spy ware

Mike Bright MSP

Which SpyWare package did you buy??

Can you detail a little more about what is actually
happening???

Also, as your purchased Spyware didn't work, give Ad-Aware
a try (www.lavasoftusa.com); it's free and it's normally
very very good.

Try it and post back if you still have the spyware issue
and we'll walk through removing it :D

Regards

Mike Bright MCP, MSP
 
Mike,

What happens if you change the home page through Internet
Explorer? Oh, and by the way, the res:// bit means the file
is being stored locally on your machine.

In Windows do a search for:

uyqyi.dll

See if it finds the file :D

Regards

Mike Bright MCP, MSP
 
mike,

Hate to inform you that this is a Cool Web Search variant of :
http://forum.aumha.org/viewtopic.php?t=6207&start=0&postdays=0&postorder=asc&highlight=

Unfortunately, it's evolved and the removal method laid out in the
above link may not resolve the issue. The .dll file will keep
renaming itself but these entries will repeatedly appear in the
Hijack This Log :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\<randomname>.dll/sp.html#<randomnumber>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://<randomname>.dll/index.html#<randomnumber>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://<randomname>.dll/index.html#<randomnumber>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\<randomname>.dll/sp.html#<randomnumber>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\<randomname>.dll/sp.html#<randomnumber>
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://<randomname>.dll/index.html#<randomnumber>

You have to stop the process and edit the registry to remove it.
The problem is identifying the specific process. To do so one must
boot to Safe Mode, enable "Show hidden files and folders", run an AV
scan, and then run CWShredder, AdAware, and Spybot
( links to programs can be found here --
http://www.siena.edu/antivirus/Spyware/default.html ).

Then scan with HJT and look for entries such as these :

O4 - HKLM\..\RunOnce: [netyh32.exe] C:\WINDOWS\netyh32.exe
or
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

The O4 entry may/will have a differently named .exe file.
The O18 entry may/will have a different CLSID
( B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D is another known one ) but
the msopt.dll entry is common in this CWS variant.
You can then edit the registry and remove the keys as laid out here:
http://www.kephyr.com/spywarescanner/library/msopt/index.phtml
Reboot to Safe Mode, run HJT, and remove the CWS entries.

OR, skip all of the above and try this untested tool here :
http://www.hsremove.com/
------------------------------------------
WARNING : THIS TOOL HAS NOT BEEN TESTED. No recommendation nor
endorsement of it is acknowledged. Not responsible for any damage
to your system or nerves.
DO NOT USE IT unless you first make a manual restore point and
know : How to start the System Restore tool at a command prompt
in Windows XP http://support.microsoft.com/?kbid=304449
---------------------------------------------


MowGreen [MVP]
===============
*-343-* FDNY
Never Forgotten
===============
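
The HijackThis patterns listed in the post above, turned into a small log triage script. This is an added example, not part of the original thread or of any tool it mentions; the function name, the sample log, and the rule that any RunOnce .exe sitting directly in C:\WINDOWS deserves review are assumptions made for illustration.

```python
import re

# CLSIDs named in the post above; the post says other values occur too.
KNOWN_CLSIDS = {"4A8DADD4-5A25-4D41-8599-CB7458766220",
                "B9D90B27-AD4A-413A-88CB-3E6DDC10DC2D"}

# R0/R1 IE page setting whose value is a res:// URL into a local DLL.
RES_HIJACK = re.compile(
    r"^R[01] - HK(?:CU|LM)\\[^,]+,([^=]+?)\s*=\s*res://(?:.*\\)?([^\\/]+\.dll)/",
    re.IGNORECASE)
# O18 protocol handler: name, CLSID, handler file.
O18 = re.compile(r"^O18 - Protocol: (\S+) - \{([0-9A-F-]{36})\} - (.+)$",
                 re.IGNORECASE)
# Assumed heuristic: RunOnce entry starting an .exe directly in C:\WINDOWS.
O4_RUNONCE = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\RunOnce: \[[^\]]+\] (C:\\WINDOWS\\[^\\]+\.exe)$",
    re.IGNORECASE)

def scan_hjt_log(text):
    """Return (line_no, reason) pairs for lines showing the traits above."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if m := RES_HIJACK.match(line):
            findings.append((no, f"{m.group(1)} points into local DLL {m.group(2)}"))
        elif m := O18.match(line):
            name, clsid, path = m.groups()
            # Flag on a CLSID from the post or on the common msopt.dll handler.
            if clsid.upper() in KNOWN_CLSIDS or path.lower().endswith("\\msopt.dll"):
                findings.append((no, f"protocol handler {name} -> {path}"))
        elif m := O4_RUNONCE.match(line):
            findings.append((no, f"RunOnce launches {m.group(1)} (review manually)"))
    return findings

# Constructed sample log; the DLL name and fragment numbers are made up.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://abcde.dll/index.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\abcde.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\RunOnce: [netyh32.exe] C:\WINDOWS\netyh32.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O18 - Protocol: example - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\System32\example.dll
"""

if __name__ == "__main__":
    for no, reason in scan_hjt_log(SAMPLE_LOG):
        print(f"line {no}: {reason}")
```

Log lines that a mail or news client has wrapped must be rejoined into single lines before scanning, since each pattern is matched against one whole entry.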
 
Cheers MowGreen, it was a while since I checked that site; it
was direct out of an e-mail from ages ago :D

Mike Bright MCP, MSP
 
Ignore the last post :( Outlook did a number on me and
messed up the post I was reading :(

Doh....!

Mike
 
