Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacker Zyban-zucor-levitra.com


  • This topic is locked This topic is locked
5 replies to this topic

#1 dpmengefi

dpmengefi

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:18 AM

Posted 15 October 2007 - 01:01 PM

Every time I start my computer the Outpost Anti-Spyware program reports that "zyban-zucor-levitra.com" has been found in the Windows Hosts file. Although I tell Outpost to remove this Hijacker it doesn't delete it completely because it returns every time the computer is started. I've scanned my computer with Ad-Aware 2007 and Spybot, but they don't find anything. The Outpost On-Demand Spyware Scanner finds this in the Windows Host file, but doesn't remove everything as it always returns.

Reading the CWSchredder Tutorial I saw that "zyban-zucor-levitra.com" is a variant of the Cool Web Search Hijacker. I downloaded the CWSchredder program (version 2.00) and tried to remove "zyban-zucor-levitra.com" with this. Although it finds a file called "uninsqup.exe" I didn't delete it as this is used for a program called Quick View Plus. After the scan is completed it reports that CoolWebSearch was not found.

Could someone please help me to remove "zyban-zucor-levitra.com" from my computer as it must be hiding somewhere for it not be 100% deleted with the Outpost Anti-Spyware program.

Thank you.

David

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:18 PM

Posted 15 October 2007 - 02:34 PM

A Hosts file maps an IP address to a name. The original purpose of hosts files was to map the proper address to a site's name but now its also used for blocking purposes. The "blocking effect" of a host file is not in the name being listed there, but rather by associating the name with the wrong IP address which prevents you from reaching that site.

Download hosts.zip and extract (unzip) to its own folder C:\hosts
(Click here for information on how to do this if not sure.)
You can read more about what we are doing here.

Open up the hosts folder and double-click on the mvps.bat file.
The script will rename your present HOSTS file to HOSTS.MVP and copy the new HOSTS file to the correct location on your system.
MVPS HOSTS File Install Instructions with graphics if you need them.

Download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Reboot in "SAFE MODE using the F8 method and launch SUPERAntispyware.
  • In the main screen, under "Scan for Harmful Software" click Scan your computer.
  • There are three scanning options. Choose "Perform Complete Scan" and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure they all have a checkmark next to them and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked to reboot, click "Yes".
  • If not, select Close to exit the program and reboot normally.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 dpmengefi

dpmengefi
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:18 AM

Posted 16 October 2007 - 04:22 AM

Thank's for your prompt reply.

I did everything you explained, but unfortunately the problem is not solved. Using SUPERAntiSpyware Free in the Safe Mode it found an Adware Tracking Cookie which looked to have nothing to do with the "zyban-zucor-levitra.com" Hijacker. I deleted this Adware Tracking Cookie after completing the scan.

When I rebooted the computer the Outpost Anti-Spyware program reports that "zz.cqcounter.com" has been found in the Windows Hosts file. A few minutes after Outpost had removed this, my anti-virus program informed me that an attempt was made to change the Hosts file and asked if I want to allow this. I do not know if I should click "yes" or "no".

Any suggestions how I can sort this problem out with the Hosts file? "zyban-zucor-levitra.com" has now been replaced by "zz.cqcounter.com".

Thank you.

David

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:18 PM

Posted 16 October 2007 - 07:38 AM

We need to identify the malware that keeps changing your host file by creating a hijackthis log.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

If HijackThis will not run, try renaming it. Open the HijackThis Folder, right-click on the HijackThis.exe file and rename it Scanner.exe. Double-click on Scanner.exe (which is still HijackThis) and then run your scan. If needed, change the .exe to something else such as .bat, .com, .pif, or .scr. Example: Scanner.bat or Scanner.com

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 dpmengefi

dpmengefi
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:18 AM

Posted 11 December 2007 - 06:55 AM

Hi quiteman7,

You asked me to post a link here that I've received help from the HJT team. Here is the link.

http://www.bleepingcomputer.com/forums/ind...22&t=114044

Thanks for your help you've given in solving this problem.

David

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:18 PM

Posted 11 December 2007 - 11:22 AM

I see you are already getting assistance. From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.

Thanks for your cooperation and good luck with your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users