Annoyances.org
Spyware & IE problems
Windows XP Annoyances Discussion Forum

The following are all of the messages in this thread (40 in all), shown in chronological order.
Spyware & IE problems
Monday, November 29, 2004 at 4:11 am
Posted by Seth (50 messages posted)

I am having a problem where my internet explorer opens up by itself and is directing me to a website. This even occurred when I changed to FireFox as my default. The only info I can find is contained in a post found on this website http://www.aluriasoftware.com/forum/thread393.html however, there is no answer to fixing the problem. I have run everything mentioned by a regular poster on this site (Yap) as detailed in a previous post of mine earlier today which was a different problem that I still have not been able to fix. Any help would be appreciated.


re: Spyware & IE problems
Monday, November 29, 2004 at 4:39 am
Posted by Yap (4094 messages posted)

if you followed all link i've given to you... you should already post the hijackthis log now :)



re: Spyware & IE problems
Monday, November 29, 2004 at 4:59 am
Posted by Seth (50 messages posted)

Sorry Yap. I posted the Hijack report on my original post as this is another issue I have.


On Monday, November 29, 2004 at 4:39 am, Yap wrote:
>if you followed all link i've given to you... you should already post the hijackthis
>log now :)


re: Spyware & IE problems
Monday, November 29, 2004 at 6:07 am
Posted by joe (7018 messages posted)

Seth, you have a variant of CWS. what you are going to need for starters is to download, install and update CWShredder™ 2.0 and do a fix/scan in safe mode but Disable System Restore before doing this, where is your previous HJT log? see also this link for more info on that globesearch.com, if that is what you are referring to.




re: Spyware & IE problems
Monday, November 29, 2004 at 6:14 am
Posted by Tkwiget (80 messages posted)

http://www.annoyances.org/exec/forum/winxp/1100419274 

Yap's guide to spyware removal.


re: Spyware & IE problems
Monday, November 29, 2004 at 6:28 am
Posted by Yap (4094 messages posted)

http://www.annoyances.org/exec/forum/winxp/t1101690425



re: Spyware & IE problems
Monday, November 29, 2004 at 6:57 am
Posted by joe (7018 messages posted)

pick up a newer version of HJT, HijackThis 1.98.2. unzip it to its own folder (like C:\HJT) then run a scan, don't fix anything yet. paste a new log here and this time check the box at the bottom of the reply to preserve your spacing, again, are you referring to globe search or globe finder?




re: Spyware & IE problems
Monday, November 29, 2004 at 12:39 pm
Posted by Deosyne (64 messages posted)

First, why bother screwing around with other programs searching for the problem when a simpler solution can be at hand. Try using a spyware removing program like SpySweeper. Search Google for Webroot Spysweeper download and use it, it's free and one of the best spyware removal tools out there. Then if you still have a problem use HJT.


re: Spyware & IE problems
Monday, November 29, 2004 at 1:00 pm
Posted by joe (7018 messages posted)

why, because CWShredder is especially created for CoolWebSearch and its variants. Do some homework before giving somewhat bad advice on stating "why bother screwing around with other programs"




re: Spyware & IE problems
Monday, November 29, 2004 at 1:30 pm
Posted by Falcon (13489 messages posted)

And it certainly is NOT free.

The Wereotter


re: Spyware & IE problems
Monday, November 29, 2004 at 1:38 pm
Posted by joe (7018 messages posted)

oh, a free 30 day trial followed by having to subscribe at (US)$29.95. i've used it before, after its first update and scan, it is nothing that Spybot, and Ad-Aware can't find and remove, and all of their updates are free, all of the time....don't you just love spammers!!!!!! ;P




re: Spyware & IE problems
Monday, November 29, 2004 at 11:39 pm
Posted by Seth (50 messages posted)

Thanks for all your advice guys. I am referring to Globosearch (or whatever it is). This thread was referring to this problem and my other thread was in relation to another problem however, it would appear they are related in that the links embedded into the internet explorer (when clicked) infect your PC with this globosearch. I have run SpyBot, Adaware, PestPatrol, Norton all with latest updates to no avail. I have now run Hijack this and deleted everything suggested by Yap in the other post (except for the Rainbow Key as it is work related and TGT program as it is skinning program) and touch wood, the links have disappeared and my browser has not opened up by itself in the last 30 minutes. I have posted my Hijack this log on the other thread. What a damn hijacking of a pc if I have ever seen one!


On Monday, November 29, 2004 at 1:38 pm, joe wrote:
>oh, a free 30 day trial followed by having to subscribe at (US)$29.95. i've used
>it before, after its first update and scan, it is nothing that Spybot, and Ad-Aware
>can't find and remove, and all of their updates are free, all of the time....don't
>you just love spammers!!!!!! ;P


re: Spyware & IE problems
Tuesday, November 30, 2004 at 2:52 am
Posted by Yap (4094 messages posted)

I use spybot, spywareblaster, kerio firewall, AVG, and firefox browser combination to protect my computer...
never have trouble since...
also have ad-aware... just in case... but rarely run it
the good news all are free for personal use :)



re: Spyware & IE problems
Thursday, December 2, 2004 at 5:06 pm
Posted by Seth (50 messages posted)

This Globosearch has occurred again. It opens up my internet browser automatically. Is there any more news on this menace and how to stop it?


On Tuesday, November 30, 2004 at 2:52 am, Yap wrote:
>I use spybot, spywareblaster, kerio firewall, AVG, and firefox browser combination
>to protect my computer...
>never have trouble since...
>also have ad-aware... just in case... but rarely run it
>the good news all are free for personal use :)


re: Spyware & IE problems
Thursday, December 2, 2004 at 7:38 pm
Posted by Yap (4094 messages posted)

do you have multiple user in the system?
if so you should delete their temp, temporary internet, files and recycle bin also...
and why not you use a firewall to protect the system?
Ok let me see your HijackThis log again and send here :)



re: Spyware & IE problems
Thursday, December 2, 2004 at 11:42 pm
Posted by Seth (50 messages posted)

I am now using Zone Alarm Security Suite that I purchased. There are no other users, just me. Here is my HiJack log.

Logfile of HijackThis v1.98.2
Scan saved at 6:42:46 PM, on 3/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\BPALogin\BPALogin.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DkLog.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dkcktkn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dr Gothic\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe
O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Udoc] C:\Documents and Settings\Dr Gothic\Application Data\rpat.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: BPALogin.lnk = C:\Program Files\BPALogin\BPALogin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://nsw-chat.telstra.com/java/cr.cab
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093177363265
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


On Thursday, December 2, 2004 at 7:38 pm, Yap wrote:
>do you have multiple user in the system?
>if so you should delete their temp, temporary internet, files and recycle bin also...
>and why not you use a firewall to protect the system?
>Ok let me see your HijackThis log again and send here :)


re: Spyware & IE problems
Friday, December 3, 2004 at 12:21 am
Posted by Yap (4094 messages posted)

I found something back in the registry...
Download and run AboutBuster it will run twice... just let it...
from the latest hijackthislog fixed below items and delete the real files

R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O4 - HKCU\..\Run: [Udoc] C:\Documents and Settings\Dr Gothic\Application Data\rpat.exe (remove this one if you do not need seem like something related to a driving school)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
 


I also suggest you to apply two tools as I've suggested to you before spybot (turn on its resident teatimer feature) and spywareblaster... they will give you extra protection update them religiously :)


[Reply or follow-up to this message]
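
A triage pass over a HijackThis log, as an added example that is not part of the thread and not HijackThis's own code: it re-splits a log that lost its line breaks when pasted (as the logs in this thread did) and flags two kinds of entry Yap singled out above, a registered browser component marked "(no file)" and a Run key that launches from a user profile. The two rules and every function name are assumptions made for illustration; the sample entries are copied from the posted logs.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: header and entries copied from the logs posted in this
# thread, run together and wrapped mid-entry the way the forum rendered them.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2 Scan saved at 6:42:46 PM, on 3/12/2004
Running processes: C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ctfmon.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Udoc] C:\Documents and Settings\Dr Gothic\Application
Data\rpat.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE O10
- Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1...)
# followed by " - ". Splitting just before that marker restores one entry per
# item even when the paste lost its newlines.
ENTRY_START = re.compile(r"(?<!\S)(?=[RFNO]\d{1,2} - )")
ENTRY = re.compile(r"([RFNO]\d{1,2}) - (.+)")

# Windows XP profile root, as seen in this thread's log.
PROFILE_PATH = re.compile(r"[A-Za-z]:\\Documents and Settings\\[^\\]+\\", re.I)

# Illustrative review reasons (assumptions, not HijackThis output).
NO_FILE = "registered browser component has no file on disk"
PROFILE_AUTORUN = "autorun launches from a user profile directory"


class Entry(NamedTuple):
    code: str   # section code, e.g. "O4"
    body: str   # everything after "code - "


def split_entries(text: str) -> List[Entry]:
    """Recover the entries from a log, flattened or not."""
    flat = " ".join(text.split())  # undo arbitrary wraps inside an entry
    entries = []
    for chunk in ENTRY_START.split(flat):
        match = ENTRY.match(chunk.strip())
        if match:  # the header and process list do not match and are skipped
            entries.append(Entry(match.group(1), match.group(2).strip()))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return the entries a reviewer should look at first, with the reason."""
    findings = []
    for entry in entries:
        if entry.code in ("R3", "O2", "O3") and entry.body.endswith("(no file)"):
            findings.append((entry, NO_FILE))
        elif entry.code == "O4" and PROFILE_PATH.search(entry.body):
            findings.append((entry, PROFILE_AUTORUN))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(split_entries(SAMPLE_LOG)):
        print(f"{entry.code}: {reason}\n    {entry.body}")
```

A flagged entry is a prompt for manual review, not a verdict: legitimate software can also start from a profile directory.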

re: Spyware & IE problems
Friday, December 3, 2004 at 2:56 pm
Posted by Seth (50 messages posted)

Hi Yap, I have done as advised except I could not find the teatimer feature on Spybot (running version 1.2). Here is another copy of my Hijack log. Will leave PC on for a while to see if browser opens up by itself and directs me to best.globesearch.com. (PS. it doesn't matter whether Mozilla or IE is default browser, the default browser opens by itself and goes to the website listed above)

Logfile of HijackThis v1.98.2
Scan saved at 9:55:28 AM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\BPALogin\BPALogin.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\DkLog.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dkcktkn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Documents and Settings\Dr Gothic\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe
O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: BPALogin.lnk = C:\Program Files\BPALogin\BPALogin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://nsw-chat.telstra.com/java/cr.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093177363265
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab


On Friday, December 3, 2004 at 12:21 am, Yap wrote:
>I found something back in the registry...
>Download and run AboutBuster
>it will run twice... just let it...
>from the latest hijackthislog fixed below items and delete the real files
>
>R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
>O4 - HKCU\..\Run: [Udoc] C:\Documents and Settings\Dr Gothic\Application Data\rpat.exe (remove this one if you do not need seem like something related to a driving school)
>O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
>
>I also suggest you to apply two tools as I've suggested to you before spybot (turn on its
>resident teatimer feature) and spywareblaster... they will give you extra protection
>update them religiously :)


re: Spyware & IE problems
Friday, December 3, 2004 at 3:51 pm
Posted by Yap (4094 messages posted)

run spybot -> Mode -> Advanced Mode -> Expand Spybot S&D at the left pane -> point to immunize -> check mark "enable permanent blocking of bad adresses in IE" -> click on green + sign to immunize -> expand Tools at the left pane -> point to Hosts file -> click on green + sign to Add spybot S&D hosts list... that's all
don't forget to update spybot and spyware blaster religiously :)
btw: the hijackthis log seem to be clear again now



re: Spyware & IE problems
Saturday, December 4, 2004 at 1:15 am
Posted by Seth (50 messages posted)

Despite doing everything as mentioned, running all spybot, spyblaster, stinger, adaware, norton antivirus, zone alarm firewalls etc my internet explorer continues to open up at will (by itself) when the system is in idle at the following address http://best.globosearch.com/.


On Friday, December 3, 2004 at 3:51 pm, Yap wrote:
>run spybot -> Mode -> Advanced Mode -> Expand Spybot S&D at the left pane -> point
>to immunize -> check mark "enable permanent blocking of bad adresses in IE" -> click
>on green + sign to immunize -> expand Tools at the left pane -> point to Hosts file
>-> click on green + sign to Add spybot S&D hosts list... that's all
>don't forget to update spybot and spyware blaster religiously :)
>btw: the hijackthis log seem to be clear again now


re: Spyware & IE problems
Saturday, December 4, 2004 at 1:20 am
Posted by Yap (4094 messages posted)

wow a persistent one are you sure rainbow nothing is wrong with rainbow...
because AboutBuster should remove even the very hidden application
all of the spyware i suggest you is to prevent they come but except spybot could not remove already installed spyware...
also have you tried to run Ad-aware and spybot in safemode? as the procedure i've given? the procedure need to be run from the first to the end... and in your case need to run one more tool.. AboutBuster
I almost believe this item already back in the system
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
also don't forget every removal operation always need clean all temp, temporary internet files, recycle bin and turn off system restore before



re: Spyware & IE problems
Saturday, December 4, 2004 at 3:18 am
Posted by Seth (50 messages posted)

When I run the latest aboutbuster i get this error message: the instruction at "0x0263363a" referenced memory at "0x00000010". The memory could not be read" Click OK to terminate the program. After pressing OK the same message appears except different numbers and letters.


On Saturday, December 4, 2004 at 1:20 am, Yap wrote:
>wow a persistent one are you sure rainbow nothing is wrong with rainbow...
>because AboutBuster should remove even the very hidden application
>all of the spyware i suggest you is to prevent they come but except spybot could
>not remove already installed spyware...
>also have you tried to run Ad-aware and spybot in safemode? as the procedure i've
>given? the procedure need to be run from the first to the end... and in your case
>need to run one more tool.. AboutBuster
>I almost believe this item already back in the system
>R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
>also don't forget every removal operation always need clean all temp, temporary internet
>files, recycle bin and turn off system restore before


re: Spyware & IE problems
Saturday, December 4, 2004 at 3:27 am
Posted by Yap (4094 messages posted)

Ok...
download xfind extract all to C:\windows\system32\
then Start -> run -> cmd -> type in : xfind "jujriohy8oen" C:\*.* /s
this is not a malware removal tool but a powerful search tool...
the idea is not to really find something so i just type a gibberish like "jujriohy8oen" above
when xfind found file/s that don't allowed it to retrieve it will give us a report what is the file name and where is it live...
print it if necessary... then use recovery console to delete or rename the file/s



re: Spyware & IE problems
Saturday, December 4, 2004 at 2:16 pm
Posted by Seth (50 messages posted)

When I run the file in the start menu (xfind "jujriohy8oen" C:\*.* /s) a dos window opens and closes immediately. I ran it a couple of times. Where should I locate the report?


On Saturday, December 4, 2004 at 3:27 am, Yap wrote:
>Ok...
>download xfind
>extract all to C:\windows\system32\
>then Start -> run -> cmd -> type in : xfind "jujriohy8oen" C:\*.* /s
>this is not a malware removal tool but a powerful search tool...
>the idea is not to really find something so i just type a gibberish like
>"jujriohy8oen" above
>when xfind found file/s that don't allowed it to retrieve it will give us a
>report what is the file name and where is it live...
>print it if necessary... then use recovery console to delete or rename the file/s


re: Spyware & IE problems
Saturday, December 4, 2004 at 2:53 pm
Posted by Yap (4094 messages posted)

Start -> Run -> Cmd...
mean you run command prompt first then type xfind "jujriohy8oen" C:\*.* /s command in the command prompt window.



re: Spyware & IE problems
Saturday, December 4, 2004 at 2:56 pm
Posted by Yap (4094 messages posted)

if you have minimum knowledge about windows operation (registry edit...command prompt...recovery console etc) it is too dangerous to do it yourself... please let someone else do it for you



re: Spyware & IE problems
Saturday, December 4, 2004 at 4:24 pm
Posted by Seth (50 messages posted)

I have moderate knowledge. Yes I did run xfind "jujriohy8oen" C:\*.* /s in the cmd prompt. I was just looking for the log it would generate as the dos window opens and closes almost immediately. I am curious, with this web page http://best.globosearch.com opening up my browser automatically and subsequently directing my browser to the web site, why is there no information anywhere on the net about it!


On Saturday, December 4, 2004 at 2:56 pm, Yap wrote:
>if you have minimum knowledge about windows operation (registry edit...command prompt...recovery
>console etc) it is too dangerous to do it yourself... please let someone else do it
>for you


re: Spyware & IE problems
Saturday, December 4, 2004 at 5:28 pm
Posted by Yap (4094 messages posted)

the name is not important anymore lately... they change and mutate everyday to anyname and could be not yet documented...
globosearch is relatively new so hard to find its documentation
just make sure extract the content of Find23.zip into C:\windows\system32\ Not C:\windows\system32\Find23\...
Also move AboutBuster.exe and reflist.dll to C:\windows\system32\
restart windows ... hit F8 before windows start then boot into "safe mode with command prompt"
1. Try to run updated Ad-aware in this mode
2. Run Stinger in this mode
3. In the command window type AboutBuster.exe
4. Try again to run xfind "jujriohy8oen" C:\*.* /s
 



re: Spyware & IE problems
Saturday, December 4, 2004 at 7:07 pm
Posted by Yap (4094 messages posted)

sorry the step #4 only worth to be run in normal mode



re: Spyware & IE problems
Saturday, December 4, 2004 at 9:19 pm
Posted by Seth (50 messages posted)

Done it all. As I was doing step 4 the damn browser opened to the problem website =(. Here is a link to the only other person I can find having the same problem (under topic number 98). http://translate.google.com/translate?hl=en&sl=de&u=http://www.trojaner-board.de/archive/index.php/f-20.html&prev=/search%3Fq%3Dglobosearch%2Bvirus%26hl%3Den%26lr%3D. I am at a loss as to what can be done.


On Saturday, December 4, 2004 at 7:07 pm, Yap wrote:
>sorry the step #4 only worth to be run in normal mode


re: Spyware & IE problems
Saturday, December 4, 2004 at 10:16 pm
Posted by Yap (4094 messages posted)

I've read that also...
but this is really weird when you try to execute xfind within command prompt IE browser start?
is the operation of xfind work or not? it need long time process... you should wait until it finished the job
Ok now try this...
copy from your xp cd in its I386 folder a file name command.co_ then paste it to desktop... change the file extension so the file name become command.cab... extract the file to C:\windows\system32\...
then download http://www.dougknox.com/xp/fileassoc/xp_com_fix.zip extract and double click on the reg file to merge it into registry...
then try again...
Start -> Run -> type in: command.com -> type in command prompt window : xfind "jujriohy8oen" C:\*.* /s -> hit enter
hope this time works


[Reply or follow-up to this message]

re: Spyware & IE problems
Saturday, December 4, 2004 at 11:20 pm
Posted by Seth (50 messages posted)

The browser opening was more coincidental than anything else as it opens periodically all day long. I tried the command prompt after adding registry matter and get this C:\pagefile.sys +++ file read error after running xfind "jujriohy8oen" C:\*.* /s.


On Saturday, December 4, 2004 at 10:16 pm, Yap wrote:
>I've read that also...
>but this is really weird... when you try to execute xfind within command prompt,
>the IE browser starts?
>does xfind work or not? it needs a long time to process... you should wait
>until it has finished the job
>Ok now try this...
>copy from your xp cd, in its I386 folder, a file named command.co_ then paste it to
>desktop... change the file extension so the file name becomes command.cab... extract
>the file to C:\windows\system32\...
>then download http://www.dougknox.com/xp/fileassoc/xp_com_fix.zip
>extract and double click on the reg file to merge it into registry...
>then try again...
>Start -> Run -> type in: command.com -> type in command prompt
>window : xfind "jujriohy8oen" C:\*.* /s -> hit enter
>hope this time works

[Reply or follow-up to this message]

re: Spyware & IE problems
Sunday, December 5, 2004 at 2:00 am
Posted by Seth (50 messages posted)

I have found four other websites where people have the same problem as me however, no solution as yet. I hope there will be a fix!


On Saturday, December 4, 2004 at 11:20 pm, Seth wrote:
>The browser opening was more coincidental than anything else as it opens periodically
>all day long. I tried the command prompt after adding registry matter and get this
>C:\pagefile.sys +++ file read error after running xfind "jujriohy8oen" C:\*.* /s.
>
>
>

[Reply or follow-up to this message]

re: Spyware & IE problems
Sunday, December 5, 2004 at 2:03 am
Posted by Yap (4094 messages posted)

that indicated nothing wrong was found
could you run AboutBuster in normal mode now ?
after AboutBuster... run hijackthis one more time let me see the rest of the problem


[Reply or follow-up to this message]

re: Spyware & IE problems
Sunday, December 5, 2004 at 2:19 am
Posted by Ms. Eagle (33507 messages posted)


You've had your Winsock settings hijacked, so that's what needs to be fixed yet. 
This is a Winsock hijacker: O10 - Unknown file in Winsock LSP. 

Download and run LSPFix. Remove this file only: gapsp.dll You'll need to answer 
YES you know what you're doing. Direct download: 
LSPFIX.ZIP
The download is from this page: LSPFIX.ZIP 
LSPFIX (Winsock2 repair utility) - Screenshot

I'd fix these entries in HJT also:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab

Dealing with Unwanted Spyware and Parasites

[Reply or follow-up to this message]

re: Spyware & IE problems
Sunday, December 5, 2004 at 11:12 pm
Posted by Seth (50 messages posted)

I have done as requested with LSPfix. I will keep thread posted as to how this went. Here is copy of my HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 6:12:58 PM, on 6/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DkLog.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\dkcktkn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BPALogin\BPALogin.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dr Gothic\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe
O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: BPALogin.lnk = C:\Program Files\BPALogin\BPALogin.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://nsw-chat.telstra.com/java/cr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093177363265
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


On Sunday, December 5, 2004 at 2:19 am, Carol J wrote:
>
>You've had your Winsock settings hijacked, so that's what needs to be fixed yet.
>This is a Winsock hijacker: O10 - Unknown file in Winsock LSP.
>
>Download and run LSPFix. Remove this file only: gapsp.dll You'll need to answer
>YES you know what you're doing. Direct download:
>LSPFIX.ZIP
>The download is from this page: LSPFIX.ZIP
>LSPFIX (Winsock2 repair utility) - Screenshot
>
>I'd fix these entries in HJT also:
>
>O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
>O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
>O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
>
>Dealing with Unwanted Spyware and Parasites

[Reply or follow-up to this message]

re: Spyware & IE problems
Monday, December 6, 2004 at 1:05 am
Posted by Seth (50 messages posted)

I have done what Carol J has mentioned to do. AboutBuster found nothing. HJT log posted in response to Carol J. After two and a half hours of no pop, just now my browser started and opened up the following page http://best.globosearch.com. The problem still exists. =(


On Sunday, December 5, 2004 at 2:03 am, Yap wrote:
>that indicated nothing wrong was found
>could you run AboutBuster in normal mode now ?
>after AboutBuster... run hijackthis one more time let me see the rest of the
>problem

[Reply or follow-up to this message]

re: Spyware & IE problems
Monday, December 6, 2004 at 1:13 am
Posted by Seth (50 messages posted)

After completing all associated tasks, running Spybot, spyblaster, zone alarm & norton constantly my browser still managed to start itself and open up the following page http://best.globosearch.com. The problem still exists. =(


On Sunday, December 5, 2004 at 2:19 am, Carol J wrote:
>
>You've had your Winsock settings hijacked, so that's what needs to be fixed yet.
>This is a Winsock hijacker: O10 - Unknown file in Winsock LSP.
>
>Download and run LSPFix. Remove this file only: gapsp.dll You'll need to answer
>YES you know what you're doing. Direct download:
>LSPFIX.ZIP
>The download is from this page: LSPFIX.ZIP
>LSPFIX (Winsock2 repair utility) - Screenshot
>
>I'd fix these entries in HJT also:
>
>O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
>O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
>O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
>
>Dealing with Unwanted Spyware and Parasites

[Reply or follow-up to this message]

re: Spyware & IE problems
Monday, December 6, 2004 at 3:12 am
Posted by Yap (4094 messages posted)

run msconfig -> startup tab -> uncheck ...
C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe
and
C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe
Ok
this will temporarily disable all Rainbow Service
just let's see whether globosearch comes back or not... this is the way to prove that Rainbow is clean.


[Reply or follow-up to this message]

re: Spyware & IE problems
Monday, December 6, 2004 at 7:30 am
Posted by Ms. Eagle (33507 messages posted)


Seth, this is strange. There's nothing in your log that indicates a hijacking, now 
that you've fixed those Winsock entries. I'd give this new, highly recommended, program 
a run, A²:
a-squared free

You've been at this for days, so if the problem still exists, I suggest registering
on a malware support forum, so the experts can help resolve this. We're not malware 
experts. Let them know about these entries, and that you ran the LSPFix.

O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll

"Announcement: **Before You Post, Read-Follow These Rules and Guidelines" 
ComputerCops forums

SpywareWarrior forums

In the meantime, clear out ALL your temp folders. Go into Internet Options - delete 
TIF and choose 'delete all Offline content'. Empty C:\Windows\temp folder and C:\temp 
folder, if you have one. XP-> C:\Documents and Settings\username\Local Settings\Temp 
(for all users). Empty Recycle Bin.

Additionally, download this .reg file to your Desktop. Double-click on it and answer 
Yes, to merge into your registry. It will restore all the default Search settings 
for IE. 
SpywareInfo- IEFIX.reg

Dealing with Unwanted Spyware and Parasites

[Reply or follow-up to this message]
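
An added example, not part of any post in this thread and not HijackThis's own code: a small Python triage script that groups HijackThis log entries by section code and counts the O10 "Unknown file in Winsock LSP" lines per DLL, the kind of entry LSPFix was used on above. The sample log is constructed from entries quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, built from entries quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

# An entry starts with a section code such as R1, O4 or O10, then " - ".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (.+)$", re.IGNORECASE)

def parse_entries(text):
    """Group entries by section code; header and process lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            groups[m.group(1)].append(m.group(2))
    return groups

def unknown_lsp_files(groups):
    """Count O10 'unknown LSP' lines per DLL path, ignoring case."""
    counts = Counter()
    for body in groups.get("O10", []):
        m = LSP_RE.match(body)
        if m:
            counts[m.group(1).lower()] += 1
    return counts

if __name__ == "__main__":
    groups = parse_entries(SAMPLE_LOG)
    for code, bodies in groups.items():
        print(f"{code}: {len(bodies)} entr{'y' if len(bodies) == 1 else 'ies'}")
    for path, n in unknown_lsp_files(groups).items():
        print(f"Unknown Winsock LSP file, listed {n}x: {path}")
```

Collapsing the repeated O10 lines to one path with a count shows at a glance that a single DLL accounts for all of them, which is what the "remove this file only" instruction in the thread relies on.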

All content at Annoyances.org is Copyright © 1995-2009 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.