
Another Persistent Spyware

Discussion in 'Virus & Other Malware Removal' started by stueycaster, Sep 19, 2004.

Thread Status:
Not open for further replies.
  1. stueycaster

    stueycaster Thread Starter

    Joined:
    Aug 8, 2004
    Messages:
    111
    I have another spyware that comes right back into my system every time I remove it. It's called coolwebsearch. Can someone tell me which one is my problem?

    Logfile of HijackThis v1.97.7
    Scan saved at 7:24:33 AM, on 9/19/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    E:\Program Files\Winamp\winampa.exe
    E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    E:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
    E:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
    E:\Program Files\AdsGone\adsgone.exe
    E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MMKeybd.exe
    E:\Program Files\SpywareGuard\sgmain.exe
    E:\Program Files\Executive Software\Diskeeper\DkService.exe
    E:\WINDOWS\System32\nvsvc32.exe
    E:\Program Files\SpywareGuard\sgbhp.exe
    E:\Program Files\BulletProofSoft.com\SpywareRemover\DB31DA29.DLL
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\ZoneLabs\vsmon.exe
    E:\Program Files\Netropa\Traymon.exe
    E:\Program Files\Netropa\OSD.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\HijackThis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [WorksFUD] E:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] E:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KAVPersonal50] E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [spywatch] E:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
    O4 - HKCU\..\Run: [TuneUp MemOptimizer] "E:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: AdsGone 2004.lnk = E:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: MMKeybd.exe
    O4 - Global Startup: SpywareGuard (2).lnk = E:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Web Rebates - file://E:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...e72ee2c1ad21:ec2c14f0540d4a37a01b1231e42bb95f
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37951.6800694444
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.12/ttinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

    Also, I have Spyware Blaster but I never can see where it looks like it is switched on. It tells me it is working but it doesn't show up in my system tray.
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,860
    Please download the latest version of Hijack This and post another log. You can get it here: http://www.majorgeeks.com/download3155.html

    SpywareBlaster runs in the background and doesn't show in the system tray.
     
  3. stueycaster

    stueycaster Thread Starter

    Joined:
    Aug 8, 2004
    Messages:
    111
    Ok here it is. Thank you.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:47:25 AM, on 9/19/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    E:\Program Files\Winamp\winampa.exe
    E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    E:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
    E:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
    E:\Program Files\AdsGone\adsgone.exe
    E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    E:\Program Files\Executive Software\Diskeeper\DkService.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MMKeybd.exe
    E:\Program Files\SpywareGuard\sgmain.exe
    E:\WINDOWS\System32\nvsvc32.exe
    E:\Program Files\SpywareGuard\sgbhp.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\ZoneLabs\vsmon.exe
    E:\Program Files\BulletProofSoft.com\SpywareRemover\C322CC2A.DLL
    E:\Program Files\Netropa\Traymon.exe
    E:\Program Files\Netropa\OSD.exe
    E:\Program Files\HijackThis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [WorksFUD] E:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] E:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KAVPersonal50] E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [spywatch] E:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
    O4 - HKCU\..\Run: [TuneUp MemOptimizer] "E:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: AdsGone 2004.lnk = E:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: MMKeybd.exe
    O4 - Global Startup: SpywareGuard (2).lnk = E:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Web Rebates - file://E:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - E:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...e72ee2c1ad21:ec2c14f0540d4a37a01b1231e42bb95f
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.12/ttinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,860
    Please download and run the following programs:

    CWSHREDDER

    http://www.majorgeeks.com/download4086.html

    Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

    Then restart your computer.

    IMPORTANT!
    To help prevent this from happening again, you should install all the Microsoft security patches and critical updates.

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Restart your computer.

    SPYBOT SEARCH & DESTROY

    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems", then restart your computer.

    Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
     
  5. stueycaster

    stueycaster Thread Starter

    Joined:
    Aug 8, 2004
    Messages:
    111
    Ok I did what you said. I was using AdAware 6.0, BPS Spyware Remover and Spybot S&D. I can't believe all the stuff that the new AdAware found that the others missed. Thanks for the info.
    I installed Service Pack 2 recently and whenever I go to the Windows Update site it tells me I'm all up to date.
    Here's the new HijackThis file.

    Thanks for the help.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:29:32 PM, on 9/19/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    E:\Program Files\Winamp\winampa.exe
    E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    E:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
    E:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
    E:\Program Files\AdsGone\adsgone.exe
    E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MMKeybd.exe
    E:\Program Files\SpywareGuard\sgmain.exe
    E:\Program Files\Executive Software\Diskeeper\DkService.exe
    E:\Program Files\SpywareGuard\sgbhp.exe
    E:\WINDOWS\System32\nvsvc32.exe
    E:\Program Files\BulletProofSoft.com\SpywareRemover\7F85CFAB.DLL
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\ZoneLabs\vsmon.exe
    E:\Program Files\Netropa\Traymon.exe
    E:\Program Files\Netropa\OSD.exe
    E:\Program Files\HijackThis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [WorksFUD] E:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] E:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KAVPersonal50] E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [spywatch] E:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
    O4 - HKCU\..\Run: [TuneUp MemOptimizer] "E:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: AdsGone 2004.lnk = E:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: MMKeybd.exe
    O4 - Global Startup: SpywareGuard (2).lnk = E:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - E:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...e72ee2c1ad21:ec2c14f0540d4a37a01b1231e42bb95f
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.12/ttinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,860
    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R3 - Default URLSearchHook is missing

    O4 - HKCU\..\Run: [spywatch] E:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP

    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b1 231e42bb95f

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.6.cab


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    E:\Program Files\BulletProofSoft.com - folder

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Then reboot and post another log please.
     
  7. stueycaster

    stueycaster Thread Starter

    Joined:
    Aug 8, 2004
    Messages:
    111
    Ok I did all you said. However, when I rebooted to regular mode BPS Spyware Remover tried to reinstall itself. I went to Add/Remove Programs and uninstalled it.

    Here's the new log

    Logfile of HijackThis v1.98.2
    Scan saved at 6:13:21 PM, on 9/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    E:\Program Files\Winamp\winampa.exe
    E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    E:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
    E:\Program Files\AdsGone\adsgone.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MMKeybd.exe
    E:\Program Files\SpywareGuard\sgmain.exe
    E:\Program Files\Executive Software\Diskeeper\DkService.exe
    E:\WINDOWS\System32\nvsvc32.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\SpywareGuard\sgbhp.exe
    E:\WINDOWS\system32\ZoneLabs\vsmon.exe
    E:\Program Files\Netropa\Traymon.exe
    E:\Program Files\Netropa\OSD.exe
    E:\Program Files\HijackThis\HijackThis.exe
    E:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [WorksFUD] E:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] E:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KAVPersonal50] E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [TuneUp MemOptimizer] "E:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: AdsGone 2004.lnk = E:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MMKeybd.exe
    O4 - Global Startup: SpywareGuard (2).lnk = E:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - E:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.12/ttinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,860
    The log looks good. How's everything running now?
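
An added example, not part of the original thread: one way to confirm that the entries on a HijackThis fix list are really gone from the follow-up log. The function names are hypothetical, and the three text blocks are short excerpts copied from the logs and fix list posted above. Entries are compared without their trailing URL, because the forum abbreviates long URLs with "..." and the fix-list lines would otherwise never match the log lines.

```python
import re

# Section code ("R3", "O4", "O16", ...) followed by " - " and the entry text.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# A trailing " - http://..." or " - file://..." part is dropped from the key.
URL_TAIL_RE = re.compile(r"\s*-\s*(?:https?|file)://.*$")


def entry_key(line):
    """Return (section, text-without-URL) for an entry line, else None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None  # header, blank line, or a "Running processes" path
    code, text = m.groups()
    return code, URL_TAIL_RE.sub("", text)


def parse_entries(log_text):
    """Map each entry key to the original line it came from."""
    entries = {}
    for line in log_text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries[key] = line.strip()
    return entries


def diff_logs(before, after):
    """Return (removed, added) entry lines between two scans."""
    b, a = parse_entries(before), parse_entries(after)
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


def still_present(fix_list, after):
    """Fix-list entries that survive in the follow-up log."""
    a = parse_entries(after)
    return [line for k, line in parse_entries(fix_list).items() if k in a]


# Excerpt of the log saved at 8:29:32 PM on 9/19/2004 (copied from the thread).
BEFORE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
E:\WINDOWS\Explorer.EXE
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [KAVPersonal50] E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [spywatch] E:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...e72ee2c1ad21:ec2c14f0540d4a37a01b1231e42bb95f
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""

# Excerpt of the log saved at 6:13:21 PM on 9/20/2004 (copied from the thread).
AFTER_LOG = r"""
Logfile of HijackThis v1.98.2
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [KAVPersonal50] E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""

# The fix list as posted, including the forum-abbreviated URLs.
FIX_LIST = r"""
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [spywatch] E:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b1 231e42bb95f
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.6.cab
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Removed since previous scan:")
    for line in removed:
        print("  " + line)
    print("New since previous scan:", added or "none")
    print("Fix-list entries still present:",
          still_present(FIX_LIST, AFTER_LOG) or "none")
```

An entry that shows up under "New since previous scan" is the thing to look at first when something keeps coming back after removal.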
     
  9. stueycaster

    stueycaster Thread Starter

    Joined:
    Aug 8, 2004
    Messages:
    111
    Seems good right now. Now since I have the good version of AdAware my system will probably stay cleaner. Why did you advise me to take out BPS? Is there something wrong with it?
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,860
  11. stueycaster

    stueycaster Thread Starter

    Joined:
    Aug 8, 2004
    Messages:
    111
    Thanks Cookie. I did the restore point. Right now I have in my system: Spyware Blaster, Spyware Guard, IESpyad, CWShredder, Kaspersky AV, Adaware SE Personal, Spybot S&D and ZoneAlarm 5.1.011.000

    Also I plan to go through the list of things to do in the "How did I get infected in the first place" message when I'm a little less sleepy.

    Thanks again
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,860
    You're welcome. It looks like you're well protected.

    Happy computing!

    I’m closing this thread now as it has been solved. If you have more problems related to this thread and need it reopened, please PM a Moderator.

    ANYONE ELSE WITH A SIMILAR PROBLEM PLEASE START A NEW THREAD.
     

Short URL to this thread: https://techguy.org/275701
