, 10:27 AM #18
... Kittens? ::lost::

------------------
[16:38] Correction: dick tracy was a real man
[16:38] happydud: Actually... He wasn't. :D
[19:08] Dormouse: hi, my name's happydud and i'm passive-aggress.. SHUTUP!! *stabs nearby orphan*
[You have gained 3 Dark Side Points]
My Parkour blog
My Twitter. Follow me!
2004-06-10, 10:36 AM #19
Browser hijackers suck. I regard the scumbag webmasters who employ such tactics to be no better than kiddie porn dealers. They all deserve to die, IMO.

CWShredder should be able to help you, but also check your startup file for anything suspicious by typing "msconfig" in the run prompt. Be careful, though.

If you do have a coolwebsearch parasite (or any variant) then you should find a file called bootconf.exe in your startup list.

Remove it from the startup list and then delete it by looking for it in the system32 folder.

------------------
Old aunts used to come up to me at weddings, poking me in the ribs and cackling, telling me, "You're next." They stopped after I started doing the same thing to them at funerals.

[This message has been edited by Pagewizard_YKS (edited June 10, 2004).]
2004-06-10, 10:38 AM #20
i was once a kitten
░▒▓█▓▒░?░▒▓█▓▒░
2004-06-10, 10:52 AM #21
Yup. CWShredder is what you need.

http://www.spywareinfo.com/~merijn/cwschronicles.html

------------------
I bet you think that's funny, don't you.
2004-06-10, 10:57 AM #22
It's official. You're an idiot.

------------------
Titan A.E.
2004-06-10, 3:23 PM #23
Quote:
Originally posted by Jazzkokehead:
Yup. CWShredder is what you need.

http://www.spywareinfo.com/~merijn/cwschronicles.html

Quote:
Originally posted by Pagewizard_YKS:
CWShredder should be able to help you.

Um, you guys all realize that he said he already tried it and it came up clean?

Anyway, I suggest going to 'Run' in the start menu, putting in 'msconfig' (just lose the quotation marks), going to the 'Startup' tab, and see if that 'Play Name' file is in there. If it is, uncheck it, and hit apply. This will stop the program from loading on startup. However, you will still need to destroy the program.

------------------
"No good can ever come from staying with normal people"
-Outlaw Star
"Some people play tennis. I erode the human soul"
-Tycho, Penny Arcade
"I'm a Cannabal-Vegitarian. I will BBQ an employee if there is no veggie option"
-DX:IW
A Knight's Tail
Exile: A Tale of Light in Dark
The Never Ending Story²
"I consume the life essence itself!... Preferably medium rare" - Mauldis

-----@%
2004-06-10, 4:31 PM #24
That's what I was going to suggest...^^

------------------

"Bantha's are filthy animals.......I don't eat filthy animals."

"Laugh it up Fuzzball!"
-Han Solo
2004-06-10, 4:36 PM #25
My mom is always saying "But it said that it was going to protect my computer!!!"

------------------
"His Will Was Set, And Only Death Would Break It"

"None knows what the new day shall bring him"
2004-06-10, 5:17 PM #26
And then you should chain her to a wall and say "This will help protect the computer."

------------------
[16:38] Correction: dick tracy was a real man
[16:38] happydud: Actually... He wasn't. :D
[19:08] Dormouse: hi, my name's happydud and i'm passive-aggress.. SHUTUP!! *stabs nearby orphan*
[You have gained 3 Dark Side Points]
My Parkour blog
My Twitter. Follow me!
2004-06-15, 4:44 AM #27
Sorry for not responding everyone, I've been away from home with no access to a computer, I'm getting Hijack This right now. I took the program out of startup from msconfig, and I deleted the file. I'm hoping all this works, I'll update after I run Hijack This.

Oh, and Yoshi, the kittens are fine. [http://forums.massassi.net/html/smile.gif]

------------------
*Takes out his blaster and fires shots at the wall, the blastmarks leave the words "S-TROOPER WUZ 'ERE!!!"

[This message has been edited by Stormtrooper (edited June 15, 2004).]
2004-06-15, 5:15 AM #28
Here's the logfile from Hijack This:
Code:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.massassi.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8FE1A7F8-98DE-2F68-A783-1133DC62417E} - C:\PROGRA~1\ABOUTM~1\holdacid.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D9A5DC60-3A09-4EC8-BBAF-F37BAC257162} - C:\WINDOWS\system32\ehjluhz.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BLUESOAP - {B91C43A7-40DA-EAA3-32B0-1F48DE9FC34E} - C:\PROGRA~1\ABOUTM~1\holdacid.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://tiger.fhsu.edu/iNotes.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.6550115741
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{099B50A4-8FAD-4C23-8495-A8EC766A1A35}: NameServer = 164.113.48.1 164.113.63.1

I think it's the first 5 and these:
O2 - BHO: (no name) - {8FE1A7F8-98DE-2F68-A783-1133DC62417E} - C:\PROGRA~1\ABOUTM~1\holdacid.dll
O3 - Toolbar: BLUESOAP - {B91C43A7-40DA-EAA3-32B0-1F48DE9FC34E} - C:\PROGRA~1\ABOUTM~1\holdacid.dll

But I just want to have someone else who knows more about this to have a look at it.

------------------
*Takes out his blaster and fires shots at the wall, the blastmarks leave the words "S-TROOPER WUZ 'ERE!!!"
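
An added example, not part of any post in this thread and not HijackThis's own code: a small Python triage of the log format posted in #28. It lists browser settings and BHO/toolbar DLLs that fall outside what the machine's owner recognises, without judging them malicious; `KNOWN_DIRS`, `KNOWN_HOSTS` and the function names are assumptions, and the sample is a subset of the posted log.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# A subset of the log lines posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.massassi.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8FE1A7F8-98DE-2F68-A783-1133DC62417E} - C:\PROGRA~1\ABOUTM~1\holdacid.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BLUESOAP - {B91C43A7-40DA-EAA3-32B0-1F48DE9FC34E} - C:\PROGRA~1\ABOUTM~1\holdacid.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

# Assumptions supplied by whoever knows the machine: where software they
# installed lives, and which hosts they expect to see in browser settings.
KNOWN_DIRS = [r"C:\Program Files\Adobe", r"C:\Program Files\Norton AntiVirus"]
KNOWN_HOSTS = {"www.massassi.net"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
SETTING_RE = re.compile(r"^(?P<key>[^=]+?) = (?P<url>\S+)$")
COMPONENT_RE = re.compile(r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - "
                          r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

def parse(log):
    """Yield (code, fields) for registry-setting (R*) and BHO/toolbar (O2/O3) lines."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code.startswith("R"):
            s = SETTING_RE.match(body)
            if s:
                yield code, s.groupdict()
        elif code in ("O2", "O3"):
            c = COMPONENT_RE.match(body)
            if c:
                yield code, c.groupdict()

def review_candidates(log, known_dirs=KNOWN_DIRS, known_hosts=KNOWN_HOSTS):
    """Group unrecognised entries: {host: [registry keys]}, {dll: [(kind, name, clsid)]}."""
    hosts, dlls = defaultdict(list), defaultdict(list)
    dirs = tuple(d.lower() for d in known_dirs)
    for code, f in parse(log):
        if code.startswith("R"):
            host = urlparse(f["url"]).hostname or f["url"]
            if host not in known_hosts:
                hosts[host].append(f["key"])
        elif not f["path"].lower().startswith(dirs):
            dlls[f["path"]].append((f["kind"], f["name"], f["clsid"]))
    return dict(hosts), dict(dlls)

if __name__ == "__main__":
    for group in review_candidates(SAMPLE_LOG):
        for subject, entries in group.items():
            print(subject, "->", entries)
```
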
2004-06-15, 2:19 PM #29
Well your log beat me to what I was going to suggest [http://forums.massassi.net/html/wink.gif] -> have a gander through your registry (cmd -> regedit -> HKEY_LOCAL_MACHINE (and then usually, "Software") and see if anything immediately stands out. Chances are, if you know the stuff you've installed yourself then it's easier to narrow down what shouldn't be there. Obviously this works in conjunction with finding the pesky little virus/spyware/adware files themselves that are lurking in your machine. Another word of caution (!) -> be very careful/sure that you don't need anything, when deleting info from the registry [http://forums.massassi.net/html/redface.gif]

Also, Noble's onto another sure-fire hit with the "cmd -> msconfig" suggestion. I'd do this first and then delete/uninstall any of the naughty processes that are running before going registry hunting (and deleting...) [http://forums.massassi.net/html/wink.gif]

With regard to the BlueSoap, I would get rid of it, but that's just my opinion. I did a Google search for "BlueSoap" as well as any information regarding "holdacid.dll" and it turned up nothing useful (in fact "nothing" is closer, unless you count "Did you mean Blue Soap?" {thank you for being ever helpful Google [http://forums.massassi.net/html/rolleyes.gif]}). Ultimately, you know your system far better than any of us, but for what it's worth, in my humble opinion, you have good cause to doubt those "fishy" entries... [http://forums.massassi.net/html/wink.gif] [http://forums.massassi.net/html/redface.gif]

Hope this helps [http://forums.massassi.net/html/biggrin.gif]

-Jackpot

------------------
"lucky_jackpot is the smily god..." - gothicX
"jackpot is an evil evil man... so evil, in fact, that he's awesome." - Seb

"Life is mostly froth and bubble, but two things stand in stone,
Kindness in another's trouble, courage in your own"
("Ye Wearie Wayfarer" - by Adam Lindsay Gordon)