
Adware/Startpage.GX,Spyware/SurfSideKick


53 replies to this topic

#1 JOE-J

JOE-J

    Member

  • Members
  • 48 posts
  • Location:Rice Lake, Wi 12 years



Posted 05 June 2005 - 05:35 PM

I can not find these two items on the computer. Panda Virus Scan shows them, but no other spyware or adware scan shows that they are there. I tried to go thru the Registry manually, by instructions from Norton's site, and nothing showed on the SurfSideKick. Just finished running Ad-Aware, Spybot, XoftSpy, ScanSpyware, and none of them will pick it up.
As far as the Startpage.GX being in the registry, when I run a search of the registry, it doesn't show. I have run the Registry repair and nothing. All of this has been done with the System Restore off. Below is a HJT log, just done.
:unsure: Please :help:

Logfile of HijackThis v1.99.1
Scan saved at 5:32:02 PM, on 6/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\My Documents\jeffsoldman\Receive\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\windows\system32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://excite.com"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...tent/vc/bin/AvSniff.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.191.103.21...tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...red:/asinst.cab
O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://pa1.fnismls.c...stemChecker.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com...all/Crusher.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...vso/en-us/tools/mcfscan/2,0,0,4504/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#2 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 10 June 2005 - 04:14 PM

Hello JOE-J, welcome to the forum. Sorry about the delay in responding :( If you still need help, scan again with HijackThis, and "copy/paste" a new log file into this thread. Please turn off wordwrap. Your log is hard to read.

#3 JOE-J

JOE-J

    Member

  • Members
  • 48 posts
  • Location:Rice Lake, Wi 12 years



Posted 10 June 2005 - 06:39 PM

Somehow or somewhere I was able to get rid of the spyware, SurfSideKick. The last scan didn't show the Start page, but a cool websearch. Then I got rid of that and the Startpage.GX showed up again. The registry is turned off and I have installed the Spyblaster after the previous HJT. Other than that, it should be all the same.
Logfile of HijackThis v1.99.1
Scan saved at 6:31:21 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\My Documents\jeffsoldman\Receive\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\windows\system32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://excite.com"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.191.103.21...tsweb/msrdp.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...red:/asinst.cab
O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://pa1.fnismls.c...stemChecker.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com...all/Crusher.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...504/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#4 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 10 June 2005 - 06:52 PM

I suggest you do this:

Turn System Restore back on. It's better to have an infected restore point than none at all. If your system would crash, you'd have to re-install from scratch.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.



1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.



Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)


Close ALL windows and browsers except HijackThis and click "Fix checked"



Open C:\Windows\Prefetch\ Delete ALL files in this folder.




Download and run.
http://downloads.ste...p/CleanUp40.exe

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.
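The fix list in the post above boils down to three kinds of HijackThis entries: R0/R1 Internet Explorer start or search pages reset to about:blank, the R3 "Default URLSearchHook is missing" line, and an O2 BHO whose DLL is gone ("(no file)"). The following Python is an added example, not part of this thread or of HijackThis; it parses log lines in the format shown in the thread and flags only those three indicators. The sample log is constructed for the example, and the rules are deliberately narrow: a legitimate entry such as the MSN search page in the list above cannot be judged from the line alone, so it is left for a human.

```python
import re

# Constructed sample in the shape of the HijackThis logs posted in this thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://ie.search.msn
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
"""

# Every HJT entry line starts with a section code (R0, O2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for entry lines; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return [(section, reason, original_line)] for the three indicators
    the helper in this thread told the poster to fix."""
    findings = []
    for section, body in parse_hjt(text):
        reason = None
        if section in ("R0", "R1") and body.rstrip().endswith("about:blank"):
            reason = "IE start/search page reset to about:blank"
        elif section == "R3" and "URLSearchHook is missing" in body:
            reason = "default URLSearchHook missing"
        elif section == "O2" and body.rstrip().endswith("(no file)"):
            reason = "BHO registered but its DLL is gone"
        if reason:
            findings.append((section, reason, f"{section} - {body}"))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it as a script to see the three flagged lines; feed it a real saved log by reading the file into `triage()`. Anything it prints is a candidate to check, not a verdict, which matches how the helper worked through the log by hand.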

#5 crookedwilly

crookedwilly

    Member

  • Banned
  • 192 posts

Posted 10 June 2005 - 07:16 PM

If I could make a few suggestions:
1: Download and run WinPatrol
2: Download and use Firefox
3: Download and run SpywareBlaster
4: Might be overkill, but download and run Microsoft AntiSpy and use realtime protection.
5: Remove cookies every day.
6: Don't open downloads. Save them to your desktop and scan them before installing.
Just some simple precautions that should make your computer much more safe and clean.

#6 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 10 June 2005 - 07:23 PM

crookedwilly, the clean speech post comes after the PC is clean. Also not everyone likes FireFox, but thanks for your suggestions ;)

#7 crookedwilly

crookedwilly

    Member

  • Banned
  • 192 posts

Posted 10 June 2005 - 07:29 PM

You're right. I should have said to follow LDTate's instructions and clean up the mess first. My advice is for keeping things clean once they are clean. Maybe everyone doesn't like firefox, but it is much more secure. ;)

#8 JOE-J

JOE-J

    Member

  • Members
  • 48 posts
  • Location:Rice Lake, Wi 12 years



Posted 10 June 2005 - 07:49 PM

I have done everything that you suggested, except Download and run.
http://downloads.ste...p/CleanUp40.exe I could not get to the page with your link. "The page you are looking for has not yet been created or has a different URL. Please check the URL and try again."

I ran the Panda Virus Scan and it showed that it was still there. Here is the log. Also I believe what the other gentleman said and if he had looked he would have seen that I do have the Spyblaster on. And I do not like Firefox. For overkill, I have XoftSpy, S&D, Ad-Aware (latest), ScanSpyware, and three different registry corrections. Unless I have some setting wrong in them I shouldn't have gotten this. And yes I do download to the desktop and scan before opening. Then I save for further if I have to reinstall.
The computer works fine, but it is just the annoyance of seeing that I have spyware on this one. The other two no problems, and I run the same programs, but this is the main one I use and research on.

Logfile of HijackThis v1.99.1
Scan saved at 7:30:14 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\My Documents\jeffsoldman\Receive\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\windows\system32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://excite.com"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.191.103.21...tsweb/msrdp.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...red:/asinst.cab
O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://pa1.fnismls.c...stemChecker.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com...all/Crusher.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...504/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#9 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 10 June 2005 - 07:53 PM

I ran the Panda Virus Scan and it showed that it was still there

Where does it say it's located?

#10 crookedwilly

crookedwilly

    Member

  • Banned
  • 192 posts

Posted 10 June 2005 - 08:00 PM

Joe, sorry for not seeing that you already use spywareblaster.

Post deleted......please do not interfere again.

Forum Members are requested to not post a 'fix' for a HJT log unless you've been educated in the matter, and people seeking help are advised to wait until a Forum Staff Member or a Member of the Trusted HJT Advisor Group has reviewed and approved any advice given here before proceeding any further


Edited by Jacee, 10 June 2005 - 09:02 PM.


#11 JOE-J

JOE-J

    Member

  • Members
  • 48 posts
  • Location:Rice Lake, Wi 12 years



Posted 10 June 2005 - 08:01 PM

In the registry, and when I went looking to see what it might be, it said that it was a compressed file.

Startpage.GX
Threat Level:
Damage:
Distribution:
Common name: Startpage.GX
Technical name: Adware/Startpage.GX
Threat level: Low
Alias: Trj/Startpage.GX, winsearchie32, Yun, up-search
Type: Spyware
Subtype: Adware
Effects: It collects information on Internet usage and the applications installed in the computer and uses it to display pop-up advertisements.
Affected platforms: Windows XP/2000/NT
First detected on: July 9, 2004
Detection updated on: May 12, 2005
In circulation? No

Brief Description
Startpage.GX is adware. Adware is a license form for using programs, which offers the application at the only cost of viewing a series of advertisements. However, these programs sometimes collect data on Internet usage habits, pages viewed, inventory of the applications installed in the computer, etc. Then, this information can be sent to Internet advertising companies.

#12 JOE-J

JOE-J

    Member

  • Members
  • 48 posts
  • Location:Rice Lake, Wi 12 years



Posted 10 June 2005 - 08:03 PM

A little more about it.

Effects
Startpage.GX carries out the following actions: It collects user details, such as Internet usage, pages viewed, phone connection details, inventory of the applications installed in the computer, etc. It uses this information to display pop-up advertisements.

Means of transmission
Startpage.GX does not use any specific means to spread. It can reach computers through any of the means normally used by viruses: CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.

Further Details
Other interesting characteristics of Startpage.GX are: The file that carries out the infection is 6240 bytes. It is compressed with Upx.

#13 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 10 June 2005 - 08:23 PM

I need you to please do the following:

Download FindQoologic-Narrator.zip save it to your Desktop.
http://forums.net-in...=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder. Preferable to your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
wait until a text opens, post it in a reply to your thread

#14 JOE-J

JOE-J

    Member

  • Members
  • 48 posts
  • Location:Rice Lake, Wi 12 years



Posted 10 June 2005 - 08:49 PM

Nothing will open as the file is being used by another operation. It had something to do with MS-DOS. The text file reads as below.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. some examples are MRT.EXE NTDLL.DLL.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#15 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 10 June 2005 - 08:55 PM

Let's try to run it in Safe Mode. Make sure you're disconnected from the internet.

Restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.


Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Now try and run the Find-Qoologic.bat .

wait until a text opens, post it in a reply to your thread

#16 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 10 June 2005 - 09:14 PM

Note on XoftSpy: XoftSpy was listed on this page because of concerns with false positives (1, 2, 3, 4), questionable license terms, and the use of aggressive, deceptive advertising (1, 2), including exploitation of the name "spybot" by affiliates. Earlier versions of XoftSpy were also Ad-aware knockoffs. (There was a clone of XoftSpy named SpyBurn, but that application is no longer available.)
Over the past few months, XoftSpy has taken aggressive steps to rein in its affiliates (who were primarily responsible for the unsavory advertising), revised its license text, and released a new version of XoftSpy (version 4.0) that addresses our concerns with false positives. Given these changes we can no longer regard XoftSpy as "rogue/suspect" anti-spyware.

If you have version 4.0, you should be alright.


ScanSpyware  scanspyware.net aggressive advertising (1); false positives work as goad to purchase [A: 6-26-04 / U: 6-26-04]


I'd use Add/Remove Programs and remove: ScanSpyware


How are we coming with the scan?

#17 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 10 June 2005 - 09:39 PM

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

#18 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 10 June 2005 - 09:48 PM

Go ahead and download and run Ewido ;)

#19 JOE-J

JOE-J

    Member

  • Members
  • 48 posts
  • Location:Rice Lake, Wi 12 years



Posted 10 June 2005 - 10:39 PM

Ok this is what I got. A worm.

---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 10:21:49 PM, 6/10/2005
+ Report-Checksum: 53F022D0

0: System Process
4: System Process
208: \SystemRoot\System32\smss.exe
260: \??\C:\WINDOWS\system32\csrss.exe
284: \??\C:\WINDOWS\System32\winlogon.exe
328: C:\WINDOWS\system32\services.exe
340: C:\WINDOWS\system32\lsass.exe
492: C:\WINDOWS\system32\svchost.exe
552: C:\WINDOWS\system32\svchost.exe
628: C:\WINDOWS\system32\svchost.exe
808: C:\WINDOWS\Explorer.EXE
896: C:\Program Files\ewido\security suite\SecuritySuite.exe
1168: C:\WINDOWS\system32\mspaint.exe

When I try to copy and paste off the desktop it comes up errors. and way the worm is: MINDA The image “file:///C:/Documents%20and%20Settings/JOE/Desktop/untitled.JPG” cannot be displayed, because it contains errors.

#20 LDTate

LDTate

    Member

  • Trusted Malware Techs
  • 294 posts

Posted 11 June 2005 - 06:51 AM

It takes time, but I went thru the scans, and I will try to post the results. The image “file:///D:/My%20Documents/My%20Received%20Files/untitled.JPG” cannot be displayed, because it contains errors. There are no errors in the scan. Just while or when I try to copy them. (images or reports) This happens with everything that I try to send. It makes no difference where I try to save them.

When the scans are finished and you save the log it should be just a text file not a picture jpg.



