Spyware Forum

  • Thread starter ~ Free Spirit ~

~ Free Spirit ~

I did register but don't understand how to use a Forum. I can't locate any
information there concerning Spybot "Not Responding" locking up, failing to
download the new files, or inability to remove Secret-Crush - which it says
is in MEMORY and can't be removed. A reboot and re-run still can't remove
it. I've re-installed Spybot several times from different mirror sites and
the exact same problems occur.

Does anyone know what Secret-Crush is? A Google search last night brought
up no info on worms, scum-ware etc.

FS...........
 

GK

~ Free Spirit ~ said:
I did register but don't understand how to use a Forum. I can't locate any
information there concerning Spybot "Not Responding" locking up, failing to
download the new files, or inability to remove Secret-Crush - which it says
is in MEMORY and can't be removed. A reboot and re-run still can't remove
it. I've re-installed Spybot several times from different mirror sites and
the exact same problems occur.

Does anyone know what Secret-Crush is? A Google search last night brought
up no info on worms, scum-ware etc.

FS...........

Secret Crush is a hijacker. You need to learn to use Google better.
 

~ Free Spirit ~

GK said:
Secret Crush is a hijacker. You need to learn to use Google better.
===========================
I just located it on the Spybot website - but can't find out how to remove
it. How is it removed?????

FS..........
 

anonymous

Try the HELP inside spybot. Go thru the tutorial inside
HELP inside spybot. Learn to use your online help files.

Knowledge. Follow advice. Study....Learn.
 

GK

~ Free Spirit ~ said:
** I've never been GOOD on finding things on the web - sorry.



** Thanks... I need to know how to FIND it and remove it now..... :*(

FS............

Okay, first, you need to have some faith. If Spybot tells you the location,
then that's where it is. Don't say you don't have Local Service if it
says it is there. You need to figure out how to get there. Once you do,
you can do it manually, but it's possible you may have to do it through
safe mode. Carefully search for that folder using the search tool - with
Win explorer - whatever. I'm sure you must have it. Let us know. Once
you locate it, try and delete the file manually. If you can't, come back
for plan B. Normally, malware programs can delete the parasites
automatically, or after a boot-up, but not always.
 

GK

~ Free Spirit ~ said:
================
Thanks so much.... we THINK we got rid of it.....
This is an excellent website.

FS............

YW, and I hope so :>)
 

~ Free Spirit ~

GK said:
Okay, first, you need to have some faith. If Spybot tells you the location,
then that's where it is. Don't say you don't have Local Service if it
says it is there. You need to figure out how to get there. Once you do,
you can do it manually, but it's possible you may have to do it through
safe mode. Carefully search for that folder using the search tool - with
Win explorer - whatever. I'm sure you must have it. Let us know. Once
you locate it, try and delete the file manually. If you can't, come back
for plan B. Normally, malware programs can delete the parasites
automatically, or after a boot-up, but not always.
===========
This is really bizarre! The parasite was installed in/with the ie6 browser
and called a Hijacker (Secret-Crush). Since it loaded into memory when the
PC booted Spybot couldn't remove it. By going to Tools/Options/Programs and
clicking on RESET WEB SETTINGS it seems to be gone - we still can't find it!
Using the SEARCH for all files and folders doesn't find it and didn't before
we did this.
We still cannot follow the path on the tree since these places do not exist
on this PC with XP-Home. For example - this is from the Spybot report of my
PC =

Secret-Crush: Autostart item
C:\Documents and Settings\Network Service\Start
Menu\Programs\Startup\\start.exe.

And about 20 more that were similar - but there is no "Network Service"
under D&S'ings! There was no Secret-Crush in Startup or start.
There were so many and NONE were found on my PC such as there is *NO LOCAL
SERVICE* under D&S'ing either.... it was impossible to find these things
and "FIND all files and folders" couldn't find them either.

This scum-ware is still on the PC but we don't know WHERE since none of the
folders Spybot said they're in can be located. And YES, we have it set to
show all hidden folders, files and file extensions.

FS...........
 

GK

~ Free Spirit ~ said:
===========
This is really bizarre! The parasite was installed in/with the ie6 browser
and called a Hijacker (Secret-Crush). Since it loaded into memory when the
PC booted Spybot couldn't remove it. By going to Tools/Options/Programs and
clicking on RESET WEB SETTINGS it seems to be gone - we still can't find it!
Using the SEARCH for all files and folders doesn't find it and didn't before
we did this.
We still cannot follow the path on the tree since these places do not exist
on this PC with XP-Home. For example - this is from the Spybot report of my
PC =

Secret-Crush: Autostart item
C:\Documents and Settings\Network Service\Start
Menu\Programs\Startup\\start.exe.

And about 20 more that were similar - but there is no "Network Service"
under D&S'ings! There was no Secret-Crush in Startup or start.
There were so many and NONE were found on my PC such as there is *NO LOCAL
SERVICE* under D&S'ing either.... it was impossible to find these things
and "FIND all files and folders" couldn't find them either.

This scum-ware is still on the PC but we don't know WHERE since none of the
folders Spybot said they're in can be located. And YES, we have it set to
show all hidden folders, files and file extensions.

FS...........

It's there, Dear. Do what D.currie says: uncheck hide unprotected operating
system files.

Tools, folder options, view, uncheck hide unprotected operating system files.
And go get 'em!
 

GK

GK said:
It's there, Dear. Do what D.currie says: uncheck hide unprotected operating
system files.

Tools, folder options, view, uncheck hide unprotected operating system
files.
And go get 'em!

The above instructions are for windows explorer - not Internet explorer.
 

~ Free Spirit ~

GK said:
The above instructions are for windows explorer - not Internet explorer.
==================
Yes, windows explorer. We found NetworkService after a reboot, but there
is no "Start Menu" under it - how do we locate the Start Menu there when it
can't be seen - ALL protected files have been liberated in WE. All are
showing now. ALL OF THEM unless XP has some you can't expose in any way. Is
there a secret way to expose *other* hidden files not in the
Tools/folder-options/View window?

We have Display the contents of System folders checked and SHOW hidden files
and folders checked. What's left?

FS.........
 

David Candy

Local Service et al aren't real users so don't need and can't use a start menu. Therefore they don't have one. Your program might be hiding by creating these folders. To find a folder type it in Start Run

"C:\Documents and Settings\Network Service\Start Menu\Programs\Startup\\start.exe"
[enclosed in inverted commas because it has a space in the name]

You can type just the last folder to find it if it's in Windows or your profile directory (type temp [this is the one when no user is logged in - type %temp% to see yours] and sendto as an experiment)
 

GK

~ Free Spirit ~ said:
==================
Yes, windows explorer. We found NetworkService after a reboot, but there
is no "Start Menu" under it - how do we locate the Start Menu there when it
can't be seen - ALL protected files have been liberated in WE. All are
showing now. ALL OF THEM unless XP has some you can't expose in any way. Is
there a secret way to expose *other* hidden files not in the
Tools/folder-options/View window?

We have Display the contents of System folders checked and SHOW hidden files
and folders checked. What's left?

FS.........

No, there's no more to show, so we are kind of screwed. Here's what I'd do at this
juncture. Use your search tool and search for start.exe, see what pops up. If nothing
pops up, search for "start menu" (no quotes). You should see several directories, see
if any resemble the path you were given by spybot. Let us know what you get.
 

MAP

-----Original Message-----
I did register but don't understand how to use a Forum. I can't locate any
information there concerning Spybot "Not Responding" locking up, failing to
download the new files, or inability to remove Secret-Crush - which it says
is in MEMORY and can't be removed. A reboot and re-run still can't remove
it. I've re-installed Spybot several times from different mirror sites and
the exact same problems occur.

Does anyone know what Secret-Crush is? A Google search last night brought
up no info on worms, scum-ware etc.

FS...........


http://www.pestpatrol.com/Search/SearchPestInfo.asp?qu=secert-crush&sc=%2FPestInfo%2F&Action=Go
 

~ Free Spirit ~

Local Service et al aren't real users so don't need and can't use a start
menu. Therefore they don't have one. Your program might be hiding by
creating these folders. To find a folder type it in Start Run

"C:\Documents and Settings\Network Service\Start
Menu\Programs\Startup\\start.exe"
[enclosed in inverted commas because it has a space in the name]

** It says that This Location is unavailable or Cannot be found etc. It
said the information may have been moved. That it may be on another disk
(our PC has only one HD).

You can type just the last folder to find it if it's in Windows or your
profile directory (type temp [this is the one when no user is logged in -
type %temp% to see yours] and sendto as an experiment)

** All I get is a "Windows cannot find start.exe. Make sure you spelled it
correctly ...."
Typing in %temp% brought up some window I'm not familiar with, with one
unknown file in it, plus a few things on the left hand side.
Just an aside here. Both of us learned W95, then W98 rapidly. We're not
doing so well with WXP-Home even with the Dummies Book and a lot of online
reading. Finding files and folders is the biggest problem. The search
feature called FIND doesn't always work and is extremely slow. And why are
all my folders in Documents also showing under C:/ drive? And there seems
to be folders for other users and there aren't any "other users." It's
very confusing.....

The ONLY features we really like are the thumbnails/slideshow and easy
backup CD burner (unless HP added that - not MMJ which sucks).


FS..........
 

~ Free Spirit ~

================================================> >
No, there's no more to show, so we are kind of screwed. Here's what I'd do at this
juncture. Use your search tool and search for start.exe, see what pops up.

## The only START.EXE that popped up was START.EXE C:\windows\SMINST .

If nothing
pops up, search for "start menu" (no quotes). You should see several directories, see
if any resemble the path you were given by spybot. Let us know what you
get.

## It just leads me to things I KNOW that are supposed to StartUp - nothing
anywhere that says Secret-Crush or that looks suspicious. Where can this
scumware be hiding???? We've put hours into this Hijacker already and since
we reset that browser thing Spybot isn't picking it up anymore. Could
Spybot have removed it?
Greg K...Intermediate knowledge. Follow any advice at your own risk.

FS..........
 

~ Free Spirit ~

Gene K said:
Two things to do:
1. Go here and get "HijackThis" to pull this kind of stuff:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
2. Go here and get AdAware which is similar to Spybot: www.lavaware.com.
==================
OK... this is what I got.

Logfile of HijackThis v1.97.7
Scan saved at 8:11:53 PM, on 1/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\ULTIMA~1.7\uzip.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\Q6CD13SF\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.heartoftn.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = http=127.0.0.1:83
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://us8.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} -
C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client]
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Dpcstart.lnk = C:\Program
Files\DIRECWAY\BIN\dpcstart.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program
Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward &Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program
Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37986.9347453704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{9335017D-A7D2-4BE3-B418-D811503F1DBE}:
Domain = direcway.com
O17 -
HKLM\System\CCS\Services\Tcpip\..\{9335017D-A7D2-4BE3-B418-D811503F1DBE}:
NameServer = 66.82.4.8
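
An added example, not part of any post in this thread: a short Python sketch that rejoins the mail-wrapped lines of a HijackThis log like the one above, lists its O4 startup entries and the IE proxy value, and checks whether any entry names the `start.exe` that Spybot reported. The function names are this example's own, and the embedded sample is an excerpt copied from the log above.

```python
import re

# A HijackThis entry starts with a section code such as R1, O4 or O17.
ENTRY = re.compile(r"^([RO]\d{1,2}) -(?: (.*))?$")

# Excerpt copied from the log posted above, mail-client line wraps included.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = http=127.0.0.1:83
O4 - HKLM\..\Run: [Zone Labs Client]
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program
Files\DIRECWAY\BIN\dpcstart.exe
O17 -
HKLM\System\CCS\Services\Tcpip\..\{9335017D-A7D2-4BE3-B418-D811503F1DBE}:
NameServer = 66.82.4.8
"""

def unwrap(text):
    """Return (code, body) tuples with wrapped continuation lines rejoined."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        match = ENTRY.match(line)
        if match:
            entries.append([match.group(1), match.group(2) or ""])
        elif line and entries:
            # The wraps fall on spaces, so rejoin with a single space.
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return [tuple(e) for e in entries]

def autostarts(entries):
    """O4 (startup) entries as (location, command) pairs."""
    return [tuple(body.split(": ", 1)) for code, body in entries if code == "O4"]

def ie_proxy(entries):
    """Value of the Internet Settings ProxyServer entry, or None."""
    for _, body in entries:
        if ",ProxyServer = " in body:
            return body.split(",ProxyServer = ", 1)[1]
    return None

def mentions_file(entries, filename):
    """Entries naming exactly this file; start.exe must not match dpcstart.exe."""
    pat = re.compile(r"(?:^|[\\/ =])" + re.escape(filename) + r"(?=$|[ ,\"])", re.I)
    return [e for e in entries if pat.search(e[1])]

if __name__ == "__main__":
    log = unwrap(SAMPLE_LOG)
    print(autostarts(log), ie_proxy(log), mentions_file(log, "start.exe"))
```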
 
