ARGH! Spyware had taken over!
Jul 18, 2005 at 8:05 AM Post #16 of 91
Quote:

Originally Posted by Wodgy
Laziness works both ways. You're a very sophisticated computer user, and yet you got spyware by using IE. IE just takes more skill to stay safe than even a very above-average user like yourself has. As long as you keep using IE, in all likelihood you'll have to go through all of this again sometime in the future. Sounds like IE is the browser that requires more effort, both in terms of prevention and in terms of recovery.

Also, the "hundreds of plugins" thing sounds like your laziness talking. I can't think of a single feature that IE has except MHTML support that isn't in the default Firefox install. The converse, however, is not true. There are plenty of Firefox features that have no equivalent in the default IE install.



That's what I was thinking too, Wodgy.
 
Jul 18, 2005 at 8:05 AM Post #17 of 91
Quote:

Originally Posted by MisterX
Try Trend's free spyware tool
http://www.trendmicro.com/spyware-scan/

I found it works a little better then Ad-aware does.




THANKS!!!

Just ran it and it found some things that Spybot didn't.

thanks
Garrett
 
Jul 18, 2005 at 8:11 AM Post #18 of 91
Edwood:

Man, this is what happens when you use Microsoft products! The least you could have done was to use Firefox. The plugins are there for your convenience, not annoyance. They are there to assure that you install ONLY WHAT YOU WANT.

And they are easy to manage too - I recommend next time, if you happen to wipe this installation - to only use IE for one thing: To download Firefox.
 
Jul 18, 2005 at 8:29 AM Post #19 of 91
Do what I did when my system jumped the shark:

Say "To H*ll with it!" and reformat your hard drive. Come on, you know you want to!


That ought to get the bastards!

...then become a penitent Firefox user....

And all will be well with the world.

-Matt
 
Jul 18, 2005 at 8:34 AM Post #20 of 91
Is there a one-stop place to download all the Mozilla Firefox plug-ins I'll need to not have to use IE?

I remember Firefox causing problems in the past for me, like with eBay, etc.

Unfortunately, I have no choice but to use Microsoft products as I use Adobe Photoshop and Corel Painter. And this is because I'm not going to switch to a Mac. So no Linux for me.

Fortunately for me, I don't surf with my main workstation, I have a dedicated computer for surfing (the one that is infested). So it's a PITA, but I'm going to have to do a clean install. I keep important data on another computer, my file server, and files on my surfing computer are on another partition and hard drive.

Does any spyware survive on other partitions or HDDs after a clean install of Windows?

-Ed
 
Jul 18, 2005 at 8:36 AM Post #21 of 91
The best thing you can do is run HijackThis and post a log up here (or PM it to me).

Surefire killer of all spyware, :).
 
Jul 18, 2005 at 8:49 AM Post #23 of 91
Quote:

Originally Posted by ayt999
how about using HiJackThis?



OK, I tried HiJackThis.

Anyone make sense of this log?

Quote:

Originally Posted by HiJackThis
Logfile of HijackThis v1.99.1
Scan saved at 1:47:53 AM, on 7/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe
C:\WINNT\system32\digi96.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINNT\system32\WTablet\TabUserW.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\explorer.exe
F:\Programs\Mozilla Firefox\firefox.exe
F:\Downloads\Adaware\hijackthis\HijackThis.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsv14.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\system32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RMETray] digi96.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINNT\system32\richup.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0029.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe



These guys look suspicious.

O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINNT\system32\richup.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe


-Ed
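As an added example (not part of the original thread or of HijackThis itself), the triage Ed did by eye can be written down as a script: parse the log, skip the "Running processes" block, and flag O2/O3/O4 entries that load an unrecognised binary from the Windows directory, O16 download objects that point at a raw .exe, and O23 services with no vendor string. The allowlist of vendor binaries is constructed from the items this thread identified as legitimate (Creative, ATI, Kaspersky, Wacom, Google, Adobe, Microsoft), and the sample lines are copied from the posted log; both are assumptions for illustration, not a HijackThis feature.

```python
"""Heuristic triage of a HijackThis log: flag the entries an analyst would
look at first, instead of eyeballing the whole log by hand."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


# Constructed allowlist: binaries the thread identified as legitimate vendor
# cruft. Anything loading from the Windows directory that is NOT on it is flagged.
KNOWN_GOOD = {
    "ati2evxx.exe", "ati2sgag.exe", "cli.exe", "ctsysvol.exe", "ctdvddet.exe",
    "cthelper.exe", "ctasio.dll", "sbdrvdet.exe", "updreg.exe", "jusched.exe",
    "qttask.exe", "kwsprod.exe", "kavmm.exe", "nerocheck.exe", "digi96.exe",
    "mobsync.exe", "msdxm.ocx", "googletoolbar1.dll", "acroiehelper.dll",
    "tabuserw.exe", "tablet.exe", "osa.exe", "dmadmin.exe", "adobelmsvc.exe",
    "npjpi150_02.dll",
}
LOADERS = {"rundll32.exe", "regsvr32.exe"}   # host processes, not payloads

SECTION_RE = re.compile(r"^(O\d+) - ")
BINARY_RE = re.compile(r"[\w.~\-]+\.(?:exe|dll|ocx)\b", re.I)
DRIVE_RE = re.compile(r"[a-z]:\\", re.I)
WINDIR_RE = re.compile(r"[a-z]:\\win(?:nt|dows)\\", re.I)
EXE_URL_RE = re.compile(r"https?://\S+\.exe\b", re.I)


def binaries(line: str) -> list[str]:
    """Lower-cased basenames of every exe/dll/ocx on a line, in order, deduplicated."""
    return list(dict.fromkeys(m.group(0).lower() for m in BINARY_RE.finditer(line)))


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue                      # header and "Running processes" lines
        section = m.group(1)
        payload = [b for b in binaries(line) if b not in LOADERS]
        unknown = [b for b in payload if b not in KNOWN_GOOD]
        # A bare filename (no drive letter) resolves from the system directories,
        # so it is treated like an explicit C:\WINNT\... path.
        in_windir = bool(WINDIR_RE.search(line)) or not DRIVE_RE.search(line)
        if section in {"O2", "O3", "O4"} and unknown and in_windir:
            findings.append(Finding(section, "unrecognised binary loading from the "
                                    "Windows directory: " + ", ".join(unknown), line))
        elif section == "O16" and EXE_URL_RE.search(line):
            findings.append(Finding(section, "ActiveX download object pointing at a raw .exe", line))
        elif section == "O23" and "Unknown owner" in line and unknown:
            findings.append(Finding(section, "service with no vendor string and an "
                                    "unrecognised binary", line))
    return findings


# Sample input: lines copied from the log posted above (constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsv14.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\system32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINNT\system32\richup.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0029.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the sample it flags the three unknown BHOs, the five Run entries Ed and the later posters picked out (PSof1, cfgmgr52, richup, exp.exe, wintask), and the pacimedia .exe download object, while leaving the Acrobat, Google, Kaspersky, Office and iTunes .cab entries alone. The allowlist is the weak point, as it is for any human reviewer: a name you have never seen is only "suspicious", not "malicious", and a familiar name in an unfamiliar directory is the case this script deliberately treats as unknown.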
 
Jul 18, 2005 at 9:04 AM Post #27 of 91
Not done yet....
Wintask.exe is a process which is registered as the W32.Navidad.16896 (Symantec) worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment.

I hate to say it, but you might want to format after that one, because it's a bit*h to get off your system once it has done its thing.

BTW richup.exe is also spyware.
 
Jul 18, 2005 at 9:44 AM Post #28 of 91
OK, got rid of all those.

Also got rid of a couple of useless processes. There is an ATI one that is a total waste, it's the Hot Keys one.

Format?

Does that mean format my entire hard drive? Including all partitions? Other drives too?

Wintask.exe looks suspicious, but I haven't had any of those smiley face thingies that worm is supposed to cause. Probably because I don't use Outlook.

I got rid of it anyway.

Well, I'm going to reboot and see if anything pops up again.

-Ed
 
Jul 18, 2005 at 10:10 AM Post #30 of 91
Quote:

Format?


Format only works for logical drives so that rules out erasing your partitions with it.


Quote:

Wintask.exe looks suspicious, but I haven't had any of those smiley face thingy's that worm is supposed to cause. Probably because I don't use Outlook.


Good point.
I should have said IF the W32.Navidad.16896 (Symantec) worm had done its thing... there is a careful distinction between the two.


More stuff you can kill from the startup folder:
UpdReg.EXE, Creative's useless registration tool.
CTDVDDet.EXE, automatically detects and plays DVDs with Creative's software.
CTHELPER.EXE, useless now that WinDVD has an audio driver that works.
qttask.exe, annoying system tray icon for QuickTime that doesn't really do anything.
osa.exe, Office startup assistant. It does help with some networking commands, but as a whole it is pretty useless.
 
