#1 - 12-04-2004, 09:51 PM - hockeyfrk5 (Beta Member, Join Date: Dec 2004, Posts: 3)
SLAMMED with spyware!

Hey guys

I just upgraded to a new hard drive and started over with a clean reformat about a week ago, and now I'm getting slammed with spyware. I am currently running Adaware 3 times a day, getting at least 150 hits each time, HijackThis, ZoneAlarm, Norton SystemWorks, and Adaware Ad-Watch, but they still seem to be getting through! I need something that hits hard and works the first time. Somehow the ads keep duplicating themselves. I tried the whole safe-mode thing, too, and still no luck. Can someone tell me how I can paste a list of processes, etc., so I can show you all the details of my computer, to see if you guys know what is going on? Thanks

-Tom
#2 - 12-04-2004, 10:26 PM - broknhabit (Daemon Poster, Join Date: Sep 2004, Posts: 1,222)
Re: SLAMMED with spyware!

use spybot as well:
http://www.download.com/Spybot-Searc...-10289035.html
#3 - 12-04-2004, 10:49 PM - skunx710 (In Runtime, Join Date: Nov 2004, Posts: 289)
Re: SLAMMED with spyware!

post a HijackThis log..
#4 - 12-05-2004, 08:02 AM - FuRgy (BSOD, Join Date: Aug 2004, Posts: 1,692)
Re: SLAMMED with spyware!

If it's that bad, and you haven't reformatted in a long time, just reformat!

Also, use Mozilla Firefox instead of IE.
#5 - 12-05-2004, 09:46 AM - NVIDIAGAMER (Baseband Member, Join Date: Dec 2004, Posts: 69)
Re: SLAMMED with spyware!

Spyware...EEK! Well, the best I can say is look for programs that could introduce spyware into your compy, like "KaZaa" and "My Search Toolbar".
#6 - 12-05-2004, 10:01 AM - Morpheus (Daemon Poster, Join Date: Nov 2004, Posts: 1,073)
Re: SLAMMED with spyware!

try using Regcleaner for your registry
#7 - 12-05-2004, 10:09 AM - FuRgy (BSOD, Join Date: Aug 2004, Posts: 1,692)
Re: SLAMMED with spyware!

Quote:
Originally Posted by FuRgy
If it's that bad, And you haven't reformatted in a long time, Just reformat!

Oh sorry ignore that :8
#8 - 12-05-2004, 01:02 PM - hockeyfrk5 (Beta Member, Join Date: Dec 2004, Posts: 3)

Thanks for all the great ideas! Here is my Adaware logfile


Ad-Aware SE Build 1.05
Logfile Created on:Sunday, December 05, 2004 10:18:42 AM
Using definitions file:SE1R21 03.12.2004


References detected during the scan:

BargainBuddy(TAC index:8):8 total references
MRU List(TAC index:0):32 total references
Redirected hostfile entry(TAC index:4):4 total references
SecondThought(TAC index:4):1 total references
VX2(TAC index:10):2 total references


Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file


12-5-2004 10:18:42 AM - Scan started. (Full System Scan)

Memory scan result:

New critical objects: 0
Objects found so far: 32


Started registry scan


Registry Scan result:

New critical objects: 0
Objects found so far: 32


Started deep registry scan


Deep registry scan result:

New critical objects: 0
Objects found so far: 32


Started Tracking Cookie scan



Tracking cookie scan result:

New critical objects: 0
Objects found so far: 32



Deep scanning and examining files (C


BargainBuddy Object Recognized!
Type : File
Data : A0006392.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0004
ProductVersion : 1.00.0004
ProductName : CashBack Program
CompanyName : eXact Advertising
InternalName : cb
LegalCopyright : Copyright 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : cb.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006393.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0005
ProductVersion : 1.00.0005
ProductName : CashBack Flash Notification Module
CompanyName : eXact Advertising
InternalName : flash
LegalCopyright : Copyright 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : flash.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006394.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : adv
CompanyName : eXact Advertising
InternalName : adv
LegalCopyright : Copyright 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : adv.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006395.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : adx
CompanyName : eXact Advertising
InternalName : adx
LegalCopyright : Copyright 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : adx.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006396.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0004
ProductVersion : 1.00.0004
ProductName : CashBack Program
CompanyName : eXact Advertising
InternalName : cb
LegalCopyright : Copyright 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : cb.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006397.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0005
ProductVersion : 1.00.0005
ProductName : CashBack Flash Notification Module
CompanyName : eXact Advertising
InternalName : flash
LegalCopyright : Copyright 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : flash.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006398.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0004
ProductVersion : 1.00.0004
ProductName : CashBack Program
CompanyName : eXact Advertising
InternalName : cb
LegalCopyright : Copyright 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : cb.exe


BargainBuddy Object Recognized!
Type : File
Data : A0006399.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 1.00.0005
ProductVersion : 1.00.0005
ProductName : CashBack Flash Notification Module
CompanyName : eXact Advertising
InternalName : flash
LegalCopyright : Copyright 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : flash.exe


SecondThought Object Recognized!
Type : File
Data : A0006400.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\



VX2 Object Recognized!
Type : File
Data : A0006401.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CD25FFA0-8175-4E91-A1EB-4839BC00B092}\RP36\
FileVersion : 0, 4, 4, 67
ProductVersion : 0, 4, 4, 67
ProductName : LocalNRD
CompanyName : LocalNRD
FileDescription : www.localnrd.com
InternalName : LocalNRD
LegalCopyright : Copyright 2004
OriginalFilename : LocalNRD.dll
Comments : www.localnrd.com


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:auto.search.msn.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
Warning!
Bad Hosts file entry:69.20.16.183:search.netscape.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:search.netscape.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch

Hosts file scan result:

16 entries scanned.
New critical objects:4
Objects found so far: 46




Performing conditional scans...


VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}






Thanks, guys. I'll also post my HJT logfile.
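The Ad-Aware log above flags four hosts-file lines that point search hostnames at 69.20.16.183 instead of the local machine. As an added example (not from the thread or from Ad-Aware), here is a small Python checker that parses Windows hosts-file syntax (comments, tabs, several names on one line) and reports only entries that send a name off-box; the sample hosts text is constructed from the lines reported in the log plus a couple of normal entries.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file: the four redirect lines the
# Ad-Aware log reports, mixed with entries that are normal and must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
69.20.16.183 ieautosearch
69.20.16.183 auto.search.msn.com
69.20.16.183\tsearch.netscape.com   # tab-separated, trailing comment
69.20.16.183 ieautosearch
0.0.0.0 ads.example.invalid   # constructed: a typical ad-blocking entry
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; handles comments, tabs and several names per line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for host in fields[1:]:
            yield fields[0], host.lower()


def find_hijacks(text):
    """Return {hostname: ip} for entries that resolve a name to something other
    than the local machine. Loopback and 0.0.0.0 entries are the normal blackhole
    pattern and are ignored; duplicate lines (ieautosearch appears twice in the
    log) are reported once."""
    hijacks, seen = {}, set()
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field, not a routable redirect
        if addr.is_loopback or addr.is_unspecified:
            continue
        if (ip, host) in seen:
            continue
        seen.add((ip, host))
        hijacks[host] = ip
    return hijacks


if __name__ == "__main__":
    for host, ip in sorted(find_hijacks(SAMPLE_HOSTS).items()):
        print(f"redirected off-box: {host} -> {ip}")
```

On a live machine, read C:\WINDOWS\system32\drivers\etc\hosts (the path the log names) into the text argument instead of the constructed sample.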
#9 - 12-05-2004, 01:02 PM - hockeyfrk5 (Beta Member, Join Date: Dec 2004, Posts: 3)
HJT Logfile

Here is my HJT logfile...

Logfile of HijackThis v1.97.7
Scan saved at 11:03:13 AM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Juno\bin\juno.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Documents and Settings\Tom K\Desktop\Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hockeyfrk5.tripod.com/Shortcuts2.html
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\TOMK~1\LOCALS~1\Temp\ICD9.tmp\svcmm32 .exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
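The HijackThis log above carries the three kinds of entry the next reply singles out: O1 hosts redirects, an O4 autorun launched from a Temp directory, and repeated O10 "Unknown file in Winsock LSP" lines. As an added example (not from the thread or from HijackThis), this Python triage script parses HJT log lines by section code and returns the entries worth a second look, counting how many times each unrecognised LSP DLL is listed; the sample log is a constructed excerpt of the lines posted above.

```python
import re

# Constructed excerpt of the HijackThis log posted in the thread (same lines, shortened).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hockeyfrk5.tripod.com/Shortcuts2.html
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\TOMK~1\LOCALS~1\Temp\ICD9.tmp\svcmm32 .exe" /startup
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# An autorun that lives under a \Temp\ or \tmp\ directory is not how installed software behaves.
TEMP_DIRS = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def triage(log_text):
    """Return a list of (severity, reason, detail) for entries that deserve review."""
    findings, lsp_files = [], {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O1":  # body looks like "Hosts: <ip> <hostname>"
            ip = body.split()[1]
            if not ip.startswith(("127.", "0.0.0.0", "::1")):
                findings.append(("high", "hosts entry redirects a hostname off-box", line))
        elif code == "O4" and TEMP_DIRS.search(body):
            findings.append(("high", "autorun entry launches from a Temp directory", line))
        elif code == "R3" and "is missing" in body:
            findings.append(("low", "URLSearchHook missing, common after a search hijack", line))
        elif code == "O10":
            path = body.rsplit(": ", 1)[-1].lower()
            lsp_files[path] = lsp_files.get(path, 0) + 1
    for path, n in sorted(lsp_files.items()):
        findings.append(("medium", f"unrecognised Winsock LSP listed {n}x", path))
    return findings


if __name__ == "__main__":
    for severity, reason, detail in triage(SAMPLE_HJT):
        print(f"[{severity}] {reason}: {detail}")
```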
#10 - 12-06-2004, 12:14 AM - skunx710 (In Runtime, Join Date: Nov 2004, Posts: 289)
Re: SLAMMED with spyware!

try deleting these
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\TOMK~1\LOCALS~1\Temp\ICD9.tmp\svcmm32 .exe" /startup
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll


It looks like there could be an exploit in your Winsock as well. If HJT says it can't delete these, let me know.
Also, make sure Spybot and Adaware are updated, then boot into safe mode, do full scans with both, then run HJT to remove the entries specified above.