More persistent spyware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by QuestioningEve, Jun 19, 2004.

  1. QuestioningEve

    QuestioningEve Private E-2

    Hi - I hope someone out there has the patience to lend me their wisdom! I have just woken up to spyware, and hastily installed Spybot (last night!) and scanned to discover 170+ problems which I asked it to 'fix'. However, there were some problems dealing with the fixes - DSO Exploit and Retrieve are still detected, a message comes to tell me Retrieve cannot be removed but will be on re-booting (not true, unfortunately), and on next scan both appear again as problems to be removed. So I installed Ad-aware 6 (Lavasoft) which had loads of different 'finds' (not the above 2 miscreants), all removed, and the repeat scans with Ad-Aware show no problems remaining.

    So what third spyware/adware cleaner can I download to fix these two problems, and in addition the Delfin project which is so firmly entrenched that neither of the above 2 detected its presence? I know it's there because it is always dialling up and connecting to the internet - I have to physically unplug the phone line to stop it!

    Please help - magical solutions desperately needed!

    Thanks,
    Eve
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. QuestioningEve

    QuestioningEve Private E-2

    Many thanks for that - amazingly 12 hours after I first installed Ad-Aware it had been updated and now removed the offending items (at least, it has stopped complaining about them when I repeat the scan .....)

    This implies that before scanning one should update for newer versions - I see Spybot also has updates to download. Once I had updated Ad-Aware I rescanned and discovered ANOTHER 7 objects to remove. Not sure I can keep up the pace if 12 hourly updates/scans required - but hope now I have installed Spyware Guard to avoid getting any new problems!

    This leaves me with the Delfin project stuff - I don't know if it has gone - how can I tell? It never registered on any of the Ad-Aware or Spybot scans - and I am too scared to use the instructions I picked up somewhere on the net that involved surgery on the Registry ..... and I am not confident in using backups to restore after a disaster ........ are there any nice safe programs I can just press the button on and it all goes away painlessly?

    Thanks again folks for all your good work - without forums like this some of us would be hustled off the internet altogether by spies, ads, trojans, viruses etc. Any other must haves to keep things moving along?

    Eve
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    That's why we always tell everyone to do it first, but quite often people just don't listen.

    It is possible they do not look for it. Check in Control Panel, Add/Remove Programs to see if it has an uninstall. If not, get HijackThis from here: http://www.majorgeeks.com/download3155.html

    Before running HijackThis shut down all applications. Then run it and post a log.
    I think one of the files Delfin loads and runs is PgMonitr.exe.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  6. QuestioningEve

    QuestioningEve Private E-2

    Hi again!

    I was reluctant to post again until I had done some more checking, and before I got your advice to download HijackThis I ran Spybot again, and discovered that I STILL have DSO Exploit and Search Exe (which Spybot keeps telling me it removes every time I run it) and Retrieve which Spybot tells me it will remove after a re-boot and doesn't.

    So I installed Spy Sweeper from Webroot, which told me I had ANOTHER whole bunch of problems (and this is after using freshly updated versions of Ad-Aware and Spybot) - like about 70 problems, which it proceeded to remove. Luckily it seems to have removed Delfin project in that batch.
    However, even after this very lengthy (like 45 min) scan with Spy Sweeper (twice with reboot in between, and all 3 programs' quarantine bins emptied), Spybot still finds DSO Exploit and Search Exe (still says it is removing them and doesn't) and Retrieve which it says it cannot remove.
    SO I guess I will have to download HijackThis, which if it is very large will have to be done overnight 'cos my connection is so slow that eventually the connection fails before download complete during the day.
    Unless you have any other ideas?

    Thanks for your patience,
    Eve
     
  7. QuestioningEve

    QuestioningEve Private E-2

    OK so have now run HijackThis (which turned out to be a small file when I looked at it) and what follows is the logfile. Spybot says there is DSO Exploit, Search Exe and Retrieve on the computer somewhere. I have to confess there is a second terminal running on a little network here; the second computer is only infected with DSO Exploit according to Spybot, so I will post its log later.

    Log from HijackThis follows - but many grateful thanks for your help!

    Logfile of HijackThis v1.97.7
    Scan saved at 12:12:10, on 20/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS.0\System32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Admin.GREY_FUJITSU\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows.0\downloaded program files\conflict.1\googletoolbar_en_2.0.95-big.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.0\System32\msdxm.ocx
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows.0\downloaded program files\conflict.1\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
    O4 - HKLM\..\Run: [My Search Bar Eq] "C:\Program Files\MySearch\bar\s4bareq.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Media-Search] "C:\Program Files\msnet\v9\msnet.EXE" /H
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows.0\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows.0\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows.0\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows.0\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows.0\downloaded program files\conflict.1\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Admin.GREY_FUJITSU\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38101.3771643518
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5A121930-E754-41A8-A114-A7BACC859356}: NameServer = 207.44.140.102 64.191.22.247


    Regards to all
    Eve
     
  8. QuestioningEve

    QuestioningEve Private E-2

    I thought I had turned everything off before I generated the log file - (seems a bit long .... sorry!) - should I try that Hijack This again and see if I can get a smaller one?

    Help!

    As always, major thanks to you helpful folks,
    Eve
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As far as the DSO Exploit issue, if all your Microsoft critical updates are installed you are protected against DSO Exploit and you can eliminate the annoyance of SpyBot's DSO Exploit reappearing each time you scan by doing the following:

    1. Open Spybot and select 'advanced' mode.
    2. Select 'settings' in the left column.
    3. Select 'ignore products' in the left column.
    4. Select 'security' tab.
    5. Place a check mark in the box beside 'DSO Exploit'.
    6. Exit Spybot.
    7. Restart Spybot and run a scan.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See my previous post on DSO Exploit first then follow the steps below.

    Run Ad-aware (UPDATE it. They add new things today.)
    Run SpyBot (UPDATE it. Just to be safe)
    Disable system restore: http://www.majorgeeks.com/vb/showthread.php?t=31668
    And then boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    Now run Ad-aware & SpyBot again in safe mode. (If you still have SpySweeper run it too.)
    Now shut down all applications and run HijackThis and have it fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-...k=sbar1_srchbtn
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.media-search.net/nph-...ook=stmpl1&find=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-...ook=stmpl1&find=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-...k=sbar1_srchbtn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.media-search.net/nph-...ook=stmpl1&find=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.media-search.net/nph-...ook=stmpl1&find=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-...ook=stmpl1&find=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-...ook=stmpl1&find=
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O4 - HKLM\..\Run: [My Search Bar Eq] "C:\Program Files\MySearch\bar\s4bareq.exe" /r
    O4 - HKLM\..\Run: [Media-Search] "C:\Program Files\msnet\v9\msnet.EXE" /H
    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe


    Now delete the following:

    C:\Program Files\msnet <--- the whole directory
    C:\Program Files\Common Files\updater <--- the whole directory
    C:\Program Files\MySearch <--- the whole directory

    Now reboot in normal mode and let's see where we are at.

    After a day, if things look okay, enable system restore.

    If still having a problem after doing the above, shut down all browsers and Windows Explorer sessions and post a new HijackThis log.
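The HijackThis log in post 7 and the list of entries to fix in post 10 share one line format: a section code (R0, R1, O1, O2, O4, O16, O17 ...), a dash, and the registry value, hosts entry, BHO, autostart or download record it describes. The script below is an added example, not code from the thread or from HijackThis itself. It parses that format and applies the review rules the reply above applies by hand: Internet Explorer search settings pointing at a host other than a known search provider, any hosts-file override, BHO/toolbar/autostart entries loading from the three directories the reply says to delete, an ActiveX (O16) control registered from a local file:// path rather than a web site, and registry-set DNS servers that should be checked against the ISP's. The sample log is a constructed subset of the lines posted in the thread plus a few benign entries; the search-provider allowlist is an assumption, not anything stated on the page.

```python
"""Parse HijackThis-style log lines and flag the entries a reviewer would look at first."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the R/O lines from the HijackThis v1.97.7 log posted in
# this thread, plus benign lines (Spybot's SDHelper, QuickTime, Flash) that should be left alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media-Search] "C:\Program Files\msnet\v9\msnet.EXE" /H
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Admin.GREY_FUJITSU\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A121930-E754-41A8-A114-A7BACC859356}: NameServer = 207.44.140.102 64.191.22.247
"""

# "R1 - <body>" / "O16 - <body>"; header and "Running processes" lines do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# Directories the reply above says to delete (taken from the thread), compared case-insensitively.
SUSPECT_DIRS = (
    r"c:\program files\msnet",
    r"c:\program files\common files\updater",
    r"c:\program files\mysearch",
)
# Assumed allowlist of search providers the machine's owner actually chose; not from the page.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.msn.com"}


def parse_hjt(text):
    """Return (section, body) pairs for every R/O line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _value_after_equals(body):
    """For 'key = value' bodies (R0/R1, O17) return the value part."""
    return body.split(" = ", 1)[1].strip() if " = " in body else ""


def assess(entries):
    """Apply simple review rules; returns a list of (section, reason, body) findings."""
    findings = []
    for section, body in entries:
        lower = body.lower()
        if section in ("R0", "R1"):
            # IE start/search page hijack: URL host not on the owner's allowlist
            host = urlparse(_value_after_equals(body)).hostname
            if host and host not in TRUSTED_SEARCH_HOSTS:
                findings.append((section, f"IE search setting points at {host}", body))
        elif section == "O1":
            # HijackThis only lists hosts-file lines that redirect a name; always worth a look
            findings.append((section, "hosts-file override redirects a public name", body))
        elif section in ("O2", "O3", "O4"):
            # BHO, toolbar or autostart loading from a directory slated for deletion
            if any(d in lower for d in SUSPECT_DIRS):
                findings.append((section, "loads from a directory slated for deletion", body))
        elif section == "O16":
            # Downloaded Program Files entry whose source is a local file, not a web site
            source = body.rsplit(" - ", 1)[-1]
            if urlparse(source).scheme == "file":
                findings.append((section, "ActiveX control registered from a local file", body))
        elif section == "O17":
            findings.append((section, "registry DNS servers; confirm they belong to the ISP", body))
    return findings


def review(text):
    """Parse a log and return its findings in log order."""
    return assess(parse_hjt(text))


if __name__ == "__main__":
    for section, reason, body in review(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
```

Running it on the sample prints eight findings and stays silent on the SDHelper, QuickTime and Flash lines; on a real log the allowlist and the suspect-directory list are the two things to adjust, since they encode what is legitimate on that particular machine.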
     
