MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Computer Support Forums: Internet & Network Support: Security & Viruses

Topic: stubborn spyware  (Read 8489 times)
jeffcox
« on: September 08, 2004, 03:13:10 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows XP
Problem Application Name & Version:
Problem Hardware Make & Model: HP 1.4 Ghz
Error Messages:

This is for Benditup...

Benditup,

I have a stubborn spyware problem.

Spybot scans clean and so does Adaware.  But Norton is still finding stuff but is not able to remove them.  And there is a program called Bazooka that is finding the following threats:
PGSTUB, PROMULGATE, PROMULGATE.pcsvc, ShopAtHomeSelect (i.e. GoldenRetriever), TvMedia.tvmbho, WebSavings.

I have used the manual instructions to clean the machine of these (both registry entries and program/directories).  All instructions seem to work except the TVMedia one... I can watch it reappear in the registry after I wipe out the value as instructed by the removal instructions and the programs cannot be deleted.  But, then, when I run the Bazooka tool again, all of them are still reported... although the TVMedia is the only thing that remains in the registry and the directories.

Here is the HijackThis log.  I was hoping to see the stuff disappear from the HijackThis log as I cleaned the machine of these items using the uninstall instructions.  But, I'm frustrated with it now.  Can you give me a hand finishing the cleaning?

Logfile of HijackThis v1.98.0
Scan saved at 10:52:32 PM, on 9/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Utilities\HiJackThis1.98\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat 1.3 - http://jcs.chat.dcn.yahoo.com/c174/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.ritzpix.com/upload/XUpload.ocx
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab

Thanks,
Jeff
Pancake (Global Moderator)
« Reply #1 on: September 08, 2004, 03:36:21 AM »
Hi Jeff
Close your browser window, run HJT in safe mode and fix these items. Any files/folders that I have highlighted will also need to be removed from your hard drive as well as from the log. Make sure to have your system set to show hidden files and folders: www.xtra.co.nz/help/0,,4155-1916458,00.html . Post a new log when finished....

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe

An Australian Member of

EDDY
jeffcox
« Reply #2 on: September 08, 2004, 04:32:39 AM »

Pancake, I cannot delete the files in the TV Media and zSearch directories until I have gotten rid of the "HKCU\..\Run" keys in the log too, can I?  Please advise...

And this guy LOVES that Yahoo Companion thing.  Does that affect your desire to delete those "R" entries?


Thanks,
Jeff
« Last Edit: September 08, 2004, 04:34:32 AM by jeffcox »

Pancake (Global Moderator)
« Reply #3 on: September 08, 2004, 04:41:02 AM »

You can keep Yahoo. Just see if you can get rid of the TVMedia folder.
jeffcox
« Reply #4 on: September 08, 2004, 04:43:15 AM »

Do you agree with me that I should get rid of the "HKCU\..\Run" stuff too?

Sorry to be a pest...

Jeff
Pancake (Global Moderator)
« Reply #5 on: September 08, 2004, 05:47:55 AM »

Yes carry on...
jeffcox
« Reply #6 on: September 09, 2004, 02:10:23 AM »

OK.  I have followed your instructions and am now free of the TvMedia plague.  I scanned with Bazooka again and am now down to one single threat reported from that program... "ShopAtHomeSelect".  I have been scanning with Norton in safe mode to try to find if any of that stuff has disappeared and I still have a bunch of stuff that Norton reports and that Norton cannot remove (even in safe mode).  I have attached an "rtf" file (in a ZIP file called norton2.rtf) of screen prints to show you what Norton is complaining about.  Note: The screen prints came out lousy... you'll see what I mean... but the information is there.  This IS THE TOUGHEST PC I've ever encountered...

I'm real close to finishing up on my friend's PC but I am really concerned about Norton's behavior.  

Download Attachment: norton2.zip 137.98 KB
benditup
« Reply #7 on: September 09, 2004, 02:20:53 AM »

Hi Jeff, I have a feeling that these 2 posts are related:
http://www.mytechsupport.ca/index.php?option=com_smf&Itemid=42&topic=5022
jeffcox
« Reply #8 on: September 09, 2004, 02:25:44 AM »

What a dumb-bell... I forgot to give you guys the latest HijackThis log...

Logfile of HijackThis v1.98.0
Scan saved at 9:48:15 PM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\Program Files\Bazooka Spyware Scanner\spywarescanner.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Utilities\HiJackThis1.98\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat 1.3 - http://jcs.chat.dcn.yahoo.com/c174/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.ritzpix.com/upload/XUpload.ocx
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
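
The triage Pancake did by hand in Reply #1 (pick out the autostart and browser-hook entries that do not belong) and the before/after comparison of the two logs Jeff has now posted can both be scripted. The block below is an added example, not code from this thread or from the HijackThis project. It parses the R3/O2/O3/O4 lines of a HijackThis log, flags every entry whose module lives outside an allowlist of install directories, and diffs two logs to report what was removed and what is still flagged. The allowlist is an assumption: it is a per-host list the analyst builds from paths already vetted on that machine (here, a few taken from Jeff's log), not a universal one. The two sample logs are constructed from a handful of lines in the shape of the ones above, with the HKCU copy of the TV Media entry deliberately left in the "after" log to show how a half-finished cleanup surfaces.

```python
"""Triage and diff HijackThis logs (added example; not from the thread)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    section: str   # HijackThis section: "R3", "O2", "O3" or "O4"
    location: str  # Run key + value name for O4; hook/BHO/toolbar name otherwise
    path: str      # module the entry loads, lower-cased ("" if not recognised)
    raw: str       # the original log line


# ASSUMPTION: per-host allowlist of install roots the analyst has vetted.
# Built from trusted paths in the log above; it is not a universal list.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\system\\",
    "c:\\program files\\common files\\symantec shared\\",
    "c:\\program files\\norton antivirus\\",
    "c:\\program files\\yahoo!\\",
)

# First drive-letter path ending in a loadable module, quoted or not.
_MODULE_RE = re.compile(r'"?([a-z]:\\[^"]*?\.(?:exe|dll|ocx|scr))', re.I)
# O4 - HKLM\..\Run: [value name] command line
_O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample in the shape of the two logs posted above (not the full logs).
BEFORE_LOG = r"""
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""
# "After" log with the HKCU copy deliberately left behind (a half-finished cleanup).
AFTER_LOG = r"""
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""


def _module_path(text: str) -> str:
    m = _MODULE_RE.search(text)
    return m.group(1).lower() if m else ""


def parse_hjt(text: str) -> list[Entry]:
    """Parse the autostart (O4) and browser hook (R3/O2/O3) lines of a log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O4":
            m = _O4_RE.match(line)
            if m:
                loc = f"{m['key']} [{m['name']}]"
                entries.append(Entry("O4", loc, _module_path(m["cmd"]), line))
        elif section in ("R3", "O2", "O3"):
            # "R3 - URLSearchHook: (no name) - {CLSID} - C:\...\TvmBho.dll"
            parts = line.split(" - ")
            entries.append(Entry(section, parts[1], _module_path(parts[-1]), line))
    return entries


def is_suspicious(entry: Entry, trusted=TRUSTED_PREFIXES) -> bool:
    """Flag anything that loads from outside the vetted install roots."""
    return not entry.path or not entry.path.startswith(trusted)


def triage(text: str, trusted=TRUSTED_PREFIXES) -> list[Entry]:
    """Entries a human should look at; the script never decides what to delete."""
    return [e for e in parse_hjt(text) if is_suspicious(e, trusted)]


def diff_logs(before: str, after: str, trusted=TRUSTED_PREFIXES):
    """Return (log lines gone since 'before', entries still flagged in 'after')."""
    before_raw = {e.raw for e in parse_hjt(before)}
    after_entries = parse_hjt(after)
    removed = sorted(before_raw - {e.raw for e in after_entries})
    still_flagged = [e for e in after_entries if is_suspicious(e, trusted)]
    return removed, still_flagged


if __name__ == "__main__":
    for e in triage(BEFORE_LOG):
        print("FLAG ", e.section, e.location, "->", e.path)
    gone, still = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(gone)} entries gone, {len(still)} still flagged")
    for e in still:
        print("STILL", e.raw)
```

Run against the two full logs in this thread, the script also flags things that are simply not on the allowlist (the HP toolbar DLL, the Spybot helper under its short 8.3 path), which is the intended behaviour: the allowlist is per host, and the output narrows what a person reads rather than replacing the judgement Pancake applied. Note what it cannot see: a value that reappears seconds after deletion, as Jeff described for TV Media, means a running process is rewriting it, and no log parser fixes that; the process has to be stopped (safe mode, as Pancake advised) before the key and the folder are removed.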

jeffcox
« Reply #9 on: September 09, 2004, 02:29:47 AM »

Yes Benditup.  The two open posts are for the same computer.  I really saw the Spybot S&D being something that, if we found something, it shouldn't be buried in a larger post that no one would bother to read.

Thanks,
Jeff
benditup
« Reply #10 on: September 09, 2004, 03:07:16 AM »

Just out of curiosity
Have you Restarted into Safe Mode
Looked in the Add/Remove Programs for ShopatHome
Possibly WEBHANCER and NCASE and KeenValue for Removal

Just to be on the safe side you should
download WinSock Fix
http://www.spychecker.com/program/winsockxpfix.html
Just in case you lose Internet Connectivity

By the way, the latest Hijackthis is 1.98.2

If everything works out for you
I would remove those Red Clientapps entries that Pancake suggested for removal, you can leave this one
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

Remember that hijackthis makes backups and they can be Restored if needed

The RedClientapps aren't a big threat but they may be associated with RedSheriff spyware.
« Last Edit: September 09, 2004, 03:11:30 AM by benditup »

Pancake (Global Moderator)
« Reply #11 on: September 09, 2004, 03:11:08 AM »

Apart from the Yahoo, the log looks ok.
jeffcox
« Reply #12 on: September 09, 2004, 03:41:10 AM »

1) I looked at this machine before I started my cleaning and recognized that they had a LOT of malware packages that I could take out with Add/Remove programs.  Therefore, that's where I started.  I must have taken out 15 packages of stuff, in its entirety, that I suspected the automated tools would have left behind a lot of "orphaned" stuff after ridding the computer of the "threatening" files.  So, after seeing this family's surfing habits, (it looks like they'd download anything that looks cool and is "free"), I opted to clean the computer as much as possible with Add/remove programs functionality before I turned the automated tools loose on it.  In retrospect, I think this was a wise decision.  By the way, WEBHANCER was "removed" that way even though Norton says there are still pieces of it out there!

And one uninstaller ran indefinitely... it was called "WebSearch".  After more than an hour, I had to kill it.  The automated scanners said they removed it but Norton says there are still pieces of it out there too.

2) Yes the log looks CLEAN but the machine ain't clean.  The boot up is taking over 2 minutes (much better than when I started, longer than 10 minutes).  I need to get that bootup time down so that I can put on a good firewall without putting the bootup back up to 3 minutes or better.  (I'm using the Microsoft firewall for XP until I resolve this issue.)  They bought that Norton 2004 package and it is costing a full minute to come into "automated" mode after it appears in the task bar.  Also, the PC is still very sluggish for a 1.4 Ghz machine after it is fully booted up (especially the Internet access).

3) I told Pancake that this gentleman asked me to "work around" the YAHOO Companion s/w that he is using.  That's why I avoided Pancake's recommendation.  Maybe I'll kill those entries that she suggested and let the cards fall as they may.  We can always reinstall it I guess.

4) I found the average "Recycle Bin" on this machine but I also found a directory called "RECYCLER".  Is this legitimate?  Some of what Norton is finding is lodged in that puppy.

5) And then there's "ShopAtHomeSelect"... what can be done about that &*^%$#?

Thanks,
Jeff  
Pancake (Global Moderator)
« Reply #13 on: September 09, 2004, 03:46:43 AM »

Adaware and Spybot should fix most of this stuff...
jeffcox
« Reply #14 on: September 09, 2004, 03:51:19 AM »

Ad-Aware and Spybot are reporting clean logs.  Both have the latest updates!  (I know what you're thinking Pancake... I'd think the same...)

Ad-Aware gives me a couple of tracking cookies and that's it.

Spybot was whining about "SearchForIt" and "DSO Exploit" so I told it to quit reporting those.

thanks,
Jeff