Aaaaaaaagh spyware...

  The Belarussian Mafia 23:38 11 Dec 2004
Locked

Spybot & Adaware (not to mention Norton A-V) have always sorted out any nasties invidiously sojourning on my HDD. This time not even the above running in safe mode can shift the beast. I gave up a couple of weeks ago, but maybe somebody here has an answer.

The problem may have started when I clicked to reply to a piece of spam purporting to come from ebay. I don't normally click on spam, but this really had the look of authenticity.

The problem: an unsolicited website often pops up behind my open browser. For a while it just listed links to various commercial websites, but when I noticed links to very dodgy chatrooms I decided enough was enough (esp. as the kids have access). I came up with a temporary solution (right-clicking in the window to get the offending address, then putting this in IE's Internet Options / Content Advisor / Settings / Disapproved websites) but this just means the window pops up blank. How can I clear the thing once and for all?

Someday someone out there will come up with a programme that sends something really nasty back to these sites, a la Lycos. I for one will pay good money for it...

  VoG II 23:47 11 Dec 2004

Please post a HJT log click here

You may need to post in "chunks" because of the 800 word limit here.

Also, please double-space by adding a blank line every other line.

  The Belarussian Mafia 23:56 11 Dec 2004

Nice link VoG™. I've left this till too near bed-time: I'll download the file & read the instructions in the morning. Thanks very much.

  CurlyWhirly 16:39 12 Dec 2004

BUMP as I am interested in following the progress of this thread!

  The Belarussian Mafia 17:19 12 Dec 2004

Sorry VoG™ and CurlyWhirly. It will be tomorrow morning now.

  CurlyWhirly 17:21 12 Dec 2004

No need to apologise! Merry xmas.

  The Belarussian Mafia 14:16 13 Dec 2004

Logfile of HijackThis v1.98.2
Scan saved at 13:58:05, on 13/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\NVSVC.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

E:\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

E:\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

E:\ZONEALARM\ZLCLIENT.EXE

E:\ADAPTEC DIRECT CD\DIRECTCD.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

E:\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\RUNDLL32.EXE

E:\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE

E:\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

E:\Norton SystemWorks\Norton CleanSweep\Monwow.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

E:\HIJACKTHIS\HIJACKTHIS.EXE

  The Belarussian Mafia 14:20 13 Dec 2004

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = click here

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = click here

F1 - win.ini: run=hpfsched

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: No description - {60261C06-81B0-4DE0-9313-E5BA203A64E9} - C:\WINDOWS\DOWNLO~1\PDFMGR.DLL

O2 - BHO: 1096965910 - {262277EC-5BB5-4849-8BF2-1824330C9CAC} - (no file)

O2 - BHO: No description - {6375B3AD-4440-4C1F-95E5-A24198ED671C} - C:\WINDOWS\DOWNLO~1\SP1.DLL

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [SourcePath] c:\cabs\gwreg.exe

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Zone Labs Client] E:\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] e:\ADAPTE~1\DIRECTCD.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [NAV Agent] E:\NORTON~1\NORTON~1\NAVAPW32.EXE

O4 - HKLM\..\Run: [NPROTECT] E:\Norton SystemWorks\Norton Utilities\nprotect.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [CSINJECT.EXE] E:\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE

O4 - HKLM\..\RunServices: [NPROTECT] E:\Norton SystemWorks\Norton Utilities\nprotect.exe

O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

  The Belarussian Mafia 14:22 13 Dec 2004

O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = E:\Norton SystemWorks\Norton CleanSweep\CSINSM32.EXE

O4 - Startup: Acrobat Assistant.lnk = E:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: e-Backup 1.42 Scheduler.lnk = E:\Inachis\e-Backup 1.42\eBackup.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - click here

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - click here

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - click here

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - click here

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - click here

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - click here
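As an added example, not part of this thread and not code from HijackThis or any of the helpers here: a small triage script for a HijackThis v1.98-style log like the one posted above. It parses the per-line entry format (section code such as R0, O2, O4 or O16, then a dash and the entry body), pulls out any CLSID, and flags the entries an analyst would normally look at first. The flagging rules are this example's own assumptions, not HijackThis output, and a flag means "inspect this one", not "this is the spyware"; nothing here is a verdict on any entry in the log above. The sample log is constructed from a few of the posted lines, with the forum's "click here" link placeholders kept as they appear.

```python
"""Triage helper for HijackThis (HJT) v1.98-style log lines.

Added example, not part of the forum thread and not HijackThis code.
A flag means "inspect", never "malicious": the rules are assumptions
of this example about which entries are worth a closer look.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the same shape as the log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: No description - {60261C06-81B0-4DE0-9313-E5BA203A64E9} - C:\WINDOWS\DOWNLO~1\PDFMGR.DLL
O2 - BHO: 1096965910 - {262277EC-5BB5-4849-8BF2-1824330C9CAC} - (no file)
O4 - HKLM\..\Run: [SourcePath] c:\cabs\gwreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\ZoneAlarm\zlclient.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - click here
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - click here
"""

# "R0 - ...", "O2 - ...", "F1 - ...": a letter, one or two digits, " - ", body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A COM class id in braces, as HJT prints it for BHOs, toolbars and DPF objects.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O16 entries that carry a class name in parentheses after the CLSID.
O16_NAME_RE = re.compile(r"^DPF: \{[^}]+\} \(([^)]+)\) - ")


@dataclass
class Entry:
    code: str                 # section code, e.g. "O2"
    body: str                 # everything after "O2 - "
    clsid: Optional[str]      # upper-cased CLSID if the body contains one
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Keep only the section entries; headers, blank lines and the
    running-process list (plain paths) do not match ENTRY_RE."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(m.group("code"), body, c.group(0).upper() if c else None))
    return entries


def flag_entry(e: Entry) -> List[str]:
    """Assumed triage rules (this example's, not HijackThis's)."""
    flags = []
    upper = e.body.upper()
    if "(no file)" in e.body:
        # Registry still names the object but HJT found no file behind it.
        flags.append("registered object whose file is missing")
    if e.code == "O2" and e.body.startswith("BHO: No description"):
        # Legitimate BHOs almost always carry a description string.
        flags.append("BHO with no description string")
    if "DOWNLO~1" in upper or "DOWNLOADED PROGRAM FILES" in upper:
        # IE's Downloaded Program Files folder is where web-installed
        # ActiveX code lands, so a BHO living there deserves a look.
        flags.append("loaded from IE's Downloaded Program Files folder")
    if e.code == "O16" and not O16_NAME_RE.match(e.body):
        # A DPF object that registered no class name at all.
        flags.append("DPF object with no class name")
    return flags


def triage(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag."""
    flagged = []
    for e in parse_log(text):
        e.flags = flag_entry(e)
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code} {e.clsid or '-'}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run it and you get three entries to inspect out of the eight sample lines; the Acrobat BHO, the two O4 autoruns and the named PCPitstop DPF object pass untouched. The CLSID is extracted separately because that is what you look up (in a CLSID list or the registry) to decide what an entry actually is before you tick it in HijackThis; the script deliberately stops short of that decision.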

  Como2 16:03 13 Dec 2004

You may have to be patient; one of the spyware hunters will post back, possibly tonight.

  The Belarussian Mafia 17:55 13 Dec 2004

No worries...

This thread is now locked and can not be replied to.
