
Stupid spyware...

Discussion in 'All Other Software' started by blackecho, Apr 8, 2004.

Thread Status:
Not open for further replies.
  1. blackecho

    blackecho Thread Starter

    Joined:
    Oct 27, 2003
    Messages:
    369
    Somehow I've managed to get spy and adware on my computer, which is really weird because I've not done anything that would warrant it. I very rarely download stuff that would contain this crap and I'm very careful when I do, plus I haven't visited any "sites" that might infect me with it. I've got Norton Antivirus always running and I've used spysweeper and adware to remove it, but it's still here. I'm still getting pop ups for Golden Palace Casino and other crap. Gahd. Any ideas how to get rid of this stuff? Using winxp... thanks! Plus, I've got the IETool bar in IExplorer. It keeps killing my google taskbar and redirecting my searches to some stupid site. What did I do?
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    First please get Spybot S&D to clear out most of the spyware.

    Short tutorial and download link here:
    http://tomcoyote.org/SPYBOT/

    Fix everything SpybotSD labels in red.

    Then after reboot:
    Download 'Hijack This!'. http://www.tomcoyote.org/hjt/
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
     
  3. SpeedRacer5

    SpeedRacer5

    Joined:
    Feb 10, 2004
    Messages:
    201
    I'd download AdAware from http://www.lavasoftusa.com/software/adaware/ and run it as well as AVG Anti-Virus (Free Version) from www.grisoft.com before I did the Hijack This.

    Adaware and Spybot both miss a few files that the other picks up.
    AVG is good to have and saves you cash that you would spend to get Norton.
     
  4. blackecho

    blackecho Thread Starter

    Joined:
    Oct 27, 2003
    Messages:
    369
    Hijack This:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:40:26 PM, on 4/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\LiteStep\litestep.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ZipGenius 5\zipgenius.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\ZGTemp\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F0 - system.ini: Shell=C:\LiteStep\litestep.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKCU\..\Run: [System Tray Manager] C:\Documents and Settings\Owner\Desktop\SYSMAN.EXE
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Rescan and put a check next to each of these, then close all browser windows and click "Fix checked":

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
     
  6. blackecho

    blackecho Thread Starter

    Joined:
    Oct 27, 2003
    Messages:
    369
    So, will this stop some of the bad stuff? I've not experienced any pop ups now for a little while. Thanks!
     
  7. Pancake

    Pancake

    Joined:
    Jan 9, 2004
    Messages:
    313
    Should you have probs you can take this one out as well.
    F0 - system.ini: Shell=C:\LiteStep\litestep.exe
     
  8. blackecho

    blackecho Thread Starter

    Joined:
    Oct 27, 2003
    Messages:
    369
    Um, I thought that was crucial to the shell considering the shell is LiteStep?
     
  9. Pancake

    Pancake

    Joined:
    Jan 9, 2004
    Messages:
    313
    With the shell, some take it out and some keep it... by all means leave it.
     
  10. blackecho

    blackecho Thread Starter

    Joined:
    Oct 27, 2003
    Messages:
    369
    Hehehe. Is it crucial? I'm using LiteStep as the actual shell, it loads instead of Explorer. But if it's a process that has no use, is it critical? Thanks for the tip. :)
     
  11. Pancake

    Pancake

    Joined:
    Jan 9, 2004
    Messages:
    313
    Normally anything with an F0 prefix is treated as bad so it gets zapped.
    F0 - system.ini: Shell=C:\LiteStep\litestep.exe
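
The two entries singled out in this thread can be triaged mechanically. The following is an added example, not part of any post above and not HijackThis's own code: it parses log entries and flags (a) items whose backing file is missing and (b) a `Shell=` value that is not on an allowlist of full shell paths, so an intentionally installed replacement shell is kept instead of being removed by a blanket "F0 is bad" rule. The function names, the verdict labels and the allowlist parameter are assumptions of this example.

```python
import re

# Section codes as documented for HijackThis (only the ones used below).
SECTIONS = {
    "R3": "IE URLSearchHook",
    "F0": "system.ini Shell= autoload",
    "O2": "Browser Helper Object",
}
# An entry line is "<letter><1-2 digits> - <detail>"; process paths do not match.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")

# Constructed excerpt: lines copied from the log posted in the thread.
SAMPLE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=C:\LiteStep\litestep.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
"""

def parse_log(text):
    """Return (code, detail) pairs; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def triage(entries, expected_shells=("explorer.exe",)):
    """Flag orphaned entries and any Shell= value not on the allowlist."""
    allowed = {s.lower() for s in expected_shells}
    findings = []
    for code, detail in entries:
        if detail.endswith("(no file)"):
            # The registry value points at a component that is not on disk.
            findings.append((code, "orphaned", detail))
        elif code == "F0" and "shell=" in detail.lower():
            # Compare the whole value, so "Explorer.exe extra.exe" is still flagged.
            shell = detail[detail.lower().index("shell=") + 6:].strip().lower()
            if shell not in allowed:
                findings.append((code, "unexpected-shell", detail))
    return findings

if __name__ == "__main__":
    for code, verdict, detail in triage(parse_log(SAMPLE)):
        print(f"{code} [{SECTIONS.get(code, '?')}] {verdict}: {detail}")
```

Passing `expected_shells=[r"C:\LiteStep\litestep.exe"]` records the user's deliberate choice of shell, leaving only the orphaned R3 entry flagged.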
     

Short URL to this thread: https://techguy.org/218333
