• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
talubuka

Very elusive spyware, please help

12 posts in this topic

I have spyware on my computer that my fully updated anti-virus software, spybot or adaware cannot detect.

 

When I am on the internet, a pop-up appears down in the start tray when I go to a new page. As soon as the page loads, it disapears. I have clicked on it to see what it is but nothing pops up. I have looked in internet explorer history and this is what the pop-up is called:

 

~close~

http://xlime.offeroptimizer.com/close.html

 

Whatever it is, it keeps tring to place tracking cookies on my computer, even as I type here I am getting messages that Spybot has blocked the download of Avenue A.

 

I'd love some help getting rid of this! Here is my Hijack this log:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 5:58:28 PM, on 19/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\O2Micro\AudioDJ\o2cd.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\System32\sistray.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AnalogX\CookieWall\cookie.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Washer\washer.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\User\Local Settings\Temp\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optusnet.com.au/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [o2cd] C:\Program Files\O2Micro\AudioDJ\o2cd.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [Microsoft Cvrt] mscvrt32.exe

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\User\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [smr] C:\WINDOWS\System32\smr.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe

O4 - HKLM\..\Run: [daz] C:\WINDOWS\daz.exe

O4 - HKLM\..\RunServices: [Microsoft Cvrt] mscvrt32.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7593.7532523148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

:) Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log

 

Please keep an eye on this message for a resolution shortly.

Share this post


Link to post
Share on other sites

Please create a new directory C:\HJT and move the HijackThis.exe file into that directory and only run it from there. That way we can ensure that we have the backup files aailable in the event that they are needed.

 

We need to remove a program called “Twain-Tec”. To do this, first you need to disable System restore as per the instructions at http://www.pchell.com/virus/systemrestore.shtml. Twiantec.dll is a transponder. HijackThis will detect it as a BHO but it must not be removed using HijackThis. This is because of the remaining registry entries and files which can be dangerous. Instead the following method of removal is preferable and complete:

Go to "Add/Remove Programs", Uninstall Twain-Tech.

 

Close all programs and windows, run HijackThis and delete:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll

O4 - HKLM\..\Run: [Microsoft Cvrt] mscvrt32.exe

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\User\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck

O4 - HKLM\..\Run: [smr] C:\WINDOWS\System32\smr.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [daz] C:\WINDOWS\daz.exe

O4 - HKLM\..\RunServices: [Microsoft Cvrt] mscvrt32.exe

 

The following are resource hogs and are optional to delete:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

Please reboot into safe mode - How do I boot into "Safe" mode?

 

Please cleanup temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):

  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files [/color](all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".
  • twaintech.dll <= If twaintech.dll is in use, then you would need to rename it, reboot the computer, and then delete it.
  • twaintec.ini
  • C:\WINDOWS\System32\smr.exe
  • C:\WINDOWS\alchem.exe
  • mscvrt32.exe <= You will need to do a search for this file - DO NOT mistake it for the legitimate .dll file.

Reboot again and log in normally, repost a new HijackThis log into this message for further review.

Share this post


Link to post
Share on other sites

Ok, I managed to do all what you said, except for removing C:\WINDOWS\System32\smr.exe

and

mscvrt.exe

 

I did a search for both but couldn't find them anywhere. Anyway, here is my new hijack this log. By the way, I really appreciate the help :lol:

 

Logfile of HijackThis v1.97.7

Scan saved at 7:29:18 PM, on 20/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\O2Micro\AudioDJ\o2cd.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\System32\sistray.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AnalogX\CookieWall\cookie.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Washer\washer.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\User\Local Settings\Temp\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optusnet.com.au/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [o2cd] C:\Program Files\O2Micro\AudioDJ\o2cd.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7593.7532523148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Your log is looking pretty good :)

 

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

 

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

 

More info and download is available at:

Spywareblaster

Spywareguard

 

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will several impair attempts to infect your system. It is free.

 

More info and download is available at:

IE/Spyad

 

On a regular basis - Use Ad-Aware to check your system for any and all infections => How to use Ad-Aware to remove Spyware

 

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recyle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Share this post


Link to post
Share on other sites

Thanks heaps!

 

Actually, last night, after making my last post, I ran Spybot and it picked up nothing. Then I went into adaware and thought that I had better update it as I hadn't done that since I had downloaded it. When it had updated it, I ran it and it picked up no less than 50 items! There were files and even 2 folders and a dialer program!!! I've NO idea how that got on there! Well I fixed them all and ran adaware again this morning and it's all clean now, hopefully it stays that way!

Share this post


Link to post
Share on other sites

Depending on how much you browse the internet - You should run those at least once a week. This "Stuff" will always find its way back - unfortunately.

Share this post


Link to post
Share on other sites

Ok, I think I am doing almost everything you can do to help protect your computer. I have Spybot, Adaware, Cookie Wall, Zonealarm firewall, CWshredder, Hijack This, ie spyad, Spyware Blaster and Spyware Guard, I have fully updated my anti-virus definitions and did the windows update thing, and also replaced microsoft java with that other java thing. Anything else I should have?

Share this post


Link to post
Share on other sites

Not sure whats happened, but I can't access my ISP's homepage. I get this error:

 

java.lang.NullPointerException

 

It must have something to do with when I replaced the java thing with the other one. I don't know how it happened as I followed the instructions the web-site gave me. I really need to view the website (www.optusnet.com.au) as it has how much of our download limit we have used.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0