[Solved] I've got spyware popup?!

I was hoping I might have got a pointer on what to do with my problems with this spyware changing my hompage to "Blank" and getting constant popups tellling me I've got spyware on my computer, when ITS the spyware is really soul destroying. when your confined to the house becaused your disabled and one of my enjoyments is the computer and surfing the web is getting destroyed. Ive tried the CWShredder and it says i've got the 'searchx' but as usual it comes back. I downloaded the spyguard but having to click all the boxes to keep everything from changing is worse than the popups. I also cannot seem to be able to install the spywareblaster I get same its either corrupt or on a bad hard disk sector. Could someone give my log the once over PLEASE

Logfile of HijackThis v1.97.7
Scan saved at 15:40:20, on 04/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
C:\Documents and Settings\Darrell\My Documents\Downloads\Software Downloads\Programs\High Jack

This\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

file://C:\DOCUME~1\Darrell\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =

http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C2E3BFC9-76D7-4F99-8F6E-84423916720E} - C:\WINDOWS\System32\dcdnac.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray]

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare

software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software

Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -

C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O9 - Extra button: BT Yahoo! Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

 

Re: I've got spyware popup?!

"bump"

 

Re: I've got spyware popup?!

Hi Dazzer,

You have a variant of the CWS trojan that needs a special tool to remove the super hidden dll file.

Download FINDnFIX.exe (2K/XP only!) by freeatlast, from
~removed link to FindnFix as it is no longer available at that site - snap~

Double-Click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system (Do NOT change the fixed path.)

Open the FINDnFIX folder and double click on !LOG!.bat.
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FINDnFIX folder.

The program will take a few minutes to finish while it collects the necessary information, then it will create a Log.txt file.
Post the contents of the Log.txt in your next reply.

Regards,

snap

 

Re: I've got spyware popup?!

Hi Snapdragon

Well thankyou for helping but unfortunatly the link you provided says its a deleted or missing site and the direct download does not work either?

Is there anywhere else to get findnfix?

I hope this not just me and my computer thats the problem with the link. Once again thanks for any help you can give.

Dazzer

 

Re: I've got spyware popup?!

Hi Dazzer,

No, it isn't you. The site goes down but hopefully will come back up soon. Please try periodically to download the FINDnFIX.exe file if you can, then follow the instructions in my above post.

Regards,

snap

 

Re: I've got spyware popup?!

Hi Dazzer,

I've removed the link to the FINDnFIX tool as the Developer has pulled it and it's no longer available right now. If it will be in the future, I don't know.

The variant of CWS infection you have has a super hidden (invisible) dll which takes a special tool to reveal it and then remove it. I do not have such a tool available to me that I am comfortable with using so at the moment I can only offer these suggestions.

We can fix the lines in Hijackthis and then followup with cleaning using Adaware & Spybot Search & Destroy, along with CWShredder. I would also strongly suggest using another browser like Opera or Firefox and complete avoid using IE to limit further infection.

_________

Make sure you have the most recent version of CWShredder v.1.59.01.
Close ALL browsers and any open windows or programs before running CWShredder.
Unzip the program, double-click the CWShredder.exe to open it, then click the *Fix button (not the scan button) and follow the instructions you will receive when the program runs. Reboot if prompted.

Make sure you are using the most recent version of Ad-Aware6 build 6.181, and that you have brought it up-todate by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file. Do a scan and fix what it finds. Reboot when finished.

Download the most recent version of Spybot Search&Destroy v1.3, install, and bring it up-to-date by pressing the "Search for Updates" button, and download all updates. Once it is up-to-date, click on the "Check for Problems" button. When the scan is finished, select what is found in Red and choose "Fix selected problems" button. Reboot after the scan.

Download the latest version of Hijackthis 1.98.0-hotfix.
Create a permanent folder on your C: drive (example: C:\HJT\ ) and unzip the HijackThis.exe into the permanent folder. HijackThis must run from it's own folder and not the Desktop or Temp folders. It creates backups in the folder it is ran from, so if you should delete something you needed, you will be able to restore it from the backups.

Post a new log here in this thread so we can clean up what's left over for now.

Regards,

snap

 

Re: I've got spyware popup?!

Hi Snapdragon

I have done everything you asked me to do and have posted my HJT log. I do not know why do give your time to do this but may I say that I am extremely grateful that you and others like yourself are so helpful to us not so well up on computer nightmares.

Thanks Dazzer

Logfile of HijackThis v1.98.0
Scan saved at 19:39:48, on 13/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
C:\HighJackThis\HijackThis1980hf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

https://www.wilderssecurity.com/forumdisplay.php?f=26
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yah

oo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yah

oo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO -

{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection -

{4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program

Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class -

{BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray]

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0

\printray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common

Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program

Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC]

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround

Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program

Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [NAV Agent]

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal

Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100

Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program

Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft

Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program

Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk =

C:\RECYCLER\NPROTECT\00117753.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program

Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld

NetHelp\bin\matcli.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -

C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: BT Yahoo! Sidebar -

{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program

Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar -

{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program

Files\Yahoo!\browser\ysidebarIE.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall

Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/x

scan53.cab

 

Re: I've got spyware popup?!

Hi Dazzer, thank you for the kinds words, but I wish we could do more.

Your log doesn't look too bad actually. Just a few things to clean up.

In HijackThis, place a check beside the following items.
Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/...//uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/...//uk.search.yahoo.com/

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan

(The following items in blue are optional to fix and not needed to startup with your computer, but will save you some resources if you do fix them)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
Reminder to register Creative Labs SoundBlaster Live! cards

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Installed with the software for Logitech products. Automatically checks for software upgrades AND new products, services and special offerings from Logitech. Also listed under Logitech Desktop Messenger


Uninstall both SpyKiller and SpywareBeGone. See here for more information about them: Rogue/Suspect Anti-Spyware Products
And here: Bogus anti-spyware

You have the best with AdAware and Spybot Search&Destroy, and they are both free with full support forums.

Reboot your computer.

You can also try these two removal tools. Some have had luck with them.

Scroll down and click on the "Download" link to download the sphjfix.exe tool:
http://www.rokop-security.de/main/article.php?sid=746

And you can try this one too:
Kaspersky's clrav.com removal tool (click on any of the links there and it will take you to the clrav tool)
http://www.kaspersky.com/removaltools

There is a great deal of valuable information in the forum posted by many experienced Members. So stay awhile with us, read a little, share a bit, and everyone benefits. Here is some reading to start with that will also help tighten your security: Why did I get infected in the first place?

Let me know how it goes,

Regards,

snap

 

Re: I've got spyware popup?!

Hi Snapdragon

Followed what you listed to the letter. If one of the corrections has reappeared to do with "yahoo" it may be the other browser I got when I upgraded to broadband as part of the software that came with it. I'm not sure if it is a totally independant browser of its own or uses mircosoft's IE in some part. However I can use either or but only have the problems when using the IE browser, so fingers crossed it stays that way. By the way I had uninstalled the two programmes you listed already.

I have posted another HJT log

Thankyou Dazzer

Logfile of HijackThis v1.98.0
Scan saved at 11:49:59, on 14/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
C:\HighJackThis\HijackThis1980hf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

https://www.wilderssecurity.com/forumdisplay.php?f=26
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yah

oo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO -

{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection -

{4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program

Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class -

{BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray]

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0

\printray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common

Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program

Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC]

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround

Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program

Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [NAV Agent]

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal

Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100

Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program

Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [KL AntiFunLove] C:\WINDOWS\System32\flcss.exe /scan
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft

Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program

Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk =

C:\RECYCLER\NPROTECT\00117753.EXE
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld

NetHelp\bin\matcli.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -

C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: BT Yahoo! Sidebar -

{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program

Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar -

{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program

Files\Yahoo!\browser\ysidebarIE.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall

Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/x

scan53.cab

 

Re: I've got spyware popup?!

Hi Dazzer,

This entry here has me worried, but if your Norton's is up-to-date, I'm not sure why it didn't catch it?
O4 - HKLM\..\Run: [KL AntiFunLove] C:\WINDOWS\System32\flcss.exe /scan

The file "flcss.exe" in the System32 folder is an indication of an old virus called FunLove:
Panda Antivirus: W32/FunLove.4099
Symantec Antivirus: W32.Funlove.4099

Fix these two lines in Hijackthis.
Close all browsers (except Hijackthis) and place a check beside the following, and click *Fixed checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/...//uk.search.yahoo.com/

O4 - HKLM\..\Run: [KL AntiFunLove] C:\WINDOWS\System32\flcss.exe /scan

Then go to Panda Antivirus and do a FULL system scan. Let it fix/delete what it fines:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

You can also try the removal tool by Symantec Antivirus:
Windows NT users DOS FunLove.4099 Fix Tool
(scroll down to where it describes how to use the FixFun.exe with Windows NT/2000 using NTFS)

Make sure your Norton's is up-todate and functioning properly, and scan with it while in Safe Mode

I'm not sure if the browser you are using uses any part of IE, but you may still want to consider looking into using an alternative browser which is completely separate from IE. Quite a few Members here use Opera and also Firefox, so you could ask in the Software & Services forum for ideas on which one would work best for you.

When finished with the above scans, please post a new log so we can see if anything else pops up that shouldn't.

Regards,

snap

 

Re: I've got spyware popup?!

Hello Snapdragon

I have a confession to make. It was me that got the funlove virius thing installed, it was when I went to the Kaspersky.com looking for the clrav.com removal tool got a bit lost and must of clicked on this download but it was a removal tool aimed solely at the Funlove virus. I had meant to uninstall it before the hjt log but forgot sorry I gave you a bit of a wild goose chase with that one but I have uninstalled it now, and its not on the hjt log. I have done the fix and also the Panda scan it came up and posted the new log, i will take a look at the forum and browsers you mentioned.

Once again sorry, and thankyou.

Dazzer

Logfile of HijackThis v1.98.0
Scan saved at 11:25:43, on 15/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HighJackThis\HijackThis1980hf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

https://www.wilderssecurity.com/forumdisplay.php?f=26
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -

C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection -

{4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program

Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program

Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray]

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.e

xe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC]

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround

Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program

Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100

Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch

USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works

Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak

EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk =

C:\RECYCLER\NPROTECT\00117753.EXE
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -

C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} -

C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar -

{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program

Files\Yahoo!\browser\ysidebarIE.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.ca

b
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client

v.3.4) - http://ccon.futuremark.com/global/msc34.cab

 

Re: I've got spyware popup?!

Ahh...I wondered when I saw this part [KL AntiFunLove], but better safe than sorry.

Your log looks clean, Dazzer, and an alternative browser is the way to go right now.

Good work!

Regards,

snap