Tenacious Spyware Problem (Vanity)
6/16/04 | Me, Myself, and I

Posted on 06/16/2004 10:42:22 AM PDT by Born Conservative

Please excuse the vanity (this is my first vanity post). I am having a problem with spyware. It started when my 11 year old son installed a "really cool" screensaver on the computer (running XP Home) from "screensaver.com". As soon as he told me he did that, I knew that I was up the creek without a paddle. So, I ran Spybot, and then Ad Aware, and "fixed" my Spyware problems. Right. Needless to say, my computer is still infested.

I then did some searching on the web, and downloaded Hijack This, since my browser was hijacked to a different home page (msn.com). Since I wasn't sure which programs were spyware, and which were not, I haven't "fixed" them with Hijack This yet. I also downloaded Aluria's free spyware scanner, and it shows 17 spyware files. The files include Wild Tangent, IWon, Cydoor, 2020Search, Comet Cursor, WhenUSave, and MyWay Speedbar. I did re-run the SpyBot and AdAware, as well as CWShredder (run in Safe Mode), but the spyware persists. I am also up to date on all Windows updates. Any help would be appreciated. I do have a log file from the Hijack This if that would help.


TOPICS: Miscellaneous; Your Opinion/Questions
KEYWORDS: help; spyware
To: Born Conservative
"since my browser was hijacked to a different home page (msn.com). "

Same problem here, Bump for solutions.

21 posted on 06/16/2004 10:52:14 AM PDT by No Blue States
[ Post Reply | Private Reply | To 1 | View Replies]

To: Born Conservative

Try running AdAware with the "Deep Scan" option activated (or something like that). It takes a lot longer because it goes through 120,000+ files instead of 35,000 or so, but I do this every couple of weeks and I haven't had a problem since my last disaster in early May.


22 posted on 06/16/2004 10:52:27 AM PDT by Alberta's Child ("Ego numquam pronunciare mendacium . . . sed ego sum homo indomitus")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Terpfen

The problem with your suggestion is that when little Tommy voluntarily downloads the spyware file nothing can be done by the "immunization" feature on Spybot S&D or SpyBlaster.


23 posted on 06/16/2004 10:52:45 AM PDT by mlbford2 (Sorry for spelling errors, I'm a product of a state university)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Kerretarded

Log File:

Logfile of HijackThis v1.97.7
Scan saved at 6:26:02 AM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ClipCache\clipc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PORTMA~1.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PORTMA~1.EXE" -Run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E-&mail Page - C:\WINDOWS\Web\Mailto_URL.HTM
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {288451AE-BE24-4216-B946-8600E0498584} (DASWebShop Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://subscribers.scotlandspeople.gov.uk/php/globals/tif_viewer/activex/viewdw32.ocx
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37848.8200578704
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/blasterball2Remix/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


24 posted on 06/16/2004 10:52:54 AM PDT by Born Conservative ("Nothing wrong with shooting as long as the right people get shot" - Dirty Harry)
[ Post Reply | Private Reply | To 8 | View Replies]
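Added example, not code from the thread: a small Python triage parser for the HijackThis log format posted above, fed a handful of lines excerpted from that log. It splits lines into their section tags (O2 BHOs, O4 Run entries, O16 ActiveX downloads, O10 LSP state) and flags the entries a human should identify before "fixing" anything; the allowlist of download hosts is a constructed assumption, not something HijackThis provides.

```python
import re
from urllib.parse import urlparse

# Lines excerpted from the HijackThis log posted in this thread.
LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37848.8200578704
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/blasterball2Remix/install.cab
"""
LINE_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

def parse_log(text):
    """Split HijackThis lines into records keyed by section (O2, O4, O16, ...)."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines carry no section tag
        section, body = m.groups()
        rec = {"section": section, "body": body}
        if section == "O2" and (b := BHO_RE.match(body)):
            rec.update(name=b[1], clsid=b[2], path=b[3])
        elif section == "O4" and (r := RUN_RE.match(body)):
            rec.update(hive=r[1], key=r[2], label=r[3], command=r[4])
        elif section == "O16" and (d := DPF_RE.match(body)):
            rec.update(clsid=d[1], name=d[2] or "(no name)", url=d[3], host=urlparse(d[3]).hostname)
        records.append(rec)
    return records

# Constructed allowlist of download hosts for software the poster knowingly runs;
# anything else is queued for a human decision, never deleted automatically.
KNOWN_DPF_HOSTS = {"office.microsoft.com", "download.macromedia.com", "v4.windowsupdate.microsoft.com"}

def triage(records):
    """Return (section, reason, detail) for entries that deserve a second look."""
    findings = []
    for rec in records:
        s = rec["section"]
        if s == "O2" and rec.get("name") == "(no name)":
            findings.append((s, "unnamed BHO: identify the DLL's vendor first", rec["path"]))
        elif s == "O4" and "command" in rec and not ABS_PATH_RE.match(rec["command"]):
            findings.append((s, "autorun without an absolute path", rec["command"]))
        elif s == "O10":
            findings.append((s, "Winsock LSP chain broken; repair before more removals", rec["body"]))
        elif s == "O16" and rec.get("host") not in KNOWN_DPF_HOSTS:
            findings.append((s, "ActiveX download from a host not on the allowlist", rec["host"]))
    return findings
```

Note that the unnamed Spybot helper BHO is flagged too: the parser surfaces entries for review, it does not decide what is spyware.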

To: Bluntpoint; Born Conservative; Clara Lou
Try running your anti-spyware with system restore off.

Indeed. Also try the free version of SpywareBlaster. And as Clara Lou pointed out, SpyBot Search and destroy has an option to protect your home page.

You can spend 25 or so for History Kill and it does great at a lot of things.

25 posted on 06/16/2004 10:53:33 AM PDT by Principled
[ Post Reply | Private Reply | To 4 | View Replies]

To: eleni121

No, I meant a total system restore to factory condition (if you have a cable connection it will go to the manufacturer website and update any new and better drivers). Then go straight to Windows Update for patches, 2nd install virus/firewalls, and then just reload everything else (i.e. java runtime, word, etc.)


26 posted on 06/16/2004 10:56:20 AM PDT by mlbford2 (Sorry for spelling errors, I'm a product of a state university)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Born Conservative

Went through the same thing with my wife's PC. We had it loaded with Norton AntiVirus, Ad-Aware, Spybot, et al. Nothing worked. Many of these invasive lines of code hit your registry and make it next to impossible to remove without professional help. I ended up installing Windows XP Home Edition on her PC, formatting the entire hard drive to get a fresh start. Since then, it's been fine.

Someone else suggested getting your child his (her) own PC.. a good idea. Keep them off your unit! Good luck!


27 posted on 06/16/2004 10:56:31 AM PDT by Spottys Spurs
[ Post Reply | Private Reply | To 1 | View Replies]

To: Born Conservative

bump for later


28 posted on 06/16/2004 10:57:20 AM PDT by Snardius
[ Post Reply | Private Reply | To 1 | View Replies]

To: COEXERJ145

bump for later read


29 posted on 06/16/2004 10:58:47 AM PDT by plain talk
[ Post Reply | Private Reply | To 20 | View Replies]

To: Born Conservative

I had my computer hijacked also.

HiJack This! saved my butt.

Please see
http://tomcoyote.com/hjt/

They have a forum there staffed with experts.
Post your HiJack This! output (they tell you how to do it) - and you might have to go back and forth about 3-4 times. It's important (apparently) that you take certain actions after running anti-spyware programs.

But they will tell you exactly what to do to fix your computer. If you have something new, they will know it. Good Luck.


30 posted on 06/16/2004 10:59:36 AM PDT by kidd
[ Post Reply | Private Reply | To 1 | View Replies]

To: Principled
"You can spend 25 or so for History Kill and it does great at a lot of things."

I'm about ready to fork over a few bucks for a good program, the trial periods keep expiring.

31 posted on 06/16/2004 10:59:47 AM PDT by No Blue States
[ Post Reply | Private Reply | To 25 | View Replies]

To: Born Conservative

I'd recommend what others have: System Restore to an earlier point.


32 posted on 06/16/2004 10:59:54 AM PDT by FourtySeven (47)
[ Post Reply | Private Reply | To 1 | View Replies]

To: mlbford2

OK I have heard of others doing full system restore. How do you handle the files accumulated? Do you have any neat tricks besides just moving them to disks?


33 posted on 06/16/2004 11:00:39 AM PDT by eleni121 (Mt. Rushmore welcomes the Gipper!)
[ Post Reply | Private Reply | To 26 | View Replies]

To: Born Conservative


I suspect you have the peper trojan.

http://www.kephyr.com/spywarescanner/library/pepertrojan/index.phtml

or some variant. You can only kill it in safe mode.

The instructions above aren't complete enough.

I've found recent infestations that require you to remove the associated BHO using Hijack This, as well as removing the run entries either by editing the registry or using msconfig.

Then go into C:\windows\system32 (or whatever your system root is) and sort the files by date. Chances are you will find 6-8 files all recent dates with the hidden and system bits set (which means you have to turn on show hidden files and folders in windows explorer options). These files will be randomly named and nonsensical.

So to recap, if you have this one.

1. Start in safe mode.
2. Make sure show hidden files and folders are ticked in folder options in the windows explorer (not to be confused with internet explorer)
3. Run Hijack this and delete all BHO's listed of unknown origin. Or just delete them all, you can always install stuff back.
4. Use msconfig or regedit to delete the run entries for anything oddball.

If you have peper or a variant, and you miss a step, it's right back again next time you reboot normally.

I've been seeing peper A LOT lately, and this from people who don't surf anywhere odd. It comes in on a malicious script on a popup as far as I can tell. Once in, it drags in others: cydoor, gator, keenvalue, wintoolsA, etc. and worse.

-Mal


34 posted on 06/16/2004 11:01:10 AM PDT by Malsua
[ Post Reply | Private Reply | To 1 | View Replies]

To: Born Conservative
You might want to go to www.lavasoft.com and download their Ad-aware 6 program. This is great for deleting bots.
35 posted on 06/16/2004 11:01:21 AM PDT by reagandemo
[ Post Reply | Private Reply | To 1 | View Replies]

To: Born Conservative

Get a Mac - problem solved


36 posted on 06/16/2004 11:02:10 AM PDT by SengirV
[ Post Reply | Private Reply | To 1 | View Replies]

To: No Blue States

This happened to a co-worker's machine and the techs said it was the Guardian virus.


37 posted on 06/16/2004 11:03:35 AM PDT by rintense (Screw justice. I want revenge.)
[ Post Reply | Private Reply | To 21 | View Replies]

To: mlbford2
The problem with your suggestion is that when little Tommy voluntarily downloads the spyware file nothing can be done by the "immunization" feature on Spybot S&D or SpyBlaster.

Spyware Blaster prevents little Tommy from ever seeing the temptation to download spyware.

38 posted on 06/16/2004 11:04:21 AM PDT by js1138 (In a minute there is time, for decisions and revisions which a minute will reverse. J Forbes Kerry)
[ Post Reply | Private Reply | To 23 | View Replies]

To: Born Conservative
I hate it for you.

There really ought to be a law, I guess.

39 posted on 06/16/2004 11:05:07 AM PDT by Glenn (The two keys to character: 1) Learn how to keep a secret. 2) ...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Born Conservative

You've got FReepmail....


40 posted on 06/16/2004 11:05:37 AM PDT by b4its2late (Hillary, it is bad to suppress laughter; it goes back down and spreads to your hips.)
[ Post Reply | Private Reply | To 1 | View Replies]
