Help! Serious dial-up problem.

grahambell

Original Poster:

2,720 posts

292 months

Tuesday 13th January 2004
Further to my previous problem of the dial-up box appearing unwanted whenever my computer booted up, things have gone from annoying to serious.

Basically, I can no longer log on to the Internet using Internet Explorer. Or rather I can, but no matter what I type in, I end up with www.smart-finder.biz/pistonheads (or whatever)

When the page is loading it actually shows at the bottom as www.nkvd.us/pistonheads (or whatever).

I've only managed to log on to post this by typing the URL in Word to form a hyperlink.

Looks like I've picked up a worm or something from one of the affiliate directory sites I was researching the other weekend, because the problem only started after that. My updated Norton AV 2002 can't find anything though.

So is there any way I can A) identify the little sod, and B) get rid of it?

Thanks

DanL

6,552 posts

282 months

Tuesday 13th January 2004
Get LavaSoft's Ad Aware (from here - there's a free download somewhere on the site) and run it. If it's some sort of unhandy spyware/evil gubbins installed, Ad Aware should spot it and allow you to remove it.

Hope this is the answer!

Dan

grahambell

Original Poster:

2,720 posts

292 months

Tuesday 13th January 2004
Thanks Dan, I'll give it a try.

Meanwhile, any other ideas anybody?

Robbo1

845 posts

299 months

Tuesday 13th January 2004
Couldn't find the exact problem on Symantec's website, but from the symptoms it looks similar to this one:
W32.Bitzen
The one you have could have modified your Windows/IE Registry settings in the same way.
One day I'd like to meet one of the authors of these...

grahambell

Original Poster:

2,720 posts

292 months

Tuesday 13th January 2004
Well, have downloaded and run Ad-aware, which found and supposedly removed some scamware and stuff, but the problem persists. I'll see if that W32.Bizten is listed in my AV list.

Think I might also check to try and find out who the bastards behind www.nkvd.us and www.smart-finder.biz are.

simpo two

89,679 posts

282 months

Tuesday 13th January 2004
Another spyware-remover is Spybot, though in my case I found Adaware better.

You can also go to the registry (Start/Run/regedit) and do Ctrl/F to find the offending URL and delete it, or return it to what you originally had.

It's worked for me but only proceed if you feel confident.

bga

8,134 posts

268 months

Tuesday 13th January 2004
Spybot fixed something very, very similar to this on my brother's PC.

grahambell

Original Poster:

2,720 posts

292 months

Tuesday 13th January 2004
Thanks for the extra info guys. Have checked my AV and found W32.Bizten listed, so doesn't look like it's that.

Have also done a domain search and found both offending URLs registered to a Francesco Bertoni, so one way or another this problem is down to him.

Are there any authorities I can report this to to try and get the bastard's sites pulled?

hut49

3,544 posts

279 months

Tuesday 13th January 2004
..but have you tried SpyBot yet? Norton AV ain't going to do it for you.

grahambell

Original Poster:

2,720 posts

292 months

Tuesday 13th January 2004
hut49 said:
..but have you tried SpyBot yet? Norton AV ain't going to do it for you.


Nope. Where can I get it from?

Have tried simpo two's suggestion and ended up with 6 listings in two columns headed Name and Data, though haven't deleted anything as I'm not that confident.

Possibly the most likely are two named Search and SearchURL, both of which come with an icon that looks like a small square of torn paper with ab on it. Both have "www.nkvd.us/s.htm" in the data column.

Any idea what'll happen if I delete them?

Thanks again.

simpo two

89,679 posts

282 months

Tuesday 13th January 2004
grahambell said:
Possibly the most likely are two named Search and SearchURL, both of which come with an icon that looks like a small square of torn paper with ab on it. Both have "www.nkvd.us/s.htm" in the data column.

Any idea what'll happen if I delete them?

I think - but I'm not sure, that that's the name of the search engine it will default to. If you replace it with 'www.google.co.uk' I can't see you'd do any damage.
As the Air Traffic Controllers say 'At your discretion'.

polar_ben

1,413 posts

276 months

Wednesday 14th January 2004
There's a free version of the NOD32 antivirus program here -

http://b1.edskes.com/nod32_20040112.exe

(I hate posting .exe files, but this seems rather good - spotted a few things that AVG missed on my PC)

From here originally - http://home.hccnet.nl/h.edskes/finalbuilds.htm

>> Edited by polar_ben on Wednesday 14th January 06:50

Robbo1

845 posts

299 months

Wednesday 14th January 2004
grahambell said:
Any idea what'll happen if I delete them?

Rather than delete the entries, I think you can double-click them and remove the "Value data" part.
The link I posted earlier has similar instructions on how to do this - you can always make a note of what you remove.
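
An added example, not part of any post in this thread: a read-only check over a regedit export (Registry > Export in regedit) that lists every string value pointing at a web host outside an allowlist, together with its current data, so there is a written record before anything is edited. The key path in the sample is a placeholder, the function names and the allowlist are assumptions, and only the `Search`/`SearchURL` values and their data come from the thread.

```python
import re
from urllib.parse import urlparse
# Constructed sample of a regedit export. The key path is a placeholder;
# the two hijacked values and their data are the ones quoted in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleBrowser\Main]
"Search"="www.nkvd.us/s.htm"
"SearchURL"="www.nkvd.us/s.htm"
"Start Page"="http://www.google.co.uk/"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')
BARE_HOST_RE = re.compile(r'^[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/:]|$)')

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def host_of(data):
    # Accept full URLs and bare "host/path" data such as "www.nkvd.us/s.htm".
    if "://" not in data:
        if not BARE_HOST_RE.match(data):
            return None
        data = "http://" + data
    parsed = urlparse(data)
    if parsed.scheme not in ("http", "https"):
        return None
    return (parsed.hostname or "").lower() or None

def audit_export(text, allowed_hosts):
    """Return every string value whose data points at a host not in allowed_hosts."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        host = host_of(unescape(m.group(2)))
        if host and not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            findings.append({"key": key, "name": name, "data": unescape(m.group(2)), "host": host})
    return findings
```

Calling `audit_export(SAMPLE_EXPORT, {"google.co.uk"})` returns the `Search` and `SearchURL` entries with their key and old data; a real export from Windows 2000 or later is UTF-16 and should be opened with `encoding="utf-16"` before being passed in.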

grahambell

Original Poster:

2,720 posts

292 months

Wednesday 14th January 2004
Downloaded Spybot this morning and ran it.

Looks like it's done the job as I can now log on and enter URLs OK, so fingers crossed.

Thanks again for all the help.

grahambell

Original Poster:

2,720 posts

292 months

Wednesday 14th January 2004
Having now rebooted my computer I'm finding that the dial-up box still appears on start up and shut down, so there's still something wrong somewhere.

Main thing is that I can actually connect to the net OK now, so might just live with the irritation.

anonymous-user

71 months

Wednesday 14th January 2004
grahambell said:
Having now rebooted my computer I'm finding that the dial-up box still appears on start up and shut down, so there's still something wrong somewhere.

Main thing is that I can actually connect to the net OK now, so might just live with the irritation.


This sounds to me as though there is an application being run at startup and shutdown that is trying to send some data to the Internet.

When you downloaded AdAware and Spybot, did you update them with the latest reference files? If not, try doing this as the AdAware program available from the mirror sites appears to have been produced back in July. Any new spyware since then won't be recognised by the vanilla program, but will be if it's updated with the latest references.

If none of this succeeds, you may need to start getting dirty with the Registry which is a potentially dangerous thing to do and not to be taken lightly unless you're accustomed to hacking it about.

grahambell

Original Poster:

2,720 posts

292 months

Wednesday 14th January 2004
This just gets worse. Did an update on Spybot, ran another scan and found some more crap. Dealt with that, but still getting dial-up box on start-up.

Then when trying to load a page on PH I suddenly get a 'web page unavailable' page up. Try refresh, and get that www.nkvd.us shit trying to muscle in again.

Ran Spybot again, got 2 more crap files so dealt with those, but now can't load pages at all. Doesn't matter what I do, all I can get is 'web page unavailable'.

Godfrey H sent me an e-mail saying it looks like a trojan dialer hijack and suggested loading Hijack this, but as I can't connect it's not possible. Only reason I'm able to post this is that I've shoved an old HD in. E-mail still seemed to work though.

So guys, any ideas what I can do to sort this out? Uninstall and reinstall Internet Explorer? Go the whole hog and format the HD? Or is there a way I can identify where/what is trying to dial up on start up so that I can delete it?

coach

1,103 posts

269 months

Wednesday 14th January 2004
OK

Really long story cut short..

Adaware and Spybot must be used daily if you use the web a lot. They pick up different things.

I had a malicious little thing that was neither spyware nor virus that would either try and dial a premium rate number (no modem as on ADSL - dangerous if you have auto dial though!!). If it cannot it tries to send a mail to aups@online-dialer.com and also goes to the website www.online-dialer.com and gets another version of the exe that does this. The URL is owned by a company on Gibraltar called haldex ltd.

I have installed Norton Internet security and watched the activity and traced the urls and asked them to help. Nowt!
Edited the registry to remove the name of the registry and seems ok. If I reboot - it tries again. Remove and it is OK..

As was said before, if I get hold of these scrotes.

Why do they do this?

Godfrey H

145 posts

266 months

Thursday 15th January 2004
Hi Graham, if you send me your email address I will send you Hijackthis as an email attachment. It is small enough to store on a floppy. The email will be from my main domain with the title "Your computer problems from PH". Once we have cleared this problem (says he confidently) we need to review your computer security.

Do you have a firewall and are you up to date with the Microsoft security patches?

Doh! The penny has just dropped. You have the coolwebsearch (CWS) trojan. Spybot and Adaware won't remove this trojan, you need a special CWS removal tool. Go to www.spywareinfo.com/~merijn/cwschronicles.html to get the removal tool. Oops! Sorry, you can't, send me your email address and I'll email it to you later today. (Well, I haven't had my coffee yet, that's my excuse for being thick.)

logsofftogetcoffeebeforeanymorestupidmistakes
>> Edited by Godfrey H on Thursday 15th January 06:15

>> Edited by Godfrey H on Thursday 15th January 07:44

>> Edited by Godfrey H on Thursday 15th January 07:52