Reoccurring problem??

Discussion in 'adware, spyware & hijack cleaning' started by Ja-ZAamM, May 21, 2004.

Thread Status:
Not open for further replies.
  1. Ja-ZAamM

    Ja-ZAamM Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Hello,

    There are a couple of questions that I have concerning SpywareBlaster.
    Being a newbie, these questions may seem stupid. Sorry.

    In the area of Restricted Sites, one site keeps on enabling itself even though I repeatedly enabled that site in the restricted list.

    XXXToolbar.com is one site that has the ability to unable itself. o_O

    The other question is to do with the adware that I detected through PestPatrol.

    CWS.GoogleMS.3

    It's located in: In Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com

    Obviously they're related but how do I get rid of this pest?? Any help would be much appreciated.

    Oh, by the way, SpywareBlaster and SpywareGuard ROCK!!!! :D
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
  3. Ja-ZAamM

    Ja-ZAamM Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Hello Unzy,

    Thank you for your reply. Currently I'm using AdAware 6 Pro, Webroot Spy Sweeper and Pest Patrol Corporate for detection and removal of spyware. I also use SpywareGuard and SpywareBlaster. For Popups I use PopUpCop, AdsGone 2004, AdsOff and EMS Free Surfer Companion. I have Microsoft's XP Firewall on and I use McAfee's firewall and AntiVirus software.

    I hope this helps.... But as you can see, XXXToolbar is not here.... it self activates.... Somehow it unchecks itself in SpywareBlaster.... How is this possible?? Thank you for your help.... :doubt:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:31:48 AM, on 21/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\The Claw\TheClaw.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\G-VGA.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\LIUtilities\WinTasks\wintasks.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\AdsOff2\adsoff.exe
    C:\Program Files\wbiff!\wbiff.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\3M\PSNotes2\psn.exe
    C:\Program Files\AdsGone\adsgone.exe
    C:\Program Files\Always On Time\AOTime.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\EMS Free Surfer Companion\fs30.exe
    C:\My Downloads\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.shaw.ca/
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://start.shaw.ca/start/enca/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\o5vjc3pg.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\o5vjc3pg.slt\prefs.js)
    O1 - Hosts: 64.12.152.18 search.netscape.com
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINDOWS\System32\sfg0118.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TheClaw] C:\Program Files\The Claw\TheClaw.exe
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
    O4 - HKLM\..\Run: [WinTasks Traybar] C:\Program Files\LIUtilities\WinTasks\wintasks.exe traybar
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg0118.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdsOff] "C:\Program Files\AdsOff2\adsoff.exe" -startup
    O4 - HKLM\..\Run: [AdsOff Startup] "C:\Program Files\AdsOff2\reset.exe"
    O4 - HKCU\..\Run: [wbiff_autoload] C:\Program Files\wbiff!\wbiff.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [AntiPopUp] C:\Program Files\AntiPopUp\AntiPopUp.exe
    O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
    O4 - Startup: Always On Time Tray Icon.lnk = C:\Program Files\Always On Time\AOTime.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Personal Coach.lnk = ?
    O4 - Global Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes2\psn.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
    O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra button: Natural Reader (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'ao2lsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ConferenceRoom Java Client - http://irc.hossohbet.com/cr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1859307ee820c99a1418/netzip/RdxIE601.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Owner\Local Settings\Temp\EI40_\msxml4.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37905.4751967593
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.madonion.com/global/msc34.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D3E33EA6-92BF-444E-9DF3-E7F879F2006F} (TSRFileManagerXControl Control) - http://sims1.thesimsresource.com/TSRFileManagerControl.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/download.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
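An added example (not part of any poster's message, and not HijackThis's own code): a small Python triage of a HijackThis log like the one posted above. It groups entries by section code and flags a browser add-on DLL that a Run entry re-registers on every boot, which is one way an item can come back after a reboot. The sample lines are copied from the log above; the function names and the flagging rules are this example's own assumptions.

```python
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log posted above, embedded for offline use.
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINDOWS\System32\sfg0118.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg0118.dll
O4 - Global Startup: Personal Coach.lnk = ?
O10 - Broken Internet access because of LSP provider 'ao2lsp.dll' missing
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."

def parse(log):
    """Group HijackThis entries by section code (R0, O2, O4, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            sections[m.group(1)].append(m.group(2).rstrip())
    return sections

def basename(path):
    """Lower-cased file name of a Windows path, quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()

def review(log):
    """Return (reason, entry) pairs that deserve a closer look."""
    s = parse(log)
    findings = []
    # DLLs that Internet Explorer loads as BHOs (O2) or toolbars (O3).
    loaded = {basename(e.rsplit(" - ", 1)[-1]) for e in s["O2"] + s["O3"]}
    for e in s["O4"]:
        m = re.search(r"regsvr32(?:\.exe)?\s+/s\s+(\S.*)$", e, re.I)
        if m and basename(m.group(1)) in loaded:
            findings.append(("re-registered at startup", e))
        if e.endswith("= ?"):
            findings.append(("startup target unresolved", e))
    for e in s["O2"] + s["O3"]:
        if e.endswith("(no file)"):
            findings.append(("orphaned entry", e))
    findings += [("LSP provider missing", e) for e in s["O10"]]
    return findings
```

A flagged entry is only a pointer for manual review: the check says where the same DLL appears both as a browser add-on and in a startup command, not whether that DLL is unwanted.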
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    What version of Spywareblaster are you using?

    Cheers,
     
  5. Ja-ZAamM

    Ja-ZAamM Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Hello Unzy,

    I'm using SpyBlaster 3.1...
    XXXToolbar is a real pest. It self-enables itself in SpyBlaster. o_O

    AdAware isn't thorough either. :mad: Even with all the protection I have, a tracking cookie: owner@counter.superstats[1].txt was detected by AdAware that got through.

    PestPatrol found the AdAware: XXXToolbar.com and two other spyware cookies that slipped by AdAware: owner@indextools[1].txt and owner@clickability[1].txt

    SpySweeper was the most thorough of them all. :rolleyes: It found Wowsearch Hijacker, AD Roings Search Enhancement and CoolWWW which had 18 traces found in various locations. What is nice about SpySweeper as well is that it also gives the CLSIDs of the spyware so I can enter them into SpywareBlaster.

    AdsGone is another program that I have running and is supposed to block spyware as well but it is not to be trusted at all. :mad:

    It's interesting how different programs find different spyware. I found that AdAware was the poorest software out of the ones that I have, but it was able to detect one spyware cookie that the others missed. PestPatrol is a good program and when running would have stopped and removed the adware cookies that it found. (I disabled PestPatrol to see if SpywareBlaster would stop these cookies.)

    The point I'm making here is that no single software program is reliable to stop or detect all spyware. This is frustrating to say the least. I wish that SpywareBlaster and SpywareGuard were more comprehensive. :'(
     
  6. Ja-ZAamM

    Ja-ZAamM Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Hello,

    I removed any reference to XXX in my registry, but after a reboot, I launch IE and voila, there is XXXToolbar.com disabled in SpywareBlaster... what a pain... :mad:
     
  7. Ja-ZAamM

    Ja-ZAamM Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Hello,

    I did some research on the internet and found that PestPatrol sometimes produces false negatives in their program which could be frustrating to say the least. :doubt: The thing is, so many hijackers and malicious spyware enter into computers through Microsoft's Java Virtual Machine (JVM) which is no longer supported by Microsoft. (figures) :mad:

    I found a site that helps people with Windows XP on removal of Microsoft's JVM, and to install Sun's JVM which is more stable. :rolleyes:

    http://www.winnetmag.com/Windows/Article/ArticleID/38206/Windows_38206.html

    Can you please tell me if this could be the answer to SO many problems with hijackers and other common spyware that infect so many XP users?? o_O

    Thank you.... :D
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands