Windows File Protection Spyware

Discussion in 'adware, spyware & hijack cleaning' started by edtiley, Jul 12, 2004.

Thread Status:
Not open for further replies.
    edtiley (Registered Member; joined Jul 12, 2004; posts: 1)
    Folks,

    I have seen this thread before here, but not yet seen it fully solved.

    A couple of weeks ago I went to a web site that was hosted on Tripod/Angelfire. The second the page opened up my search page in IE opened too, and search stuff got hijacked.

    The symptoms of whatever installed itself are:

    Periodically I get a window that has a title bar that reads Windows File Protection. The text of the message is always the same: "Windows File protection has detected that your computer has been infected with spyware." The list of "detected" spyware varies; often it mentions WurldMedia, Gator, etc.

    Randomly while browsing I'll be redirected to easysearch.cc or Casino Palazzo or (unfortunately while trying to show a client something) porn sites.

    Probably during removal attempts, I've managed to make Paint Shop Pro dysfunctional to the point where I can't use the type tool, despite uninstalling and reinstalling the program.

    Other than that the puter seems to be acting fine.

    I have run HijackThis which resulted in the following log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:03:26 PM, on 7/12/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINNT\system32\starter.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Trustix\Trustix Personal Firewall\TPFWall.exe
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINNT\system32\taskmgn.exe
    D:\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINNT\system32\winnet.dll
    O2 - BHO: (no name) - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Trustix\Trustix Personal Firewall\PopUpKiller.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TPFWall] C:\Program Files\Trustix\Trustix Personal Firewall\TPFWall.exe
    O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: NeoTrace It! (HKCU)
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
    O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cslsp.dll' missing
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs8.chat.sc5.yahoo.com/v43/yacscom.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.citylink.co.nz/webcam/AxisCamControl.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0EA2E9E5-691B-475F-9B32-60EB32674AFF}: NameServer = 205.231.144.10,205.231.144.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5169DAF-4269-4B7A-95ED-E1C9FDCD2F88}: NameServer = 205.231.144.10,205.231.144.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BACE1B5C-51E4-4D03-8A2A-0C55D8ED23AD}: NameServer = 205.231.144.10,205.231.144.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0EA2E9E5-691B-475F-9B32-60EB32674AFF}: NameServer = 205.231.144.10,205.231.144.20
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0EA2E9E5-691B-475F-9B32-60EB32674AFF}: NameServer = 205.231.144.10,205.231.144.20

    **********

    S&D and AdAware both miss whatever has been installed. Trustix misses it too.

    Any thoughts?
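Editor's note: triaging a HijackThis log like the one above by eye is slow, so here is a small worked example of the checks a responder applies to it. This is added example code, not HijackThis output and not anything from the poster; the sample lines are copied from the log above (with benign control entries such as the Trustix BHO and the Flash control), and the scoring rules and the ActiveX host allowlist are my own assumptions, not a verdict on any particular file.

```python
"""Triage helper for a HijackThis log: parse the 'Oxx' entries and list the
ones worth looking at first.  Added example; the heuristics and the
TRUSTED_DPF_HOSTS allowlist are assumptions for illustration."""
import re

# Constructed sample: lines copied from the log above plus benign control
# entries (Trustix BHO, TPFWall, Flash) so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINNT\system32\winnet.dll
O2 - BHO: (no name) - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Trustix\Trustix Personal Firewall\PopUpKiller.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TPFWall] C:\Program Files\Trustix\Trustix Personal Firewall\TPFWall.exe
O10 - Unknown file in Winsock LSP: c:\program files\trustix\trustix personal firewall\netdog.dll
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cslsp.dll' missing
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EA2E9E5-691B-475F-9B32-60EB32674AFF}: NameServer = 205.231.144.10,205.231.144.20
"""

# Assumption: download hosts you have already vetted for ActiveX (O16) controls.
TRUSTED_DPF_HOSTS = {"www.apple.com", "download.macromedia.com"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_entries(text):
    """Return [(section, body)] for every 'Oxx - ...' line; the header and the
    running-process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _program(cmd):
    """First token of a Run command, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def _host(url):
    m = re.match(r"https?://([^/\s]+)", url)
    return m.group(1).lower() if m else ""


def triage(text):
    """Apply the heuristics and return findings as {section, reason, detail};
    anything not flagged is left for manual review, not declared clean."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O2" and body.startswith("BHO: (no name)"):
            path = body.rsplit(" - ", 1)[-1]
            # Unnamed BHOs are common; one living outside Program Files, in the
            # system directory, is the one to check first.
            if "\\program files\\" not in path.lower():
                findings.append({"section": section,
                                 "reason": "unnamed BHO loaded from a system directory",
                                 "detail": path})
        elif section == "O4":
            m = re.search(r"Run: \[[^\]]+\] (.+)$", body)
            if m:
                prog = _program(m.group(1))
                # No drive letter or backslash: the name is resolved through the
                # search path, so a planted copy found earlier wins. System
                # binaries (rundll32.exe, mobsync.exe) land here too; this is a
                # review list, not a verdict.
                if not re.search(r"[\\:]", prog):
                    findings.append({"section": section,
                                     "reason": "Run entry by bare filename",
                                     "detail": prog})
        elif section == "O10" and body.startswith("Broken Internet access"):
            m = re.search(r"'([^']+)' missing", body)
            findings.append({"section": section,
                             "reason": "Winsock LSP chain references a missing DLL; "
                                       "repair the chain with an LSP tool rather than editing by hand",
                             "detail": m.group(1) if m else body})
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if _host(url) not in TRUSTED_DPF_HOSTS:
                findings.append({"section": section,
                                 "reason": "ActiveX control from a host not on the allowlist",
                                 "detail": url})
        elif section == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                findings.append({"section": section,
                                 "reason": "confirm these DNS servers belong to your ISP",
                                 "detail": m.group(1).strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']}: {f['detail']}")
```

Run against the sample it prints five lines: the unnamed BHO in system32, the bare `starter.exe` Run entry, the missing LSP DLL, the one ActiveX host outside the allowlist, and the DNS servers to confirm. The point of the O10 rule is that a broken LSP chain is exactly the kind of entry you do not "fix" by deleting the registry keys; the same goes for the O4 rule, which exists to surface entries for a look, not to condemn them.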
     