SLAMMED with spyware!

hockeyfrk5

Hey guys


I just upgraded to a new hard drive and started over with a clean reformat about a week ago, and now I'm getting slammed with spyware. I am currently running Ad-Aware 3 times a day, getting at least 150 hits each time, HijackThis, ZoneAlarm, Norton SystemWorks, and Ad-Aware Ad-Watch, but they still seem to be getting through! I need something that hits hard and works the first time. Somehow the ads keep duplicating themselves. I tried the whole safe-mode thing, too, and still no luck. Can someone tell me how I can paste a list of processes, etc., so I can show you all the details of my computer, to see if you guys know what is going on? Thanks

-Tom
 
If it's that bad, and you haven't reformatted in a long time, just reformat!

Also, use Mozilla Firefox instead of IE.
 
Spyware...EEK! Well, the best I can say is look for programs that could introduce spyware into your compy, like "KaZaa" and "My Search Toolbar".
 
Thanks for all the great ideas! Here is my Ad-Aware logfile:


Ad-Aware SE Build 1.05
Logfile Created on:Sunday, December 05, 2004 10:18:42 AM
Using definitions file:SE1R21 03.12.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
BargainBuddy(TAC index:8):8 total references
MRU List(TAC index:0):32 total references
Redirected hostfile entry(TAC index:4):4 total references
SecondThought(TAC index:4):1 total references
VX2(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file


12-5-2004 10:18:42 AM - Scan started. (Full System Scan)

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 32


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 32


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 32


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 32



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BargainBuddy Object Recognized!
Type : File
Data : A0006392.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0004
ProductVersion : 1.00.0004
ProductName : CashBack Program
CompanyName : eXact Advertising
InternalName : cb
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : cb.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006393.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0005
ProductVersion : 1.00.0005
ProductName : CashBack Flash Notification Module
CompanyName : eXact Advertising
InternalName : flash
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : flash.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006394.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : adv
CompanyName : eXact Advertising
InternalName : adv
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : adv.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006395.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : adx
CompanyName : eXact Advertising
InternalName : adx
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : adx.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006396.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0004
ProductVersion : 1.00.0004
ProductName : CashBack Program
CompanyName : eXact Advertising
InternalName : cb
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : cb.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006397.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0005
ProductVersion : 1.00.0005
ProductName : CashBack Flash Notification Module
CompanyName : eXact Advertising
InternalName : flash
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : flash.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006398.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0004
ProductVersion : 1.00.0004
ProductName : CashBack Program
CompanyName : eXact Advertising
InternalName : cb
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : cb.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006399.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0005
ProductVersion : 1.00.0005
ProductName : CashBack Flash Notification Module
CompanyName : eXact Advertising
InternalName : flash
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : flash.exe


SecondThought Object Recognized!
Type : File
Data : A0006400.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\



VX2 Object Recognized!
Type : File
Data : A0006401.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 0, 4, 4, 67
ProductVersion : 0, 4, 4, 67
ProductName : LocalNRD
CompanyName : LocalNRD
FileDescription : www.localnrd.com
InternalName : LocalNRD
LegalCopyright : Copyright © 2004
OriginalFilename : LocalNRD.dll
Comments : www.localnrd.com


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:auto.search.msn.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
Warning!
Bad Hosts file entry:69.20.16.183:search.netscape.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:search.netscape.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
16 entries scanned.
New critical objects:4
Objects found so far: 46




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}
Thanks, guys. I'll also post my HJT logfile.
 
HJT Logfile

Here is my HJT logfile...

Logfile of HijackThis v1.97.7
Scan saved at 11:03:13 AM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Juno\bin\juno.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Documents and Settings\Tom K\Desktop\Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hockeyfrk5.tripod.com/Shortcuts2.html
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\TOMK~1\LOCALS~1\Temp\ICD9.tmp\svcmm32.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Try deleting these:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\TOMK~1\LOCALS~1\Temp\ICD9.tmp\svcmm32.exe" /startup
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll


It looks like there could be an exploit in your Winsock as well. If HJT says it can't delete these, let me know.
Also, make sure Spybot and Ad-Aware are updated, then boot into Safe Mode, do full scans with both, then run HJT to remove the entries specified above.
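A small triage script, added here as an example (not a tool from the thread), that applies the check the last reply makes by eye: it reads HijackThis O1 and O10 lines, flags hosts entries that redirect the search domains seen in the log to a routable address rather than the 127.0.0.1 blocking convention, and collapses the repeated LSP lines to the two distinct DLLs. The sample log embeds the lines from Tom's post plus one constructed loopback entry.

```python
import ipaddress
import re
from collections import Counter

# Search/redirect hostnames taken from the O1 lines in the HJT log above.
SEARCH_HOSTS = {"ieautosearch", "auto.search.msn.com", "search.netscape.com"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s+(.+)$", re.I)

# Lines copied from the HJT log in the thread, plus one constructed
# 127.0.0.1 line showing that a blocking-style mapping is not flagged.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 auto.search.msn.com
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""


def is_blocking_address(addr: str) -> bool:
    """127.x / 0.0.0.0 mappings are the ad-blocking convention, not a redirect."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage_hjt(log: str) -> dict:
    """Collect search-domain redirects (O1) and distinct unknown LSP DLLs (O10)."""
    hijacks, lsp = {}, Counter()
    for line in log.splitlines():
        if m := O1_RE.match(line):
            addr, host = m.group(1), m.group(2).lower()
            if host in SEARCH_HOSTS and not is_blocking_address(addr):
                hijacks.setdefault(addr, set()).add(host)
        elif m := O10_RE.match(line):
            lsp[m.group(1).strip().lower()] += 1  # one DLL, many LSP chain slots
    return {"redirect_targets": {a: sorted(h) for a, h in hijacks.items()},
            "unknown_lsp_dlls": dict(lsp)}
```

Each O10 line is one slot in the Winsock provider chain, so eight lines here mean only two DLLs to look at, both of which sit in system32 with names that none of the listed legitimate products account for.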
 