Spyware

Guest

My laptop is really messed up, I ran adaware this morning and it seems like
the main thing is "myway" but who knows. It seems to have uninstalled my
norton, and it won't let me install again. It also crashes my ICQ. I had the
"mysearch" toolbar show up which I have gotten rid of. I've run adaware and
quarantined everything it found but nothing has changed. I also did a system
restore to a few days ago but that didn't change it either. I don't want to
have to reformat since I just had the same problem on my PC a week ago and I
had to reformat that.
(laptop is XP)
 
siljaline

EmilyBean said:
My laptop is really messed up, I ran adaware this morning and it seems like
the main thing is "myway" but who knows. It seems to have uninstalled my
norton, and it won't let me install again. It also crashes my ICQ. I had the
"mysearch" toolbar show up which I have gotten rid of. I've run adaware and
quarantined everything it found but nothing has changed. I also did a system
restore to a few days ago but that didn't change it either. I don't want to
have to reformat since I just had the same problem on my PC a week ago and I
had to reformat that.
(laptop is XP)

Run 'HijackThis', FAQ & info here: http://mvps.org/winhelp2002/unwanted.htm
Post your log here: http://forum.aumha.org/viewforum.php?f=30

Silj

--
siljaline

MS - MVP Windows (IE/OE) 2003/04 AH-VSOP
________________________________________
Security Tools Updates
http://forum.aumha.org/viewforum.php?f=31

(Reply to group, as return address
is invalid - that we may all benefit)
 
PA Bear

It's not very useful IMO:

<paste>
C:\WINDOWS\RUNDLL32.EXE

Nasty running process. (RUNDLL32.EXE)

This process is not running from the System32 folder as it is supposed to
be. This entry is not running from the System32 folder, so it is probably
nasty.
</paste>

Now what? This isn't an entry which can be "fixed" with HT.
 
oops!!

That bug was corrected long ago.

Double check it.

It's not perfect, it will never be, but IMO, it's a good alternative to
posting those (very) long logs in forums.

Zee
 
siljaline

:
It's not perfect, it will never be, but IMO, it's a good alternative to
posting those (very) long logs in forums.

There's *no* substitute for posting long logs and getting them correctly
evaluated and _fixed_

Silj

--
siljaline

MS - MVP Windows (IE/OE) 2003/04 AH-VSOP
________________________________________
Security Tools Updates
http://forum.aumha.org/viewforum.php?f=31

(Reply to group, as return address
is invalid - that we may all benefit)
 
Jim Byrd

I agree, definitely not ready for prime time - identifies a lot of pretty
well known stuff as "nasties" which is going to lead many to delete
erroneously. For example, found the following on mine:

O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe
mmsys.cpl,mmseRunOnce
Nasty The entered application MigrateMMDrivers was identified:
Rundll32. Hit rate: 20 % (result) Must be fixed!


???? Multi-media Properties ????


O4 - Global Startup: Quick Tray.lnk = E:\Misc\QUIKTRAY.EXE
Nasty The entered application 'Quick Tray.lnk (QUIKTRAY.EXE)' was
identified: 'Aim Quick Start (Aim.exe)'. Hit rate: 33 % (result) Must be
fixed!


I could understand Unknown on this one, as it's a small, not too well known
utility.


O4 - Global Startup: TASKMGR.EXE.lnk = E:\WINNT\system32\TASKMGR.EXE
Nasty The entered application 'TASKMGR.EXE.lnk (TASKMGR.EXE)' was
identified: 'Taskmgr (Taskmgr.exe )'. Hit rate: 16 % (result) Must be
fixed!


???? Task Manager ????


O8 - Extra context menu item: &Web Search - E:\WINNT\WEB\selsearch.htm
Nasty The entry &Web Search has been identified as nasty.



???? Yahoo Home Page Search ????


O8 - Extra context menu item: BabelFish Translate... -
http://www.gingell.com/iesearch/babelfish.html
Nasty The entry BabelFish Translate... has been identified as nasty.


???? BabelFish ?????

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} -
res://E:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
Unnecessarily Unknown buttons or entries in the 'Extras'-menu should
be fixed. To be fixed if the entry 'ieSpell ' is unknown.
Unnecessary (deactivated) entry that can be fixed.
O9 - Extra 'Tools' menuitem: ieSpell -
{0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://E:\Program
Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
Unnecessarily Unknown buttons or entries in the 'Extras'-menu should
be fixed. To be fixed if the entry 'ieSpell ' is unknown.
Unnecessary (deactivated) entry that can be fixed.
O9 - Extra button: (no name) -
{1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://E:\Program
Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
Unnecessarily Unknown buttons or entries in the 'Extras'-menu should
be fixed. To be fixed if the entry '' is unknown.
Unnecessary (deactivated) entry that can be fixed.
O9 - Extra 'Tools' menuitem: ieSpell Options -
{1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://E:\Program
Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
Unnecessarily Unknown buttons or entries in the 'Extras'-menu should
be fixed. To be fixed if the entry 'ieSpell Options ' is unknown.
Unnecessary (deactivated) entry that can be fixed.



These are only unnecessary in the Analyzer's opinion. Since I use them to
check spelling on IE forms, I kinda' think they're necessary, at least for
me.


O10 - Unknown file in Winsock LSP: e:\program files\google\google
desktop search\googledesktopnetwork1.dll
Nasty This entry should not be fixed! Your best bet to repair it is
to try the LSPFix from Cexx.org or Spybot S&D from Kolla.de. Check your
hard disc drive with Spybot S&D from Kolla.de or LSPFix from Cexx.org.
O10 - Unknown file in Winsock LSP: e:\program files\google\google
desktop search\googledesktopnetwork1.dll
Nasty This entry should not be fixed! Your best bet to repair it is
to try the LSPFix from Cexx.org or Spybot S&D from Kolla.de. Check your
hard disc drive with Spybot S&D from Kolla.de or LSPFix from Cexx.org.
O10 - Unknown file in Winsock LSP: e:\program files\google\google
desktop search\googledesktopnetwork1.dll
Nasty This entry should not be fixed! Your best bet to repair it is
to try the LSPFix from Cexx.org or Spybot S&D from Kolla.de. Check your
hard disc drive with Spybot S&D from Kolla.de or LSPFix from Cexx.org.
O10 - Unknown file in Winsock LSP: e:\program files\google\google
desktop search\googledesktopnetwork1.dll
Nasty This entry should not be fixed! Your best bet to repair it is
to try the LSPFix from Cexx.org or Spybot S&D from Kolla.de. Check your
hard disc drive with Spybot S&D from Kolla.de or LSPFix from Cexx.org.



?????? Google Desktop Search ??????






--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
siljaline

Guest

Just discovered it also won't let me send email :)
I'm going to post the log file below as it's pretty short and that site
won't approve my registration (unrelated to spyware.. different computer..
it's at their end) hope this isn't annoying...

Scan saved at 9:14:59 AM, on 11/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\a\LOCALS~1\Temp\Temporary Directory 1 for
hjt[1].zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://rogers.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
/background
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program
Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://active.macromedia.com/director6/cabs/sw.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) -
http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) -
http://www.sponsoradulto.com/cab/en/SysWebTelecomInt.cab
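
The log above arrived with entries wrapped across lines, and the replies in this thread disagree about trusting automated verdicts. The following is an added example, not written by any poster and not HijackThis or analyzer code: it re-joins wrapped entries and lists only structurally incomplete ones for a human to look at. The function names and the triage rule are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: four entries from the log above, with its line wrapping kept.
SAMPLE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""

# Entry codes seen in HijackThis logs: R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? -\s*(\S*)$")

def parse_entries(text):
    """Return [code, body] pairs, re-joining lines wrapped by the mail client."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:
            entries[-1][1] += " " + line  # continuation of the previous entry
    return entries

def dpf_sources(entries):
    """For O16 (downloaded ActiveX) entries: (CLSID, name, download host)."""
    out = []
    for code, body in entries:
        m = DPF.match(body) if code == "O16" else None
        if m:
            out.append((m.group(1), m.group(2), urlparse(m.group(3)).hostname))
    return out

def needs_human_review(entries):
    """Structural gaps only (assumed triage rule); no good/bad verdict is made."""
    flagged = [c for c, name, host in dpf_sources(entries) if not name or not host]
    flagged += [b for code, b in entries if code == "O2" and "(no name)" in b]
    return flagged

if __name__ == "__main__":
    print(dpf_sources(parse_entries(SAMPLE)))
    print(needs_human_review(parse_entries(SAMPLE)))
```

Lines that precede the first coded entry, such as the "Running processes" list, are ignored by this parser.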
 
oops!!

Please read the other posts covering some bugs/limitations of the analysis site.

But, it is a step forward.

Zee
 
siljaline

oops!! said:
Thank you all for the feedback.

Really useful comments!

Zee

<paste>
Have you tried this online HJT log analyser?
http://www.hijackthis.de/index.php?langselect=english
</paste>

You're welcome, it's useful but has its limitations.
Not quite ready for prime-time yet ;)

Silj

--
siljaline

MS - MVP Windows (IE/OE) 2003/04 AH-VSOP
________________________________________
Security Tools Updates
http://forum.aumha.org/viewforum.php?f=31

(Reply to group, as return address
is invalid - that we may all benefit)
 
Jim Byrd

And again, and again, and again and . . . . Sheeezzz, this gets old!

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
