spyware infection -any ideas please?

Discussion in 'adware, spyware & hijack cleaning' started by edgy_reggie, May 21, 2004.

Thread Status:
Not open for further replies.
  1. edgy_reggie

    edgy_reggie Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Since my google searches began to be 'interfered with' by the likes of Defender.veloz, I followed advice elsewhere in this forum to download CWS & Hijackthis. After deleting all of the obvious problems, the google problem remains. I will post the results of my latest hijackthis scan, in the hope that one of you IT angels can suggest a solution.
    Thanks in advance for any advice.
     

  2. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
  3. edgy_reggie

    edgy_reggie Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Thanks for looking, Nick. I will paste the log below. Additional info, I am using an old IBM Aptiva, Win98, with Zone Alarm and Spybot, but no anti-virus (I use Housecall once a week). I am unable to create back-ups, as my floppy is disabled, and I have no CD rewriter. Please consider me a computer dunce, and give any advice in basic terms! I have suspicions that items in the registry have been changed (scanregw.exe/autorun), and have previously been infected with Coolwebsearch.

    Logfile of HijackThis v1.97.7
    Scan saved at 03:02:10, on 22/05/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btopenworld.com/togetherinternet
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\CCHELPER.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PRO\POPUPPRO.DLL
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\POPUPUS.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background
    O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
    O4 - User Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38106.3790277778
     
  4. edgy_reggie

    edgy_reggie Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Although CWS tells me my computer is clear of CoolWebSearch, I'm very suspicious of the control.exe file revealed in the CWS scan below. I would welcome any input, as this 'google hijack' thing is driving me crazy. Thanks.

    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows 98 (4.10.1998)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Application Data
    Username: christian gould

    Found Hosts file: C:\WINDOWS\hosts (132 bytes, R)
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (10217 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2279 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -
     
  5. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Check the boxes next to all these, close all other windows, then click Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank


    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll


    After that, Reboot.

    You really need an antivirus running resident; some viruses won't give you a chance to do an online scan before wrecking your system.

    http://www.grisoft.com/us/us_dwnl_free.php

    AVG is free, with no nags in your email.
     
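An added example, not code from the thread or from HijackThis: a small Python pass over log lines in the format posted above that applies the same triage Nick gave (R1 search settings pointing at about:blank, and unnamed O2 BHOs loading from the Windows directory rather than Program Files). The sample lines are copied from the posted log; the rule names and the "unnamed plus Windows-directory" heuristic are my assumptions, not HijackThis's own logic.

```python
# Added example: triage of HijackThis R1/O2 lines as Nick did in the thread.
# Heuristics below are assumptions for illustration, not HijackThis rules.
import re
from typing import Dict, List

# Constructed sample: a subset of the log lines posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\CCHELPER.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# R0/R1: "<section> - <registry key>,<value name> = <value>"
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^=]+?) = (?P<value>.*)$")
# O2: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$", re.I
)

def triage(log: str) -> List[Dict[str, str]]:
    """Return the lines a reviewer would tick for 'Fix Checked', each with a reason."""
    flagged = []
    for line in log.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m and m.group("value").lower() == "about:blank":
            # Search Bar / SearchURL / Start Page_bak set to about:blank is the
            # CoolWebSearch about:blank hijack pattern the thread is dealing with.
            flagged.append({"line": line, "reason": "search setting hijacked to about:blank"})
            continue
        m = O2_LINE.match(line)
        if m and m.group("name") == "(no name)":
            path = m.group("path").upper()
            # Unnamed BHOs are common (Adobe's ACROIEHELPER.OCX is one), so only
            # flag those whose DLL sits under C:\WINDOWS instead of Program Files.
            if path.startswith("C:\\WINDOWS\\"):
                flagged.append({"line": line, "reason": "unnamed BHO in Windows dir"})
    return flagged
```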
  6. edgy_reggie

    edgy_reggie Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    That seems to have done the trick, Nick. Thank you very much for your help. I take your point about the anti-virus; I bought NORTON ANTIVIRUS 2004, but have read some horror stories from users who claim that it totally crippled their computers to the point of requiring a reformat, and as a result, I've been reluctant to install.
    I'll look into AVG. Again, thank you very much for your advice; you're a star!
     
  7. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Thanks for the praise. I would install one of the antivirus programs for sure. Just don't have more than one running resident (running in the background) or there could be problems.

    That's just one area of security. For spyware and adware, consider these items:

    Protection - download and install:

    SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

    IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

    Both are very small free programs that you run once, and then just occasionally run to check for updates.

    And also see
    So how did I get infected in the first place?
     