
Spyware?

  • 22-07-2004 2:28pm
    #1
    Closed Accounts Posts: 1,114 ✭✭✭


    Recently when looking at webpages I have noticed links on words like "dvds" and "movies" etc but these links aren't put in by the author, e.g. I have seen some in posts made by users on these forums.

    When you click these links it takes you to www.adsrv.comXXXXXXXXXX or something,


    Now I have noticed that IE is slow to respond lately, i.e. when typing it sometimes takes a few seconds before the text appears and when scrolling a page it will stall for a second or two. Maybe this is unrelated but I think that it may be spyware scanning the page for words to link from.

    I have scanned with Adaware and it found nothing.

    Anyone have any ideas?


Comments

  • Registered Users, Registered Users 2 Posts: 907 ✭✭✭tibor


    A spyware removal sticky might be useful?


    <standard spyware cleaning procedure>
    1. Download the following -
    Spybot Search and Destroy
    http://www.safer-networking.net/

    Lavasoft AdAware
    http://www.lavasoft.de

    CWSShredder
    http://www.spywareinfo.com/~merijn/downloads.html

    LSP-Fix and WinsockXPFIx
    http://www.cexx.org/lspfix.htm

    Hijack This!
    http://mjc1.com/mirror/hjt/

    2. Run WindowsUpdate, making sure your system is fully patched with, at least, all "critical" updates.

    3. Install and update AdAware and SpybotS&D.

    4. Reboot to safe mode, do not open ANY programs before continuing.

    5. Run LSP-Fix, and WinXPFix if appropriate. Remove anything dodgy.

    6. Run CWSShredder, let it fix whatever it finds.

    7. Scan with AdAware and SpybotS&D, and make recommended deletions.

    8. Reboot normally.

    9. Run HiJackThis, save the logfile. Look for anything strange or out of place.

    </>


  • Closed Accounts Posts: 1,114 ✭✭✭Kappar


    I've tried most of that but it is still happening. It is getting very annoying at this stage.

    Any suggestions would be great.


  • Registered Users, Registered Users 2 Posts: 907 ✭✭✭tibor


    Only doing MOST could be the problem.
    Try all of it, in that order, and post the HiJack This log when you're done. :)


  • Closed Accounts Posts: 1,114 ✭✭✭Kappar


    Here is the log:
    Logfile of HijackThis v1.97.7
    Scan saved at 17:02:32, on 22/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Unisyn\AutoMate4\Automate.exe
    C:\Program Files\Navini Ripwave Monitor\NAVMON.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\System32\ccserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    X:\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iol.ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.u.tv
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UTV Internet
    O1 - Hosts: 169.254.27.254 Attic.NetWiz
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PPMemCheck] "C:\PROGRAM FILES\PESTPATROL\PPMemCheck.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [WinProxyRun] C:\PROGRA~1\WINPRO~1.0\WinProxy.exe /InstallWizard
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\RunServices: [Win32 Rundll Loader] Rundll32.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [East-Tec Eraser 2003] "C:\Program Files\East-Tec Eraser 2003\silent.exe" /R
    O4 - Global Startup: AutoMate Task Service.lnk = C:\Program Files\Unisyn\AutoMate4\Automate.exe
    O4 - Global Startup: Ripwave Monitor.lnk = C:\Program Files\Navini Ripwave Monitor\NAVMON.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.u.tv
    O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
    O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.justis.com/J-Net/smsx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.5330671296
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4279/mcfscan.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/dlaccell.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2569FA4C-A9D2-4874-84D9-24C8FA8284D5}: NameServer = 172.16.1.1


  • Registered Users, Registered Users 2 Posts: 907 ✭✭✭tibor


    Open Task Manager & end process on the following:

    IEHost.exe

    Then delete the file manually by going to C:\WINDOWS\System32\IEHost.exe

    Close all browser windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':


    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL

    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe

    O1 - Hosts: 169.254.27.254 Attic.NetWiz

    Reboot into safe mode following the instructions here & navigate to & delete the following if found:

    C:\Program Files\MyWay-folder


    That should get rid of it.

    Try sort out your ZoneAlarm rules though so that any programs attempting to access the net require authorisation.

    And you should probably stop using IE.
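
As an added example (not part of the original thread and not any poster's code), here is a small Python parser for the HijackThis log format shown above that cross-references O4 autorun entries with the running-process list. The flagging rule is a triage heuristic assumed for this example, and the sample is an excerpt of lines from the log posted earlier in the thread.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\ctfmon.exe

O1 - Hosts: 169.254.27.254 Attic.NetWiz
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                  # "O4 - <detail>"
AUTORUN = re.compile(r'^\S+: \[([^\]]+)\] "?(.+?\.exe)', re.I)  # "<key>: [name] path.exe"

def parse_log(text):
    """Return (set of running process paths, lowercased; entries grouped by code)."""
    running, entries, in_procs = set(), defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False            # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif (m := ENTRY.match(line)):
            entries[m.group(1)].append(m.group(2))
    return running, entries

def autoruns_for_review(text):
    """Heuristic (an assumption of this example, not a verdict): O4 autoruns placed
    directly in System32 under a value name unrelated to the file name."""
    running, entries = parse_log(text)
    hits = []
    # Lines that do not match (e.g. "Global Startup" shortcuts) are skipped.
    for m in filter(None, map(AUTORUN.match, entries["O4"])):
        name, path = m.group(1), m.group(2)
        base = ntpath.basename(path).lower()
        in_sys32 = ntpath.dirname(path).lower().endswith("\\system32")
        if in_sys32 and name.lower() not in (base, ntpath.splitext(base)[0]):
            hits.append((name, path, path.lower() in running))  # third field: running now?
    return hits

if __name__ == "__main__":
    print(autoruns_for_review(SAMPLE_LOG))
```

An entry returned here is only a candidate for a closer look; well-known software can also register under a value name that differs from its file name.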


  • Closed Accounts Posts: 1,114 ✭✭✭Kappar


    Thanks a lot, it's all sorted now I hope.

    I think I might stop using IE. I wish it wasn't so integrated with Windows though.


  • Registered Users, Registered Users 2 Posts: 9,604 ✭✭✭irishgeo


    my ultimate spyware thread was supposed to be stickied.

    Guess the mods are slacking.:D


  • Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭Syth


    Thanks a lot, it's all sorted now I hope.

    I think I might stop using IE. I wish it wasn't so integrated with Windows though.
    Try Firefox, it's great!
    So you will have to use IE for file viewing and stuff, but if you don't use it on the web, then spyware can't install through there. Plus even if you get spyware in IE, it won't affect your web browsing performance.


  • Registered Users, Subscribers, Registered Users 2 Posts: 47,352 ✭✭✭✭Zaph


    Another anti-spyware/virus tool worth downloading is AVG Free Edition. It picked up a couple of nasties on my PC that a full scan of Norton didn't. It's available here http://www.grisoft.com

