Spyware

[Walliver 0]

Hello,

 

I'm having annoying problems with my computer at the moment. I've got some sort of spyware/adware programme and I have no idea how to get rid of it. I noticed I was getting lots of pop ups that I don't normally and got rid of most of the problems using Spybot. There was one on there that it couldn't fix and after lots of messing around I finally got rid of the final one. However, even with Spybot telling me my computer is fine, I'm still getting loads of annoying pop ups. I've checked through my Windows Task Manager processes and applications and have found nothing there that shouldn't be there. I'm currently re-running Ewido because he keeps finding loads of problems without really fixing them, which it says it does.

 

I know it's not just Web sites with annoying ads because even when I don't have a browser open, I get them. I doesn't matter if I'm using Firefox or IE.

 

As well as Spybot and Ewido, I've run CCleaner, deleted my cookies, cleared my history and upgraded to the latest Firefox but I'm still getting them.

 

I'm still searching for anything I can think of but does anyone on here have an idea what might be wrong ? It's doing my head in.

[Lazarus 0]

firsty - run a FULL system virus check. that means all your hard drives and every single file.

 

secondly - download and run hijack this

 

thirdy - are the popups directing you to a particular site?

 

fourthy - backup your data.

Edited May 13, 2006 by Lazarus

[Walliver 0]

The pop ups seem to be a mixture of Jamster, a weather icon for my toolbar and one other that I can't remember right now (I'll update you in a few minutes when it comes back) and then a few random ones every now and then.

 

I've seen quite a few Hijack This logs posted on other forums and didn't have a clue what was happening with them. Will it become obvious when I look at it on my computer ?

[Lazarus 0]

I've seen quite a few Hijack This logs posted on other forums and didn't have a clue what was happening with them.  Will it become obvious when I look at it on my computer ?

135731[/snapback]

 

not always.

[Radgina 1]

The pop ups seem to be a mixture of Jamster, a weather icon for my toolbar and one other that I can't remember right now (I'll update you in a few minutes when it comes back) and then a few random ones every now and then.

 

I've seen quite a few Hijack This logs posted on other forums and didn't have a clue what was happening with them.  Will it become obvious when I look at it on my computer ?

135731[/snapback]

 

I had this last week...did a full system check with AVG ...deleted a few "unused" programs and did a back up then it disappeared...don't even know where it came from ..

[Walliver 0]

Okay, here's what HijackThis said, I'm just reading through it as I type this message.

 

Logfile of HijackThis v1.99.1

Scan saved at 21:25:30, on 13/05/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\NetLimiter\NetLimiter.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\OPLIMIT\ocrawr32.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Borland\InterBase\bin\ibguard.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Borland\InterBase\bin\ibserver.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\securitysuite.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX01.985\HijackThis.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

 

I think I've checked all these using Google. They're mainly Windwos, Norton and Symantec. AOL, iTunes, Borland, Netlimiter, SpySweeper, Ewido etc. are all supposed to be there. Or at least I can explain why they're there.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.popjustice.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.popjustice.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

 

This seems to be my settings for IE, which all seems fine. That's the home page I chose, there's no search abr or tool bar.

 

F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe

O1 - Hosts: om

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

 

These seem fine, except perhaps O1, which I don't really understand.

 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

 

These I'm not sure about, I'll check up on them.

 

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"  /startintray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

 

Again, I think these are all fine.

 

O15 - Trusted Zone: www.archiviosex.net

O15 - Trusted Zone: www.redfunny.com

O15 - Trusted Zone: www.skymasters.biz

 

I have no idea about these. I promise I've never [knowingly] been to archiviosex.net. Hijack says these sites are trusted to donwload scripts, which I'm not too happy about that.

 

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147255636015

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\j24o0ch3ef4.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 

And these all seem to be all right. So really it's just that bit in the middle that's causing me these problems ?

[Lazarus 0]

at first glance yes - its those sites in the 'trusted zone' of ie

 

delete them, reboot, go back online and check for popups.

 

 

btw - have you considered switching browser?

[Walliver 0]

I'm not sure what you mean. The bottom of my screen informs me that you're using Firefox too. The only time I ever use IE is when I click on the MSN 'check my new e-mail button' or when Firefox is playing up. What do you suggest I use ?

 

Will these trusted IE sites be autmoatically trusted for other browers too or doesn't it work like that ?

[Lazarus 0]

I'm not sure what you mean.  The bottom of my screen informs me that you're using Firefox too.  The only time I ever use IE is when I click on the MSN 'check my new e-mail button' or when Firefox is playing up.  What do you suggest I use ?

 

Will these trusted IE sites be autmoatically trusted for other browers too or doesn't it work like that ?

135746[/snapback]

 

they shouldnt be - but them i'm by no means an expert.

 

this entry here

C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX01.985\HijackThis.exe

 

 

 

does it give you the full directory path?

[Lazarus 0]

Why havnt you upgraded to service pack 2?

[Walliver 0]

I'm not sure what you mean.  The bottom of my screen informs me that you're using Firefox too.  The only time I ever use IE is when I click on the MSN 'check my new e-mail button' or when Firefox is playing up.  What do you suggest I use ?

 

Will these trusted IE sites be autmoatically trusted for other browers too or doesn't it work like that ?

135746[/snapback]

 

they shouldnt be - but them i'm by no means an expert.

 

this entry here

C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX01.985\HijackThis.exe

 

 

 

does it give you the full directory path?

135752[/snapback]

 

It's C:\Documents and Settings\Owner\Local Settings\Temp\Rar$EX01.985\HijackThis.exe

 

Why do you ask ? That's the programme you told me to download that gave me all this info. It's just that I ran it straight out of the winrar file rather than extracting it first that has put it in a funny place.

[Walliver 0]

Why havnt you upgraded to service pack 2?

135754[/snapback]

 

I don't understand - service pack 2 for what ?

[Lazarus 0]

yep thats ok.

 

did you delete those items and reboot ?

[Lazarus 0]

Why havnt you upgraded to service pack 2?

135754[/snapback]

 

I don't understand - service pack 2 for what ?

135756[/snapback]

 

windows xp

[Walliver 0]

I'm not really sure. I used to do the autmatic downloads when it told me I should but recently it hasn't been suggesting anything. I went on the Web site the other day and tried to get it to happen again and hopefully I should be told how to run my computer again.

 

I'm just waiting for Spy Sweeper to finish running before I reboot. Whilst it's been running it tells me that it's been repeatedly blocking access to www.ad-w-a-r-e.com and www.a-d-w-a-r-e.com and I've been having no pop ups during this time - coincidence ?

 

Cheers for all your help. Hopefully all will be fine soon.

[Mags 1]

Trying out CounterSpy right now-it found stuff that AVG, Nortons and my server's spyware blocker missed. Free trial for 15 days.... T minus one and counting on whether I purchase it.

[Kid Dynamite 7367]

spyware doctor is by far the best spyware remover. get it off most peer2peer programmes with a serial number.

 

I always scan with adaware and spybot first and then spyware doctor and it always picks up a few the other 2 didnt.

 

btw, is anyone else having trouble with hotmail today?