Posted on 06/16/2004 10:42:22 AM PDT by Born Conservative
Please excuse the vanity (this is my first vanity post). I am having a problem with spyware. It started when my 11-year-old son installed a "really cool" screensaver on the computer (running XP Home) from "screensaver.com". As soon as he told me he did that, I knew that I was up the creek without a paddle. So, I ran Spybot, and then Ad Aware, and "fixed" my Spyware problems. Right. Needless to say, my computer is still infested.
I then did some searching on the web, and downloaded Hijack This, since my browser was hijacked to a different home page (msn.com). Since I wasn't sure which programs were spyware, and which were not, I haven't "fixed" them with Hijack This yet. I also downloaded Aluria's free spyware scanner, and it shows 17 spyware files. The files include Wild Tangent, IWon, Cydoor, 2020Search, Comet Cursor, WhenUSave, and MyWay Speedbar. I did re-run the SpyBot and AdAware, as well as CWShredder (run in Safe Mode), but the spyware persists. I am also up to date on all Windows updates. Any help would be appreciated. I do have a log file from the Hijack This if that would help.
Get your son his own computer, then when he's "stuck" by his "really cool" junk he will learn ............
I had a similar problem a few weeks ago, and I ended up re-installing some components of Windows 2000. There's a great website I came across where you can post your registry file directory, and someone will provide advice on how to deal with your problem.
Try running your anti-spyware with system restore off.
Are you sure that you have the latest version of SpyBot? Also, SpyBot has a spot where you can set it so that your homepage can no longer be hijacked.
btttttt
btttttt
I am going through the same crap right now. Post your log file.
CWShredder usually works for my friends. Haven't used it myself. I just did a clean wipe on my OS system yesterday. Just took me 2 hrs. I do this once a year. If you haven't done it in a while you might consider this.
I can't help much, but I can tell you that if you get rid of those files you listed, it will help. Also, did you make sure that you had the most recent version of Adaware? Don't forget to run your virus scanner program, too.
There's a program called Spyware Blaster. It prevents spyware from being installed on your PC in the first place. Get it going, then try another spyware scan. If the spyware scanners get rid of the spyware, Spyware Blaster should prevent them from coming back.
Spybot has a feature like this, called Inoculation, but it's not as extensive as Spyware Blaster's. It's definitely worth using, however.
It could be one of those "Messenger ads", which are really annoying because they don't appear as spyware. Try this advisory:
http://www.microsoft.com/windowsxp/using/security/learnmore/stopspamv45.mspx
Post the results of Hijack This! here so we can see it.
Sounds like you need to do system restore to a prior point. Many times the spyware programs are the worst. I'd get a good anti-virus program (Norton, Trendmicro, etc) and download the recent patches from microsoft. In the end once everything is stripped it often gets into the registry and you may have to restore your whole system to a known safe earlier date. Some people have to wipe the whole system clean and startup disc from the beginning.
Sometimes the cure is worse than the fix with spyware.
Good idea; I didn't think of that (although I did run in Safe Mode; not sure if System Restore is on during Safe Mode).
"...clean wipe on OS..."
Clean wipe means defrag right? no?
Oops-- I have both SpyBot and Spyware Blaster. It's Spyware Blaster that has the ability for you to lock your homepage setting so that it can't be hijacked.
By the way, I found this morning that my Internet Explorer homepage had been hijacked to MSN. I can't figure out how it happened-- and I didn't have it protected from hijack, either. It is now, though.
I downloaded the latest SpyBot (I think it's 1.3; I'm not at my home computer now).
I would also run a full virus scan and make sure your anti-virus program is up to date as well.
Same problem here, Bump for solutions.
Try running AdAware with the "Deep Scan" option activated (or something like that). It takes a lot longer because it goes through 120,000+ files instead of 35,000 or so, but I do this every couple of weeks and I haven't had a problem since my last disaster in early May.
The problem with your suggestion is that when little Tommy voluntarily downloads the spyware file nothing can be done by the "immunization" feature on Spybot S&D or SpyBlaster.
Log File:
Logfile of HijackThis v1.97.7
Scan saved at 6:26:02 AM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ClipCache\clipc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PORTMA~1.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PORTMA~1.EXE" -Run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E-&mail Page - C:\WINDOWS\Web\Mailto_URL.HTM
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {288451AE-BE24-4216-B946-8600E0498584} (DASWebShop Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://subscribers.scotlandspeople.gov.uk/php/globals/tif_viewer/activex/viewdw32.ocx
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37848.8200578704
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/blasterball2Remix/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
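As an added example (not posted by anyone in this thread), a small Python parser for the HijackThis log format shown above, with a triage pass that pulls out the entry types the thread keeps coming back to: BHOs and downloaded ActiveX controls with no friendly name, Winsock LSP problems, and IE policy restrictions. The sample log is constructed from the same line shapes as the posted one; which flagged entries are actually unwanted is still a reviewer's call.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in HijackThis 1.97 log format (same line shapes as the
# log posted in the thread, cut down to a few entries).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37848.8200578704
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/blasterball2Remix/install.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")

def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                      # first coded entry ends the process list
            in_procs = False
            entries.append((m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(entries):
    """Entries a reviewer would look at first, keyed by the reason."""
    findings = defaultdict(list)
    for code, body in entries:
        if code == "O2" and (m := BHO_RE.match(body)) and m.group("name") == "(no name)":
            findings["unnamed BHO"].append(m.group("path"))
        elif code == "O16" and (m := DPF_RE.match(body)) and not m.group("name"):
            findings["unnamed ActiveX download"].append(urlsplit(m.group("url")).hostname)
        elif code == "O10":        # Winsock LSP chain problems break connectivity
            findings["winsock LSP problem"].append(body)
        elif code == "O6":         # policy keys that lock IE settings
            findings["IE policy restriction"].append(body)
    return dict(findings)
```

The Adobe BHO is flagged only because it carries no name; the point of the triage list is to shorten what a human reads, not to decide for them.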
Indeed. Also try the free version of SpywareBlaster. And as Clara Lou pointed out, SpyBot Search and destroy has an option to protect your home page.
You can spend 25 or so for History Kill and it does great at a lot of things.
No, I meant a total system restore to factory condition (if you have a cable connection it will go to the manufacturer website and update any new and better drivers). Then go straight to Windows Update for patches, 2nd install virus/firewalls, and then just reload everything else (ie java runtime, word, etc.)
Went through the same thing with my wife's PC. We had it loaded with Norton AntiVirus, Ad-Aware, Spybot, et al. Nothing worked. Many of these invasive lines of code hit your registry and make it next to impossible to remove without professional help. I ended up installing Windows XP Home Edition on her PC, formatting the entire hard drive to get a fresh start. Since then, it's been fine.
Someone else suggested getting your child his (her) own PC.. a good idea. Keep them off your unit! Good luck!
bump for later
bump for later read
I had my computer hijacked also.
HiJack This! saved my butt.
Please see
http://tomcoyote.com/hjt/
They have a forum there staffed with experts.
Post your HiJack This! output (they tell you how to do it) - and you might have to go back and forth about 3-4 times. It's important (apparently) that you take certain actions after running anti-spyware programs.
But they will tell you exactly what to do to fix your computer. If you have something new, they will know it. Good Luck.
I'm about ready to fork over a few bucks for a good program, the trial periods keep expiring.
I'd recommend what others have: System Restore to an earlier point.
OK I have heard of others doing full system restore. How do you handle the files accumulated? Do you have any neat tricks besides just moving them to disks?
I suspect you have the peper trojan.
http://www.kephyr.com/spywarescanner/library/pepertrojan/index.phtml
or some variant. You can only kill it in safe mode.
The instructions above aren't complete enough.
I've found recent infestations that require you to remove the associated BHO using Hijack This, as well as removing the run entries either by editing the registry or using msconfig.
Then go into C:\windows\system32 (or whatever your system root is) and sort the files by date. Chances are you will find 6-8 files all recent dates with the hidden and system bits set (which means you have to turn on show hidden files and folders in windows explorer options). These files will be randomly named and nonsensical.
So, to recap, if you have this one:
1. Start in safe mode.
2. Make sure show hidden files and folders is ticked in folder options in the windows explorer (not to be confused with internet explorer)
3. Run Hijack This and delete all BHOs listed of unknown origin. Or just delete them all, you can always install stuff back.
4. Use msconfig or regedit to delete the run entries for anything oddball.
If you have peper or a variant, and you miss a step, it's right back again next time you reboot normally.
I've been seeing peper a lot lately and this from people who don't surf anywhere odd. It comes in on a malicious script on a popup as far as I can tell. Once in, it drags in others. cydoor, gator, keenvalue, wintoolsA, etc. and worse.
-Mal
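An added example (mine, not Mal's) that turns the system32 check from the recap above into code: list files in one directory that are both hidden and system and were written recently, newest first, the same view you get by sorting Explorer by date with hidden files shown. The "nonsensical name" cue is scored by a heuristic of my own (no vowels, or letters alternating with digits), which is an assumption, not something the post specifies; the constructed records include a legitimate hidden+system file to show why the attribute filter alone is not a verdict.

```python
import os
import stat
import time

# Windows file attribute bits; the stat module exposes them on every platform.
HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN   # 0x2
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM   # 0x4

def is_suspect(mtime, attrs, now, max_age_days=14):
    """The post's filter: hidden AND system, and modified within max_age_days."""
    recent = (now - mtime) <= max_age_days * 86400
    hidden_system = (attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM)
    return recent and hidden_system

def looks_random(name):
    """Assumed heuristic for a 'randomly named and nonsensical' file: a stem of
    5+ characters with no vowels, or with letters and digits alternating."""
    stem = name.rsplit(".", 1)[0].lower()
    if len(stem) < 5:
        return False
    no_vowel = not any(c in "aeiouy" for c in stem)
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return no_vowel or flips >= 3

def triage_records(records, now, max_age_days=14):
    """records: iterable of (name, mtime, attrs). Returns (name, looks_random)
    for every record passing is_suspect, newest first."""
    hits = [(n, m) for n, m, a in records if is_suspect(m, a, now, max_age_days)]
    hits.sort(key=lambda t: t[1], reverse=True)
    return [(n, looks_random(n)) for n, _ in hits]

def scan_dir(directory, max_age_days=14):
    """Non-recursive scan of a real directory. The hidden/system bits are only
    present in st_file_attributes on Windows; elsewhere attrs read as 0."""
    now = time.time()
    records = []
    for e in os.scandir(directory):
        if e.is_file(follow_symlinks=False):
            st = e.stat(follow_symlinks=False)
            records.append((e.name, st.st_mtime, getattr(st, "st_file_attributes", 0)))
    return triage_records(records, now, max_age_days)

# Constructed sample listing (name, mtime, attrs); not real system32 content.
SAMPLE_NOW = 1_087_400_000   # epoch seconds, roughly the date of this thread
SAMPLE = [
    ("kernel32.dll", SAMPLE_NOW - 400 * 86400, 0),
    ("ctfmon.exe",   SAMPLE_NOW -   2 * 86400, 0),
    ("desktop.ini",  SAMPLE_NOW -   3 * 86400, HIDDEN | SYSTEM),
    ("xkqzvw.dll",   SAMPLE_NOW -   1 * 86400, HIDDEN | SYSTEM),
    ("oldhide.sys",  SAMPLE_NOW - 300 * 86400, HIDDEN | SYSTEM),
]
```

desktop.ini passes the attribute-and-date filter but scores False on the name check, which is the kind of entry you confirm before deleting anything in a system directory.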
Get a Mac - problem solved
This happened to a co-worker's machine and the techs said it was the Guardian virus.
Spyware Blaster prevents little Tommy from ever seeing the temptation to download spyware.
There really ought to be a law, I guess.
You've got FReepmail....
It's pretty simple. Make a master Folder on your desktop and just drag everything into that and dump it on your disk (F drive). Diskette won't work well (it will, but it might take a few hundred of them). Then go to your email program and make sure nothing will be missed because that will be wiped clean. Next check any of your settings that you made in Start/Run (msconfig)/startup. After all that just do a full system restore from D drive or disc.
Set up Ad-aware like this - before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:
General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."
Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".
Reboot when done.
b
If the homepage of IE was changed, go into Control Panel/Internet Options and change the default home page to blank.
Spy Bot may also zap some registry files that might screw up your internet connection, so be ready to do a restore if that happens. Then pick and choose what to zap on each run until you can tweak it out...
I ran into a problem using Lavasoft's Ad-aware, it hijacked my browser to MSN.com. It took me a long time to figure out what was happening. Lavasoft says coming versions of Ad-aware won't do this.
If your home page is set to about:blank you might run into the same problem I had.
It seems that some hacker is using about:blank as a way to get around spyware removal programs. So when you run Lavasoft's Ad-aware it shows a possible browser hijack when you have set your home page as about:blank. If you allow Ad-aware to fix this, it resets your browser to the Windows default of MSN.com.
If this is the problem you are having, instead of allowing Ad-aware to fix the problem, select the possible browser hijack and mark it to be ignored.
If you are worried that your system is infected, first run Ad-aware with your home page set to MSN.com, if it runs clean, then change your home page to about:blank and run Ad-aware again, then mark the possible browser hijack to ignore.
Upon looking at your HijackThis log, it looks clean enough to me. You're running some stuff I wouldn't but none of it appears to be spyware.
One has to wonder how many of these are created by the people selling the fix..
A Spy Bot file restore, not a complete computer hard drive restore, that is......