mbressman

AOL Spyware Search Questions

4 posts in this topic

Hi,

On my primary computer (Dell Inspiron 8200 P4-2 GHz running Windows XP Pro SP1), I tend to be very careful of what I download and allow to run, as I don't want to be infected or contaminated with any viruses, spyware, adware, or anything else that could put that computer or its contents at risk. I recently upgraded to AOL 9.0 SE and apparently it came with a spyware checker. For whatever reason, the AOL spyware checker defaulted to a scan every Thursday at around 6:47 PM or so. The scan started yesterday, and I decided it couldn't hurt to let it finish (while I went to play some golf ;) ). Upon returning to my computer, I was dismayed to find that it had picked up 3 possible spyware programs: Alexa (labeled Surveillance Software by AOL), Diablo Keys (labeled Keylogger by AOL), and SaveNow (labeled Adware, Drive by Download, and Surveillance Software by AOL). Unfortunately (although not very surprising), the scan program doesn't provide any further information about the location of the suspected spyware or specific information about it, but simply gives the option of blocking its ability to run or allowing it. I figured this would be a good point to go a bit in-depth to make sure I wasn't infected with anything, so I downloaded and ran Spybot. Even more surprising was that Spybot came back with a bunch of possible spyware detections, including a ton of cookie ones, an Alexa-related one (C:\windows\web\related.htm), a registry one involving All-In-One Telecom, and 5 possible DSO Exploits in the registry.

At this point, I'm not really sure what to do. I'm a bit hesitant to let Spybot or AOL's Spyware program make any changes on my computer, but on the other hand, I don't want to leave myself vulnerable or infected. Also, from my brief research, it appears some of these aren't spyware at all (like the Alexa thing, which looks like it's a normal operation of the "show related links" function of IE, or the DSO exploits, which simply appear to be possible security holes... I'm very careful to keep my system upgraded with the latest Windows Updates, but am not too keen on installing patches that aren't put out by Microsoft).

Can someone provide some advice or help regarding the possible infections found by both AOL's Spyware Search and by Spybot's search? I'd be more than happy to provide additional information (such as a copy of what Spybot has found or a StartupList log). I'm also attaching the HijackThis log below in case it is necessary or useful (or in case there is even more stuff in there that is spyware that I'm not aware of or wasn't picked up in either of these searches). Thanks in advance for any and all help!

HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 4:40:07 AM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\microsoft ActiveSync\wcESCOMM.EXE
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\PGtGM\POP Goes the Gmail.exe
C:\Program Files\Microsoft Office Shortcut Bar\Office10\msoffice.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\MSTSC.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\AOL\AOL Spyware Protection\ASP.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\System32\cmd.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Marc Bressman\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O1 - Hosts: 208.253.158.227 ROC16
O1 - Hosts: 208.253.158.228 ROC17
O1 - Hosts: 208.253.158.239 ROC47
O1 - Hosts: 208.253.158.240 ROC48
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EPSON Stylus C64 Series on condor (from BRESSMANM1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P51 "EPSON Stylus C64 Series on condor (from BRESSMANM1)" /O5 "TS003" /M "Stylus C64"
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\program files\microsoft ActiveSync\wcESCOMM.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office Shortcut Bar\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: POP Goes the Gmail.lnk = C:\Program Files\PGtGM\POP Goes the Gmail.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra button: Offline (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/...eAutoLaunch.ocx
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://127.0.0.1/tsweb/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7645.8677314815
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_7.cab

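The log above is the kind of thing a reviewer triages mechanically before deciding anything: O1 lines are hosts-file overrides, O2 lines are browser helper objects (an entry ending in "(no file)" is a registration whose DLL is gone), O4 lines are autoruns, and O16 lines are ActiveX controls that were installed from the web. The script below is an added example, not part of this post and not part of HijackThis, that applies a few such first-pass rules to the log format. The sample lines are constructed from the entry types shown above (the activex.example.invalid entry and its CLSID are invented), and the trusted-host list is an assumption for the example. It only sorts entries for a human to look at; it does not decide what is malicious.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in HijackThis v1.97 log format. Entry types mirror the
# posted log; the activex.example.invalid line is invented for the example.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 208.253.158.227 ROC16
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://127.0.0.1/tsweb/msrdp.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://activex.example.invalid/ctl.cab
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")          # "O4 - ..." entry lines
RUN_RE = re.compile(r"Run: \[[^\]]*\]\s*(.*)$")        # command after the [name]
HOSTS_RE = re.compile(r"Hosts:\s+(\S+)\s+(\S+)")       # "Hosts: <ip> <name>"

# Hosts from which O16 (DPF) ActiveX downloads are treated as expected vendors.
# Assumption for the example: adjust to the machine being reviewed.
TRUSTED_DPF_HOSTS = {
    "office.microsoft.com",
    "v4.windowsupdate.microsoft.com",
    "download.macromedia.com",
    "fpdownload.macromedia.com",
    "www-secure.symantec.com",
}


def parse_entries(text):
    """Return (section, body) pairs for every 'Xn - ...' entry; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def launched_executable(command):
    """Pull the program out of an O4 command line: a quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(text):
    """Apply review rules to a HijackThis log; returns a list of (section, reason, body)."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O1":
            # Anything beyond the default localhost line redirects name resolution.
            m = HOSTS_RE.match(body)
            if m and m.group(1) != "127.0.0.1":
                findings.append((section, "hosts override", body))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append((section, "orphaned BHO registration", body))
        elif section == "O4":
            m = RUN_RE.search(body)
            if not m:
                continue
            exe = launched_executable(m.group(1)).lower()
            if "\\" not in exe:
                # Bare filename: resolved through the PATH search at logon.
                findings.append((section, "unqualified autorun path", body))
            elif exe.startswith("c:\\windows\\") and exe.count("\\") == 2:
                # Directly in the Windows root rather than a system or product folder.
                findings.append((section, "autorun in Windows root", body))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            host = (urlparse(url).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((section, "ActiveX download from unlisted host", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:36} {body}")
```

Each finding is a prompt to look closer, not a verdict. The 127.0.0.1 msrdp.cab entry, for instance, is consistent with the local IIS instance (inetinfo.exe) visible in the process list, which is exactly the sort of context a rule cannot supply.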

As a follow-up, I manually attempted to remove all the cookies found by Spybot via the C:\documents and settings\<username>\local settings\temporary internet files\ folder, since I figured that deleting cookies really couldn't do me any harm. I was able to find and remove almost all of them, except for the following, which I could not seem to locate:

SpyHunter popups
Cookie:<my name>@www.enigmasoftwaregroup.com/affiliate5/ ()

WebTrends live
Cookie:<my name>@statse.webtrendslive.com/dcs50w0haerp17368wkcsn8pc_6z4i ()
Cookie:<my name>@statse.webtrendslive.com/S139232 ()
Cookie:<my name>@statse.webtrendslive.com/S130376 ()
Cookie:<my name>@statse.webtrendslive.com/dcsi8dupuerp17vzhd59b2lwc_8u5u ()
Cookie:<my name>@statse.webtrendslive.com/S0012-01-1-7-217494-47679 ()
Cookie:<my name>@statse.webtrendslive.com/dcs0a6c5z01e5he4q2xtr8sax_8v9e ()
Cookie:<my name>@statse.webtrendslive.com/S0014-01-2-16-217494-54117 ()
Cookie:<my name>@statse.webtrendslive.com/dcsxx9nthdrp17fja823qwk9f-9k9t ()
Cookie:<my name>@statse.webtrendslive.com/dcskqeg2voifwznnd6alhtnei_8f3u ()
Cookie:<my name>@statse.webtrendslive.com/dcscws67x11e5he8tnywaihz2_7g7r ()
Cookie:<my name>@statse.webtrendslive.com/S111609 ()
Cookie:<my name>@statse.webtrendslive.com/S119702 ()

Any ideas why I couldn't find these and yet why Spybot is still picking them up?

Thanks!

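Internet Explorer 6 on Windows XP keeps cookies under %USERPROFILE%\Cookies as one plain-text file per site, named <user>@<domain>[n].txt, which is a different folder from Temporary Internet Files; the "Cookie:<user>@<domain>/..." form Spybot reports matches that naming. The script below is an added example, not part of this thread and not Spybot's own logic, that parses that file layout and lists the cookies belonging to a given tracker domain. The two sample files are constructed (names and values are invented; the expiry timestamp is chosen so that it decodes to 2010-01-01), and the nine-line record layout, with FILETIME values split into 32-bit halves, is what the example assumes.

```python
import os
from datetime import datetime, timedelta

# Constructed sample content of two IE cookie files. Each cookie is a 9-line
# record: name, value, domain/path, flags, expiry FILETIME low, expiry FILETIME
# high, creation FILETIME low, creation FILETIME high, then "*" as terminator.
# Names and values are invented; 1550712832/30050933 decodes to 2010-01-01.
SAMPLE_FILES = {
    "marc@statse.webtrendslive.com[1].txt":
        "wt_sample_id\n"
        "203.0.113.7-1234567890\n"
        "statse.webtrendslive.com/\n"
        "1024\n"
        "1550712832\n"
        "30050933\n"
        "0\n"
        "0\n"
        "*\n",
    "marc@example.com[1].txt":
        "session\n"
        "abc123\n"
        "example.com/\n"
        "1536\n"
        "0\n0\n0\n0\n"
        "*\n",
}

FILETIME_EPOCH = datetime(1601, 1, 1)


def filetime_to_datetime(low, high):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601-01-01) into a datetime."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_file(text):
    """Parse the 9-line-per-cookie layout into a list of dicts; raises on a malformed file."""
    lines = text.splitlines()
    if len(lines) % 9 != 0:
        raise ValueError(f"{len(lines)} lines is not a whole number of cookie records")
    cookies = []
    for i in range(0, len(lines), 9):
        rec = lines[i:i + 9]
        if rec[8].strip() != "*":
            raise ValueError(f"missing record terminator at line {i + 9}")
        domain, _, path = rec[2].partition("/")
        cookies.append({
            "name": rec[0],
            "value": rec[1],
            "domain": domain.lower(),
            "path": "/" + path,
            "flags": int(rec[3]),
            "expires": filetime_to_datetime(rec[4], rec[5]),
            "created": filetime_to_datetime(rec[6], rec[7]),
        })
    return cookies


def find_tracker_cookies(files, tracker_domains):
    """Return cookies whose domain is one of tracker_domains or a subdomain of one."""
    hits = []
    for filename, text in files.items():
        for c in parse_cookie_file(text):
            if any(c["domain"] == t or c["domain"].endswith("." + t) for t in tracker_domains):
                hits.append({"file": filename, **c})
    return hits


def load_cookie_dir(path):
    """Read every *.txt file in an IE Cookies folder into {filename: text}."""
    files = {}
    for name in sorted(os.listdir(path)):
        if name.lower().endswith(".txt"):
            with open(os.path.join(path, name), encoding="latin-1") as fh:
                files[name] = fh.read()
    return files


if __name__ == "__main__":
    # Use the real folder when it exists (Windows XP), otherwise the constructed sample.
    cookie_dir = os.path.expandvars(r"%USERPROFILE%\Cookies")
    files = load_cookie_dir(cookie_dir) if os.path.isdir(cookie_dir) else SAMPLE_FILES
    for hit in find_tracker_cookies(files, {"webtrendslive.com", "enigmasoftwaregroup.com"}):
        print(f'{hit["file"]}: {hit["domain"]}{hit["path"]} {hit["name"]} expires {hit["expires"]:%Y-%m-%d}')
```

The domain match is done on the cookie record rather than on the filename, so a cookie set for a subdomain is still caught by its registrable parent. Deleting the file removes the cookie, but IE also keeps an index of cookies in index.dat, which is why a scanner can keep reporting a cookie until that index is rebuilt; the example does not touch it.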

Hi,

I'm not sure what else to do at this point. I've read the FAQ, done a lot of research, and at this point would have posted in that topic for posts that haven't been answered after 3 days, but it seems to have been locked. Can anyone help me at all? Thanks!

This topic is now closed to further replies.