JOE-J

Adware/Startpage.GX,Spyware/SurfSideKick


I can not find these two items on the computer. Panda Virus Scan shows them, but no other spyware or adware scan shows that they are there. I tried to go thru the Registry manually, by instructions from Norton's site, and nothing showed on the SurfSideKick. Just finished running Ad-Aware, Spybot, XoftSpy and ScanSpyware, and none of them will pick it up.

As far as the Startpage.GX being in the registry, when I run a search of the registry, it doesn't show. I have run the Registry repair and nothing. All of this has been done with System Restore off. Below is a HJT log, just done.

:unsure: Please :help:

 

Logfile of HijackThis v1.99.1

Scan saved at 5:32:02 PM, on 6/5/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\System32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

E:\My Documents\jeffsoldman\Receive\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\windows\system32\Userinit.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://excite.com"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.pandasoftware.com

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.191.103.218:6970/tsweb/msrdp.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://pa1.fnismls.com/Paragon/Codebase/SystemChecker.cab

O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4504/mcfscan.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Hello JOE-J, welcome to the forum.

 

Sorry about the delay in responding :(

 

If you still need help, scan again with HijackThis, and "copy/paste" a new log file into this thread.

 

 

Please turn off wordwrap. Your log is hard to read.


Somehow or somewhere I was able to get rid of the spyware, SurfSideKick. The last scan didn't show the Startpage, but a CoolWebSearch. Then I got rid of that and the Startpage.GX showed up again. The registry is turned off and I have installed SpywareBlaster after the previous HJT. Other than that, it should be all the same.

Logfile of HijackThis v1.99.1

Scan saved at 6:31:21 PM, on 6/10/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\System32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

E:\My Documents\jeffsoldman\Receive\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\windows\system32\Userinit.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://excite.com"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.pandasoftware.com

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.191.103.218:6970/tsweb/msrdp.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) -

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://pa1.fnismls.com/Paragon/Codebase/SystemChecker.cab

O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...504/mcfscan.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


I suggest you do this:

 

Turn System Restore back on. It's better to have an infected restore point than none at all. If your system crashed, you'd have to re-install from scratch.

 

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Remove the Check Turn off System Restore.

Click Apply, and then click OK.

 

 

 

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

5) Restart your computer.

 

 

 

Run HijackThis. Hit None of the above, click Do a System Scan Only. Put a check in the box on the left side of these:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

 

Close ALL windows and browsers except HijackThis and click "Fix checked"

 

 

 

Open C:\Windows\Prefetch\ Delete ALL files in this folder.

 

 

 

 

Download and run.

http://downloads.stevengould.org/cleanup/CleanUp40.exe

 

Empty Recycle Bin

 

Reboot and "copy/paste" a new log file into this thread.

Also please describe how your computer behaves at the moment.

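The four entries LDTate picked out above for "Fix checked" follow a pattern a reviewer can apply mechanically. The Python below is an added example for this thread, not HijackThis code and not from anyone in the thread: it parses the entry lines of a v1.99 log and flags the same three kinds of entry (an R0/R1 start or search value that is about:blank or points at an unexpected host, a missing default URLSearchHook, and a BHO registered with no file on disk). The sample lines are a subset of the log posted above; the EXPECTED_IE_HOSTS allowlist is an assumption of the example.

```python
"""Triage of HijackThis v1.99 log entries (added example, not HJT code).

Parses the 'Rn - ...' / 'On - ...' lines and applies, as code, the checks
the helper applied by hand when choosing entries for "Fix checked".
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the second log posted in the thread,
# plus two benign entries so the checks have something to pass over.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:31:21 PM, on 6/10/2005

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

# Hosts accepted as legitimate IE start/search defaults. This allowlist is
# an assumption of the example; tune it to the defaults you expect to see.
EXPECTED_IE_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com"}

# Section code (R0, R1, R3, F2, N3, O2 ... O23) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    code: str   # section code, e.g. "R1", "O2", "O16"
    body: str   # text after "Rn - "
    raw: str    # the full line as HijackThis printed it


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_log(text: str) -> list[Entry]:
    """Return the entry lines of a log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("code"), m.group("body"), line))
    return entries


def _ie_value(body: str) -> str:
    """Value side of an R entry: 'Main,Search Page = http://x' -> 'http://x'."""
    _, sep, value = body.partition(" = ")
    return value.strip() if sep else ""


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the three checks from the thread and return what would be ticked."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1"):
            value = _ie_value(e.body)
            host = urlparse(value).hostname if value.startswith("http") else None
            if value == "about:blank" or host not in EXPECTED_IE_HOSTS:
                findings.append(Finding(e, "IE start/search value is not an expected default"))
        elif e.code == "R3" and "URLSearchHook is missing" in e.body:
            findings.append(Finding(e, "default URLSearchHook missing"))
        elif e.code == "O2" and e.body.endswith("(no file)"):
            clsid = CLSID_RE.search(e.body)
            clsid_text = clsid.group(0) if clsid else "(no CLSID)"
            findings.append(Finding(e, f"orphaned BHO registration {clsid_text}"))
    return findings


def lines_to_fix(text: str) -> list[str]:
    """The raw log lines a reviewer would tick for 'Fix checked'."""
    return [f.entry.raw for f in triage(parse_log(text))]


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.entry.code}] {f.reason}\n    {f.entry.raw}")
```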

If I could make a few suggestions:

 

1: Download and run winpatrol

 

2: Download and use Firefox

 

3: Download and run spywareblaster

 

4: Might be overkill, but download and run Microsoft AntiSpyware and use real-time protection.

 

5: Remove cookies every day.

 

6: Don't open downloads. Save them to your desktop and scan them before installing.

 

Just some simple precautions that should make your computer much more safe and clean.


crookedwilly, the clean speech post comes after the PC is clean.

Also not everyone likes FireFox, but thanks for your suggestions ;)


You're right. I should have said to follow LDTate's instructions and clean up the mess first. My advice is for keeping things clean once they are clean.

 

Maybe everyone doesn't like firefox, but it is much more secure. ;)


I have done everything that you suggested, except Download and run.

http://downloads.stevengould.org/cleanup/CleanUp40.exe I could not get to the page with your link. "The page you are looking for has not yet been created or has a different URL. Please check the URL and try again."

 

I ran the Panda Virus Scan and it showed that it was still there. Here is the log. Also, I believe what the other gentleman said, and if he had looked he would have seen that I do have SpywareBlaster on. And I do not like Firefox. For overkill, I have XoftSpy, S&D, Ad-Aware (latest), ScanSpyware, and three different registry corrections. Unless I have some setting wrong in them I shouldn't have gotten this. And yes, I do download to the desktop and scan before opening. Then I save for further use if I have to reinstall.

The computer works fine, but it is just the annoyance of seeing that I have spyware on this one. The other two have no problems, and I run the same programs, but this is the main one I use and research on.

 

Logfile of HijackThis v1.99.1

Scan saved at 7:30:14 PM, on 6/10/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\System32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

E:\My Documents\jeffsoldman\Receive\HijackThis.exe

 

F2 - REG:system.ini: UserInit=C:\windows\system32\Userinit.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://excite.com"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.pandasoftware.com

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.191.103.218:6970/tsweb/msrdp.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) -

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://pa1.fnismls.com/Paragon/Codebase/SystemChecker.cab

O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...504/mcfscan.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Joe, sorry for not seeing that you already use spywareblaster.

 

Post deleted......please do not interfere again.

 

Forum Members are requested to not post a 'fix' for a HJT log unless you've been educated in the matter, and people seeking help are advised to wait until a Forum Staff Member or a Member of the Trusted HJT Advisor Group has reviewed and approved any advice given here before proceeding any further.

 

Edited by Jacee


In the registry, and when I went looking to see what it might be, it said that it was a compressed file.

 

Startpage.GX (threat level, damage and distribution rating graphics not captured)

Common name: Startpage.GX

 

Technical name: Adware/Startpage.GX

 

Threat level: Low

 

Alias: Trj/Startpage.GX, winsearchie32,Yun, up-search

 

Type: Spyware

 

Subtype: Adware

 

Effects: It collects information on Internet usage and the applications installed in the computer and uses it to display pop-up advertisements.

 

 

Affected platforms: Windows XP/2000/NT

 

 

First detected on: July 9, 2004

 

Detection updated on: May 12, 2005

 

In circulation? No

 

 

Brief Description

 

Startpage.GX is adware.

Adware is a license form for using programs, which offers the application at the only cost of viewing a series of advertisements. However, these programs sometimes collect data on Internet usage habits, pages viewed, inventory of the applications installed in the computer, etc.

Then, this information can be sent to Internet advertising companies.


A little more about it.

 

 

 

Effects

 

Startpage.GX carries out the following actions:

 

It collects user details, such as Internet usage, pages viewed, phone connection details, inventory of the applications installed in the computer, etc.

It uses this information to display pop-up advertisements.

 

 

Means of transmission

 

 

 

Startpage.GX does not use any specific means to spread. It can reach computers through any of the means normally used by viruses: CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.

 

Further Details

 

 

Other interesting characteristics of Startpage.GX are:

 

The file that carries out the infection is 6240 bytes.

 

It is compressed with Upx.


I need you to please do the following:

 

Download FindQoologic-Narrator.zip save it to your Desktop.

http://forums.net-integration.net/index.ph...=post&id=134981

 

Extract (unzip) the files inside into their own folder called FindQoologic.

Open the FindQoologic folder. Preferable to your desktop.

Locate and double-click the Find-Qoologic.bat file to run it.

Wait until a text file opens, then post it in a reply to your thread.


Nothing will open as the file is being used by another operation. It had something to do with MS-DOS. THE TEXT FILE READS AS BELOW.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

some examples are MRT.EXE NTDLL.DLL.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Let's try to run it in Safe Mode. Make sure you're disconnected from the internet.

 

Restart in Safe Mode:

Restart your computer.

 

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.

Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

 

 

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Clear "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Clear "Hide protected operating system files."

Click Apply, and then click OK.

 

Now try and run the Find-Qoologic.bat .

 

Wait until a text file opens, then post it in a reply to your thread.


Note on XoftSpy: XoftSpy was listed on this page because of concerns with false positives (1, 2, 3, 4), questionable license terms, and the use of aggressive, deceptive advertising (1, 2), including exploitation of the name "spybot" by affiliates. Earlier versions of XoftSpy were also Ad-aware knockoffs. (There was a clone of XoftSpy named SpyBurn, but that application is no longer available.)

Over the past few months, XoftSpy has taken aggressive steps to rein in its affiliates (who were primarily responsible for the unsavory advertising), revised its license text, and released a new version of XoftSpy (version 4.0) that addresses our concerns with false positives. Given these changes we can no longer regard XoftSpy as "rogue/suspect" anti-spyware.

If you have version 4.0, you should be alright.

 

 

ScanSpyware scanspyware.net aggressive advertising (1); false positives work as goad to purchase [A: 6-26-04 / U: 6-26-04]

I'd use Add/Remove Programs and remove: ScanSpyware

 

 

How are we coming with the scan?


Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

 

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

 

Then please run Ewido, and run a full scan. Save the logfile from the scan.


Ok this is what I got. A worm.

---------------------------------------------------------

ewido security suite - Process report

---------------------------------------------------------

 

+ Created on: 10:21:49 PM, 6/10/2005

+ Report-Checksum: 53F022D0

 

0: System Process

4: System Process

208: \SystemRoot\System32\smss.exe

260: \??\C:\WINDOWS\system32\csrss.exe

284: \??\C:\WINDOWS\System32\winlogon.exe

328: C:\WINDOWS\system32\services.exe

340: C:\WINDOWS\system32\lsass.exe

492: C:\WINDOWS\system32\svchost.exe

552: C:\WINDOWS\system32\svchost.exe

628: C:\WINDOWS\system32\svchost.exe

808: C:\WINDOWS\Explorer.EXE

896: C:\Program Files\ewido\security suite\SecuritySuite.exe

1168: C:\WINDOWS\system32\mspaint.exe

When I try to copy and paste off the desktop it comes up with errors. Anyway, the worm is: MINDA. The image “file:///C:/Documents%20and%20Settings/JOE/Desktop/untitled.JPG” cannot be displayed, because it contains errors.


It takes time, but I went thru the scans, and I will try to post the results. The image “file:///D:/My%20Documents/My%20Received%20Files/untitled.JPG” cannot be displayed, because it contains errors. There are no errors in the scan, just while or when I try to copy them (images or reports). This happens with everything that I try to send. It makes no difference where I try to save them.

When the scans are finished and you save the log it should be just a text file, not a picture (jpg).


I think I got it right this time. The previous log was from last evening. I did a new one this morning. Before I did it, I went thru all the spyware programs and ran them, a registry repair, then Ewido, rebooting between each scan.

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

 

+ Created on: 12:20:25 PM, 6/11/2005

+ Report-Checksum: FD56C0DA

 

+ Date of database: 6/11/2005

+ Version of scan engine: v3.0

 

+ Duration: 33 min

+ Scanned Files: 70758

+ Speed: 34.69 Files/Second

+ Infected files: 0

+ Removed files: 0

+ Files put in quarantine: 0

+ Files that could not be opened: 0

+ Files that could not be cleaned: 0

 

+ Binder: Yes

+ Crypter: Yes

+ Archives: Yes

 

+ Scanned items:

C:\

D:\

E:\

 

+ Scan result:

No infected files found!

 

 

::Report End

Then I did the PANDA ONE TO CHECK AND THIS IS WHAT I GOT AGAIN. THE EXPLANATION OF WHAT IT IS IS ON PREVIOUS THREADS.

 

 

Incident                    Status           Location
Adware:Adware/Startpage.GX  No disinfected   Windows Registry

:help:


Click Start > Run, type regedit and tap the Enter key.

 

 

Regedit will open. At the top of the window click Edit > Find, then copy and paste the following into the window.

 

Startpage.GX

 

Then click find now.

When you find the entry right click on it and select delete, answer ok at the prompt.

Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.


I have done that all week, but just in case I wasn't following in the right order, I did it again, just now. No results. That was one of the first things I tried. Now what? :blushing:
