[Solved] I've got spyware popup?!

Discussion in 'adware, spyware & hijack cleaning' started by Dazzer, Jul 4, 2004.

  1. Dazzer

    Dazzer Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    I was hoping I might get a pointer on what to do with my problems with this spyware changing my homepage to "Blank" and getting constant popups telling me I've got spyware on my computer, when IT'S the spyware. It is really soul destroying when you're confined to the house because you're disabled and one of my enjoyments, the computer and surfing the web, is getting destroyed. I've tried the CWShredder and it says I've got the 'searchx' but as usual it comes back. I downloaded the SpywareGuard but having to click all the boxes to keep everything from changing is worse than the popups. I also cannot seem to be able to install the SpywareBlaster; I get the same, it's either corrupt or on a bad hard disk sector. Could someone give my log the once over PLEASE :'(

    Logfile of HijackThis v1.97.7
    Scan saved at 15:40:20, on 04/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
    C:\Documents and Settings\Darrell\My Documents\Downloads\Software Downloads\Programs\High Jack This\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C2E3BFC9-76D7-4F99-8F6E-84423916720E} - C:\WINDOWS\System32\dcdnac.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
    O9 - Extra button: BT Yahoo! Sidebar (HKLM)
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
     
    Last edited: Jul 7, 2004
  2. Dazzer

    Dazzer Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    Re: I've got spyware popup?!

    "bump"
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: I've got spyware popup?!

    Hi Dazzer,

    You have a variant of the CWS trojan that needs a special tool to remove the super hidden dll file.

    Download FINDnFIX.exe (2K/XP only!) by freeatlast, from
    ~removed link to FindnFix as it is no longer available at that site - snap~

    Double-Click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system (Do NOT change the fixed path.)

    Open the FINDnFIX folder and double click on !LOG!.bat.
    IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FINDnFIX folder.

    The program will take a few minutes to finish while it collects the necessary information, then it will create a Log.txt file.
    Post the contents of the Log.txt in your next reply.

    Regards,

    snap
     
    Last edited: Jul 13, 2004
  4. Dazzer

    Dazzer Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    Re: I've got spyware popup?!

    Hi Snapdragon

    Well, thank you for helping, but unfortunately the link you provided says it's a deleted or missing site, and the direct download does not work either?

    Is there anywhere else to get findnfix?

    I hope it's not just me and my computer that's the problem with the link. Once again, thanks for any help you can give.

    Dazzer
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: I've got spyware popup?!

    Hi Dazzer,

    No, it isn't you. The site goes down but hopefully will come back up soon. Please try periodically to download the FINDnFIX.exe file if you can, then follow the instructions in my above post.

    Regards,

    snap
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: I've got spyware popup?!

    Hi Dazzer,

    I've removed the link to the FINDnFIX tool as the Developer has pulled it and it's no longer available right now. If it will be in the future, I don't know.

    The variant of CWS infection you have has a super hidden (invisible) dll which takes a special tool to reveal it and then remove it. I do not have such a tool available to me that I am comfortable with using so at the moment I can only offer these suggestions.

    We can fix the lines in Hijackthis and then follow up with cleaning using Adaware & Spybot Search & Destroy, along with CWShredder. I would also strongly suggest using another browser like Opera or Firefox and completely avoiding using IE to limit further infection.

    _________

    Make sure you have the most recent version of CWShredder v.1.59.01.
    Close ALL browsers and any open windows or programs before running CWShredder.
    Unzip the program, double-click the CWShredder.exe to open it, then click the *Fix button (not the scan button) and follow the instructions you will receive when the program runs. Reboot if prompted.

    Make sure you are using the most recent version of Ad-Aware6 build 6.181, and that you have brought it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file. Do a scan and fix what it finds. Reboot when finished.

    Download the most recent version of Spybot Search&Destroy v1.3, install, and bring it up-to-date by pressing the "Search for Updates" button, and download all updates. Once it is up-to-date, click on the "Check for Problems" button. When the scan is finished, select what is found in Red and choose "Fix selected problems" button. Reboot after the scan.

    Download the latest version of Hijackthis 1.98.0-hotfix.
    Create a permanent folder on your C: drive (example: C:\HJT\ ) and unzip the HijackThis.exe into the permanent folder. HijackThis must run from its own folder and not the Desktop or Temp folders. It creates backups in the folder it is run from, so if you should delete something you needed, you will be able to restore it from the backups.

    Post a new log here in this thread so we can clean up what's left over for now.

    Regards,

    snap
     
  7. Dazzer

    Dazzer Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    Re: I've got spyware popup?!

    Hi Snapdragon

    I have done everything you asked me to do and have posted my HJT log. I do not know why you give your time to do this, but may I say that I am extremely grateful that you and others like yourself are so helpful to us not so well up on computer nightmares.

    Thanks Dazzer

    Logfile of HijackThis v1.98.0
    Scan saved at 19:39:48, on 13/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
    C:\HighJackThis\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com/forumdisplay.php?f=26
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\RECYCLER\NPROTECT\00117753.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: I've got spyware popup?!

    Hi Dazzer, thank you for the kind words, but I wish we could do more.

    Your log doesn't look too bad actually. :) Just a few things to clean up.

    In HijackThis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/...//uk.search.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/...//uk.search.yahoo.com/

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan

    (The following items in blue are optional to fix and not needed to start up with your computer, but will save you some resources if you do fix them)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    Reminder to register Creative Labs SoundBlaster Live! cards

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    Installed with the software for Logitech products. Automatically checks for software upgrades AND new products, services and special offerings from Logitech. Also listed under Logitech Desktop Messenger


    Uninstall both SpyKiller and SpywareBeGone. See here for more information about them: Rogue/Suspect Anti-Spyware Products
    And here: Bogus anti-spyware

    You have the best with AdAware and Spybot Search&Destroy, and they are both free with full support forums.

    Reboot your computer.

    You can also try these two removal tools. Some have had luck with them.

    Scroll down and click on the "Download" link to download the sphjfix.exe tool:
    http://www.rokop-security.de/main/article.php?sid=746

    And you can try this one too:
    Kaspersky's clrav.com removal tool (click on any of the links there and it will take you to the clrav tool)
    http://www.kaspersky.com/removaltools

    There is a great deal of valuable information in the forum posted by many experienced Members. So stay awhile with us, read a little, share a bit, and everyone benefits. Here is some reading to start with that will also help tighten your security: Why did I get infected in the first place?

    Let me know how it goes,

    Regards,

    snap
     
    Last edited: Jul 13, 2004
  9. Dazzer

    Dazzer Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    Re: I've got spyware popup?!

    Hi Snapdragon

    Followed what you listed to the letter. If one of the corrections has reappeared to do with "yahoo", it may be the other browser I got when I upgraded to broadband as part of the software that came with it. I'm not sure if it is a totally independent browser of its own or uses Microsoft's IE in some part. However, I can use either, but only have the problems when using the IE browser, so fingers crossed it stays that way. By the way, I had uninstalled the two programmes you listed already. :)

    I have posted another HJT log

    Thank you, Dazzer

    Logfile of HijackThis v1.98.0
    Scan saved at 11:49:59, on 14/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
    C:\HighJackThis\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com/forumdisplay.php?f=26
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKLM\..\Run: [KL AntiFunLove] C:\WINDOWS\System32\flcss.exe /scan
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\RECYCLER\NPROTECT\00117753.EXE
    O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  10. snapdragin (Administrator; joined Feb 16, 2002; 8,415 posts; Southern Ont., Canada)
    Re: I've got spyware popup?!

    Hi Dazzer,

    This entry here has me worried, but if your Norton is up-to-date, I'm not sure why it didn't catch it?
    O4 - HKLM\..\Run: [KL AntiFunLove] C:\WINDOWS\System32\flcss.exe /scan

    The file "flcss.exe" in the System32 folder is an indication of an old virus called FunLove:
    Panda Antivirus: W32/FunLove.4099
    Symantec Antivirus: W32.Funlove.4099

    Fix these two lines in HijackThis.
    Close all browsers (except HijackThis), place a check beside the following, and click "Fix checked":

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/...//uk.search.yahoo.com/

    O4 - HKLM\..\Run: [KL AntiFunLove] C:\WINDOWS\System32\flcss.exe /scan


    Then go to Panda Antivirus and do a FULL system scan. Let it fix/delete what it finds:
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    You can also try the removal tool by Symantec Antivirus:
    Windows NT users DOS FunLove.4099 Fix Tool
    (scroll down to where it describes how to use the FixFun.exe with Windows NT/2000 using NTFS)

    Make sure your Norton is up-to-date and functioning properly, and scan with it while in Safe Mode.

    I'm not sure if the browser you are using uses any part of IE, but you may still want to consider looking into using an alternative browser which is completely separate from IE. Quite a few Members here use Opera and also Firefox, so you could ask in the Software & Services forum for ideas on which one would work best for you.

    When finished with the above scans, please post a new log so we can see if anything else pops up that shouldn't.

    Regards,

    snap
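The triage above works from the O4 lines of the log: each one names the hive and key (or startup folder), the value name in brackets, and the command that runs at logon. As an added example that is not code from the thread, from HijackThis, or from any product in the log, the Python below re-joins log lines that a forum or mail client has wrapped (as happened to the log posted above), splits each O4 entry into those parts, works out which file actually loads (for rundll32 that is the DLL, not rundll32 itself), and flags names on a watch list. The sample lines and the watch list are constructed from this thread; the only watch-list entry is the flcss.exe name snapdragin's post singles out. A hit is a lead to confirm by hand, not a verdict, which is exactly how it should be read here.

```python
"""Re-join and triage the autostart (O4) entries of a HijackThis log.

Added example for this thread; it is not code from the thread, from
HijackThis, or from any product named in the log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O4 lines copied from the log posted above.  The first
# entry is wrapped across two lines the way the forum rendered it, so the
# re-joining step gets exercised.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KL AntiFunLove] C:\WINDOWS\System32\flcss.exe /scan
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
"""

# File names the post above singles out (assumption: this list is ours, built
# from the thread).  A hit is a lead to verify by hand, not a verdict.
WATCH_LIST = {"flcss.exe"}

# Every HijackThis entry starts with a section tag such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# Registry autostart: O4 - HKLM\..\Run: [ValueName] command line
REG_RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder shortcut: O4 - Startup: name.lnk = resolved target
STARTUP = re.compile(
    r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# Program part of an unquoted command line: up to the first executable-looking
# extension that is followed by whitespace, a comma, or the end of the line.
PROG_RE = re.compile(r"^(?P<prog>.+?\.(?:exe|com|dll|scr|bat|cmd|pif))(?=[\s,]|$)", re.I)


@dataclass
class Autostart:
    source: str         # e.g. "HKLM\..\Run" or "Global Startup"
    name: str           # registry value name or .lnk name
    command: str        # command line exactly as logged
    target: str         # file that really loads (the DLL for rundll32)
    findings: List[str]


def join_wrapped(text: str) -> List[str]:
    """Glue wrapped continuation lines back onto the entry they belong to."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] = entries[-1] + " " + line
    return entries


def first_token(cmd: str) -> str:
    """Return the program part of a command line, honouring quotes and
    unquoted paths that contain spaces (common in this log)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = PROG_RE.match(cmd)
    return m["prog"] if m else cmd.split(" ", 1)[0]


def target_of(cmd: str) -> str:
    """What actually gets loaded: for rundll32 it is the DLL argument."""
    exe = first_token(cmd)
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        stripped = cmd.strip()
        offset = len(exe) + 2 if stripped.startswith('"') else len(exe)
        rest = stripped[offset:].strip()
        # rundll32 takes "path\to.dll,EntryPoint"; keep only the DLL path
        return first_token(rest).split(",", 1)[0]
    return exe


def triage(target: str) -> List[str]:
    findings: List[str] = []
    base = target.rsplit("\\", 1)[-1].lower()
    if base in WATCH_LIST:
        findings.append(f"watch-list name {base}: check where the file came from and scan it")
    if target == "?":
        findings.append("HijackThis could not resolve the shortcut target; open the .lnk and check")
    elif "\\" not in target:
        findings.append("bare file name, resolved via the search path at logon; confirm which file runs")
    return findings


def parse_o4(entry: str) -> Optional[Autostart]:
    m = REG_RUN.match(entry)
    if m:
        source = f"{m['hive']}\\..\\{m['key']}"
        name, cmd = m["name"], m["cmd"]
    else:
        m = STARTUP.match(entry)
        if not m:
            return None          # not an O4 line
        source, name, cmd = m["where"], m["name"], m["cmd"]
    target = target_of(cmd)
    return Autostart(source, name, cmd, target, triage(target))


def triage_log(text: str) -> List[Autostart]:
    """Re-join a pasted log and return its O4 entries with findings."""
    return [a for a in (parse_o4(e) for e in join_wrapped(text)) if a is not None]


if __name__ == "__main__":
    for a in triage_log(SAMPLE_LOG):
        print(f"{a.source:16} [{a.name}] -> {a.target}  {' ; '.join(a.findings) or 'ok'}")
```

Run it against a whole log pasted into SAMPLE_LOG (or read from a file) and the output lists one line per autostart with the file that really loads; the two rundll32 entries in Dazzer's log resolve to NvCpl.dll and NVMCTRAY.DLL, which is what you would then check, not rundll32.exe.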
     
  11. Dazzer (Registered Member; joined Jul 4, 2004; 6 posts)
    Re: I've got spyware popup?!

    Hello Snapdragon

    I have a confession to make. It was me that got the FunLove virus thing installed. It was when I went to Kaspersky.com looking for the clrav.com removal tool; I got a bit lost and must have clicked on this download, but it was a removal tool aimed solely at the FunLove virus. I had meant to uninstall it before the HJT log but forgot :oops: Sorry I gave you a bit of a wild goose chase with that one, but I have uninstalled it now and it is not in the HJT log. I have done the fix and also the Panda scan it came up, and have posted the new log; I will take a look at the forum and browsers you mentioned.

    Once again sorry, and thankyou.

    Dazzer

    Logfile of HijackThis v1.98.0
    Scan saved at 11:25:43, on 15/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\HighJackThis\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com/forumdisplay.php?f=26
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\RECYCLER\NPROTECT\00117753.EXE
    O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
     
    Last edited: Jul 15, 2004
  12. snapdragin (Administrator; joined Feb 16, 2002; 8,415 posts; Southern Ont., Canada)
    Re: I've got spyware popup?!

    Ahh...I wondered when I saw this part [KL AntiFunLove], but better safe than sorry. :D

    Your log looks clean, Dazzer, and an alternative browser is the way to go right now.

    Good work!

    Regards,

    snap
     