#1

yesterday i open a .jpg posted on a channel on irc
then i had a window ask me or not to reboot the system (windows 2000 sp4) to take in count the new changes

today when i turn on the computer
all the web site leads to a "fake" google.com
with this code in source http://217.117.55.52/damn.txt
i can't surf anymore, with any explorers
ideas ?

thx

--
#############################################################
# http://users.teledisnet.be/web/ari01350/ToYKillAS.jpg #
# -=- Der Säger von St. Georg -=- #
#############################################################
ToYKillAS

#2

From: "ToYKillAS" <>

| yesterday i open a .jpg posted on a channel on irc
| then i had a window ask me or not to reboot the system (windows 2000
| sp4) to take in count the new changes
|
| today when i turn on the computer
| all the web site leads to a "fake" google.com
| with this code in source http://217.117.55.52/damn.txt
| i can't surf anymore, with any explorers
| ideas ?
|
| thx
|

For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
  http://www.lavasoft.de/
  http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
  http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects that may be on the PC.

* BHODemon
  http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
  http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

#3

David H. Lipman wrote:
> From: "ToYKillAS" <>
>
> | yesterday i open a .jpg posted on a channel on irc
> | then i had a window ask me or not to reboot the system (windows 2000
> | sp4) to take in count the new changes
> |
> | today when i turn on the computer
> | all the web site leads to a "fake" google.com
> | with this code in source http://217.117.55.52/damn.txt
> | i can't surf anymore, with any explorers
> | ideas ?
> |
> | thx
> |
>
> For non-viral malware...
>
> Please download, install and update the following software...
>
> * Ad-aware SE v1.06
>   http://www.lavasoft.de/
>   http://www.lavasoftusa.com/
>
> * SpyBot Search and Destroy v1.4
>   http://security.kolla.de/
>
> After the software is updated, I suggest scanning the system in Safe Mode.
>
> I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
> that may be on the PC.
>
> * BHODemon
>   http://www.definitivesolutions.com/bhodemon.htm
>
> For viral malware...
>
> * Download MULTI_AV.EXE from the URL --
>   http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> * * * Please report back your results * * *
>

i just tried again to open a web page
i had a login/password box
and in the task bar, the url http://www.codezoo.com/images/hp1.gif
going to be hard to download your software, coz i can't access web

--
#############################################################
# http://users.teledisnet.be/web/ari01350/ToYKillAS.jpg #
# -=- Der Säger von St. Georg -=- #
#############################################################
ToYKillAS

#4

ToYKillAS wrote:
> David H. Lipman wrote:
>
>>From: "ToYKillAS" <>
>>
>>| yesterday i open a .jpg posted on a channel on irc
>>| then i had a window ask me or not to reboot the system (windows 2000
>>| sp4) to take in count the new changes
>>|
>>| today when i turn on the computer
>>| all the web site leads to a "fake" google.com
>>| with this code in source http://217.117.55.52/damn.txt
>>| i can't surf anymore, with any explorers
>>| ideas ?
>>|
>>| thx
>>|
>>
>>For non-viral malware...
>>
>>Please download, install and update the following software...
>>
>>* Ad-aware SE v1.06
>>  http://www.lavasoft.de/
>>  http://www.lavasoftusa.com/
>>
>>* SpyBot Search and Destroy v1.4
>>  http://security.kolla.de/
>>
>>After the software is updated, I suggest scanning the system in Safe Mode.
>>
>>I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
>>that may be on the PC.
>>
>>* BHODemon
>>  http://www.definitivesolutions.com/bhodemon.htm
>>
>>For viral malware...
>>
>>* Download MULTI_AV.EXE from the URL --
>>  http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>>
>>To use this utility, perform the following...
>>Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
>>Choose; Unzip
>>Choose; Close
>>
>>Execute; C:\AV-CLS\StartMenu.BAT
>>{ or Double-click on 'Start Menu' in C:\AV-CLS }
>>
>>NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
>>FireWall to allow it to download the needed AV vendor related files.
>>
>>C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
>>This will bring up the initial menu of choices and should be executed in Normal Mode.
>>This way all the components can be downloaded from each AV vendor's web site.
>>The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>>
>>You can choose to go to each menu item and just download the needed files or you can
>>download the files and perform a scan in Normal Mode. Once you have downloaded the files
>>needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
>>during boot] and re-run the menu again and choose which scanner you want to run in Safe
>>Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>>
>>When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
>>file.
>>
>>* * * Please report back your results * * *
>>
>
> i just tried again to open a web page
> i had a login/password box
> and in the task bar, the url http://www.codezoo.com/images/hp1.gif
> going to be hard to download your software, coz i can't access web
>

You *might* want to ask a friend to download the Mozilla Firefox executable installer on a flash drive for you. Plug it in, install Firefox, and start the downloads that David suggested...

--
the alt.privacy.spyware FAQ: http://shplink.com/misc/FAQ.htm

shplink

#5

shplink wrote:
> ToYKillAS wrote:
>
>> David H. Lipman wrote:
>>
>> i just tried again to open a web page
>> i had a login/password box
>> and in the task bar, the url http://www.codezoo.com/images/hp1.gif
>> going to be hard to download your software, coz i can't access web
>>
> You *might* want to ask a friend to download the Mozilla Firefox
> executable installer on a flash drive for you. Plug it in, install
> Firefox, and start the downloads that David suggested...
>

it's all the time the same, with any explorer that i already have here
InternetExplorer, Firefox, Opera..
all url leads to fake page with that weirdo code
something had to be changed in the registry
i just finished a virus scan (G-Data2006) and an Ad-Aware scan
found nothing..

--
#############################################################
# http://users.teledisnet.be/web/ari01350/ToYKillAS.jpg #
# -=- Der Säger von St. Georg -=- #
#############################################################
ToYKillAS

#6

From: "ToYKillAS" <>

| it's all the time the same, with any explorer that i already have here
| InternetExplorer, Firefox, Opera..
| all url leads to fake page with that weirdo code
| something had to be changed in the registry
| i just finished a virus scan (G-Data2006) and an Ad-Aware scan
| found nothing..
|

What's G-Data2006 ?

Read the below. After you perform a "Clean Boot" then use Opera and/or FireFox. Avoid using IE until the system is deemed clean.

Ad-aware should be "Ad-aware SE v1.06."
If you have an older version, it should be removed and the newer version installed and updated.

How to perform a clean boot in Windows XP
http://support.microsoft.com/kb/310353

Note You must be logged on as an administrator or a member of the Administrators group to follow these steps. If your computer is connected to a network, network policy settings may also prevent you from following these steps.

1. Click Start, click Run, type msconfig in the Open box, and then click OK.
2. On the General tab, click Selective Startup, and then clear the Process System.ini File, Process Win.ini File, and Load Startup Items check boxes. You cannot clear the Use Original Boot.ini check box.
3. On the Services tab, select the Hide All Microsoft Services check box, and then click Disable All.
4. Click OK, and then click Restart to restart your computer.
5. After Windows starts, determine whether the symptoms still occur.

   Note Look closely at the General tab to make sure that the check boxes that you cleared are still cleared. Continue to step 6 if none of the check boxes are selected. If the Load System Services check box is the only disabled check box, your computer is not clean-booted. If additional check boxes are disabled and the issue is not resolved, you may require help from the manufacturer of the program that places a check mark back in Msconfig.

   If none of the check boxes are selected, and the issue is not resolved, you may have to repeat steps 1 through 5, but you may also have to clear the Load System Services check box on the General tab. This temporarily disables Microsoft services (such as, Networking, Plug and Play, Event Logging, and Error Reporting) and permanently deletes all restore points for the System Restore utility. Do not do this if you want to retain your restore points for System Restore or if you must use a Microsoft service to test the issue.
6. Click Start, click Run, type msconfig in the Open box, and then click OK.
7. On the General tab, select the Process System.ini File check box, click OK, and then click Restart to restart the computer. If the issue continues, the issue is with an entry in your System.ini file. If the issue does not continue, repeat this step for the Process Win.ini File, Load Startup Items, and Load System Services check boxes until the issue occurs. After the issue occurs, the last item that you selected is the item where the issue is occurring.

Note Microsoft strongly recommends that you do not use System Configuration Utility to modify the Boot.ini file on your computer without the direction of a Microsoft support engineer. Doing so may make your computer unusable.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

#7

David H. Lipman wrote:
> From: "ToYKillAS" <>
>
> | it's all the time the same, with any explorer that i already have here
> | InternetExplorer, Firefox, Opera..
> | all url leads to fake page with that weirdo code
> | something had to be changed in the registry
> | i just finished a virus scan (G-Data2006) and an Ad-Aware scan
> | found nothing..
> |
>
> What's G-Data2006 ?
>
> Read the below. After you perform a "Clean Boot" then use Opera and/or FireFox. Avoid
> using IE until the system is deemed clean.
>
> Ad-aware should be "Ad-aware SE v1.06."
> If you have an older version, it should be removed and the newer version installed and
> updated.

i'm running windows 2000 sp4
the "msconfig" command doesn't work
and i can't upgrade my antivirus and adaware (can't connect on the website)

--
#############################################################
# http://users.teledisnet.be/web/ari01350/ToYKillAS.jpg #
# -=- Der Säger von St. Georg -=- #
#############################################################
ToYKillAS

#8

From: "ToYKillAS" <>

|
| i'm running windows 2000 sp4
| the "msconfig" command doesn't work
| and i can't upgrade my antivirus and adaware (can't connect on the website)
|

Go to the news Group: alt.binaries.comp.virus

See the post subjects:
MSCONFIG for use in windows 2000
Multi AV Scanning Tool

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

#9

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

| Go to the news Group: alt.binaries.comp.virus
|
| See the post subjects:
| MSCONFIG for use in windows 2000
| Multi AV Scanning Tool
|

I don't know why "MSCONFIG for use in windows 2000" never was posted.
I'll try a ZIP file with the Subject: For ToYKillAS

OK -- This time the post looked successful.

-----------

Go to the news Group: alt.binaries.comp.virus

See the post subjects:
For ToYKillAS
Multi AV Scanning Tool

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

#10

ToYKillAS wrote:
> yesterday i open a .jpg posted on a channel on irc
> then i had a window ask me or not to reboot the system (windows 2000
> sp4) to take in count the new changes
>
> today when i turn on the computer
> all the web site leads to a "fake" google.com
> with this code in source http://217.117.55.52/damn.txt
> i can't surf anymore, with any explorers
> ideas ?
>
> thx
>

FIXED

i was ****ing scared and ready to finish forever to use windows
a friend told me to install: "Microsoft AntiSpyware"
and he found directly (that Ad-Aware didn't find)

* WindUpdates
  Type: Browser Plug-in
  Threat Level: Severe
  Author: WindUpdates.com
  Description: WindUpdates downloads additional adware and displays pop-up advertising.

* 180Solutions.SearchAssistant
  Type: Adware
  Threat Level: High
  Author: 180Solutions
  Description: 180Solutions.SearchAssistant monitors your current Web browsing activity and displays pop-up advertisements related to the Internet sites you are viewing.

* 7AdPower
  Type: Browser Modifier
  Threat Level: High
  Author: 7H
  Description: Software that changes browser settings, such as the homepage, without adequate consent.

--
#############################################################
# http://users.teledisnet.be/web/ari01350/ToYKillAS.jpg #
# -=- Der Säger von St. Georg -=- #
#############################################################
ToYKillAS