johnprice Newbie
Joined: 23 Mar 2005 Last Visit: 31 Mar 2005 Posts: 4
Posted: Wed Mar 23, 2005 4:09 am Post subject: Infected or not?
Greetings, I'm quite new at this. I recently obtained a trial version of Spyware Doctor and it told me I had Zestyfind, and of course asked me to purchase the full product to delete it. However, I also ran updated versions of Adaware, Spybot, the beta of Microsoft's antispyware, and a trial version of XSOFTSPY and they showed nothing. I then tried downloading one or two trials of other products and they each pointed out one nasty or other that nothing else had found.
I'm probably just being paranoid because there are no symptoms that my computer is infected, but having looked around spywarewarrior I wonder if the HijackThis log will show anything to you good people. Many thanks for looking.
I'm running a fully updated XP SP2, and use Zonealarm (free version) and McAfee Virusscan.
Logfile of HijackThis v1.99.1
Scan saved at 11:47:03, on 23/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Forcopy\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.plus.net/index_nlp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.plus.net/index_nlp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 03 Mar 2011 Posts: 10886 Location: Ontario
Posted: Wed Mar 23, 2005 9:32 pm
Hi johnprice and welcome.
Your log shows no indication of infection.
Spyware Doctor results.....any chance it shows the file or registry path to its detected item?
If so....can you post here what it is please?
Possible it is a false positive.
I'm pretty confident if Ad-Aware, Spybot, MS/AS show nothing then you are most likely clean.
Looks like you tried Pest Patrol?....one of the other products that show results?
They are known for several false positives.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009
If we have helped you please consider a donation Thank You
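As an added example (not part of this thread, and not HijackThis's own code), here is a small Python parser for the log format posted above. It splits a log into the running-process list and the numbered sections, cross-checks each O4 Run entry's executable against the running processes, and lists O23 services whose owner HijackThis reported as "Unknown owner", which is the kind of entry a helper would verify by hand. The sample input is a constructed excerpt of the log above.

```python
import re
from collections import defaultdict

# Constructed sample: a short excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rmctrl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r".*: \[([^\]]+)\] (.*)$")    # Run-key entries only, not Global Startup .lnk lines

def parse_hjt(text):
    """Split a log into (running process paths, {section code: [entry bodies]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif (m := ENTRY_RE.match(line)):
            in_procs = False          # first numbered entry ends the process list
            entries[m.group(1)].append(m.group(2))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def run_image(command):
    """The executable a Run-key command launches: the quoted path, else the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return m.group(1) or m.group(2)

def basename(path):
    """Case-folded file name, so 8.3 and long-name paths compare alike."""
    return path.rsplit("\\", 1)[-1].lower()

def autostarts_not_running(text):
    """Names of O4 Run entries whose image is not in the process list (run-once helpers are normal here)."""
    processes, entries = parse_hjt(text)
    running = {basename(p) for p in processes}
    found = [RUN_RE.match(b) for b in entries["O4"]]
    return [m.group(1) for m in found if m and basename(run_image(m.group(2))) not in running]

def services_unknown_owner(text):
    """O23 services whose vendor HijackThis could not identify: worth verifying the binary by hand."""
    _, entries = parse_hjt(text)
    out = []
    for body in entries["O23"]:
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3 and parts[1] == "Unknown owner":
            out.append(parts[0].replace("Service: ", "", 1))
    return out
```

On the full log above, an entry flagged as not running (such as nwiz.exe, which runs at install time and exits) is not evidence of anything by itself; the lists are a starting point for the manual review blender describes, not a verdict.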
johnprice Newbie
Joined: 23 Mar 2005 Last Visit: 31 Mar 2005 Posts: 4
Posted: Thu Mar 24, 2005 2:38 am
Many thanks for the response (and the welcome).
The path was C:\documents and settings\john\local settings\temporary internet files\content.ie5\dv80g204\hbe(1).js
But the relevant "my temporary internet files" folder doesn't have any subfolders at all let alone "content.ie5" - and I do have it set to show hidden files and folders.
Yes, Pest Patrol was another that I tried - and that drew a blank as well.
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 03 Mar 2011 Posts: 10886 Location: Ontario
Posted: Thu Mar 24, 2005 11:04 am
Hi again John,
finding a path like that can be frustrating...
You can delete everything you see in the Temporary Internet Files folder
then....
Open Internet Options in Control Panel
click "Delete Files", check "delete offline content" and OK.
wait till the hourglass stops.....
Run Disk Cleanup and have only these checked:
Temporary internet files
Temporary files
Recycle bin
Then OK
Wait for the hourglass to stop....and that file should be gone.
Disk Cleanup...how to get there...
Start> Programs> Accessories> System Tools> Disk Cleanup.
Or
Start> Run> cleanmgr [enter]
The fact you have fairly good protection and SP2 installed is likely the reason why Zestyfind didn't get installed.
LMK if that takes care of the Spyware Doctor detection.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009
If we have helped you please consider a donation Thank You
johnprice Newbie
Joined: 23 Mar 2005 Last Visit: 31 Mar 2005 Posts: 4
Posted: Thu Mar 24, 2005 12:55 pm
Cheers mate
For what it's worth I just ran Spyware Doctor again, and it found nothing.
Closure here I think.
Thanks for the responses.
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 03 Mar 2011 Posts: 10886 Location: Ontario
Posted: Thu Mar 24, 2005 2:10 pm
Good to hear.
A few future protection apps/tips I use to stay clean...:
You have done some of the following but it never hurts to check.
IE-Spyad <--this puts several thousand sites in the restricted zone for IE. If you happen on a site within its list they can't hijack you or install anything.
Program is free and updated about once a month.
Please follow the readme instructions for install...it is a little different.
Single user XP PC use IE-Spyad1
Multi user XP PC use IE-Spyad2
All other OS use IE-Spyad1
Spywareblaster <--this prog blocks known bad ActiveX controls, many tracking cookies and puts more sites in the restricted zone.
Install> update> enable all protection.
Updates are about once a month and it is free.
Spywareguard <--this program watches for any changes to your home/search pages for IE. If something (including you) tries to make changes, you will be alerted with a popup giving you the option to keep the change or revert to the previous settings.
Install> update. It should prompt you to start the program.
Takes few resources and is also free.
Using a hosts file will greatly increase security. Many of those flashy annoying ads on websites will not display and it blocks access to thousands of sites entirely.
Info and how to install:
http://www.mvps.org/winhelp2002/hosts.htm
Keep a firewall running at all times. I use Zone Alarm. A free version can be downloaded here:
Free zone alarm
Remember to keep up with your Windows updates including Office.
Remember to keep your antivirus up to date.
Keeping all your security up to date
IE settings for increased security
Confused which antispyware is good or bad?
And finally...more security reading..: Protect your Computer
Happy surfing!
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009
If we have helped you please consider a donation Thank You
johnprice Newbie
Joined: 23 Mar 2005 Last Visit: 31 Mar 2005 Posts: 4
Posted: Fri Mar 25, 2005 2:36 am
Thanks again - I already had a hosts file, Spywareblaster, and Zone Alarm in place - now added IE-SPYAD and Spyware Guard.
What are the views on Microsoft's Anti Spyware beta? I just ran it after the latest update to Adaware found a couple of cookies (but I didn't delete them straight away) - and it failed to report them.
It would be nice to have one piece of software that did all the work!