Something's installing new spyware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Cyaron, Jun 19, 2004.

  1. Cyaron

    Cyaron Private E-2

    Hey, guys. Hopefully you’ll be able to help with a problem I’m having.
     
  2. Cyaron

    Cyaron Private E-2

    Well, I tried to post a lot more info than I'm seeing on the screen here. I can try again, but if this doesn't work, I must just be doing something wrong...
     
  3. Brisa

    Brisa Private E-2

    I have trend micro on my system.

    Is this enough of a firewall along with Spyware Doctor, Crap Cleaner and Hijackthis?

    (Wish I came here BEFORE my problems!)

    Brisa
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Trend Micro is not a firewall. Get one of the ones mentioned by Xflat. Or another is ZoneAlarmFree.

    Get rid of SpyDoctor, it won't clean unless you buy it. (I told you this stuff in another thread).
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ;) Good advice and write up Xflat!
     
  6. Cyaron

    Cyaron Private E-2

    First of all, thanks to those of you who have replied already. I have got a couple of good recommendations from a couple of different people. :) Thanks again...

    I have the firewall built into 2Wire, and I also use the pc-cillin one. I haven't had problems with these, so I'm fairly certain these have nothing to do with my problem.

    --

    I ran Aluria and it *did* find a few things that the other programs didn't, but there are still some problems (like the main ones I was noticing before :). VX2 is one of them, but I have a vx2 log now that I can include in this message. They are still changing names in the system32 folder.


    Another thing I noticed is that pc-cillin told me that svchost.exe was trying to connect out. I read that there was a good and a mock svchost, but I don't see one in the "bad" location. I can tell you though, that Task Manager shows FOUR different svchosts all running at the same time. HijackThis only showed me 2 of those. But the task manager shows 2 that say system after them, and 2 that say "local service" and "network service".

    The size of at least the large "system" one is not constant. It was 17k and something, and now it's 16k. If this matters.



    I am also having another, even more serious problem. Whenever I'm online, the computer waits a few minutes and then just decides to run the CPU at 100%, so I can't do much of anything except flip the switch at the back of the computer. It did this again AFTER I had done all the recommended fixes so far. We'll see how many reloads it takes me to get all of this stuff done...


    The popups continue. Eblocs is coming up a lot of the time, now.


    So anyway, without further ado, here is the vx2 log that I got after all of this. I assume you wanted to see the log instead of me just deleting them because they could just come back anyway?



    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINDOWS\System32\cjbjmon.dll
    C:\WINDOWS\System32\crbjmon.dll
    C:\WINDOWS\System32\DaHTLS32.DLL
    C:\WINDOWS\System32\sgmpsnap.dll
    C:\WINDOWS\System32\skmsg.dll
    C:\WINDOWS\System32\snmsg.dll
    C:\WINDOWS\System32\wsssvc.dll
    C:\WINDOWS\System32\wvssvc.dll


    Guardian Key--- is called: GuardianYMSDN
    Asynchronous 000
    DllName C:\WINDOWS\system32\DaHTLS32.DLL
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {89A5EAC1-60DD-47AF-8B7A-650C1732EC21}
    IDex CS3

    User Agent String---
    {89A5EAC1-60DD-47AF-8B7A-650C1732EC21}




    And I have the new HijackThis log as well.


    Logfile of HijackThis v1.97.7
    Scan saved at 4:41:47 PM, on 6/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\2Wire Gateway\2PortalMon.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\Documents and Settings\Nelaskon ECA\My Documents\receive\HijackThis.exe

    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37798.8637731482
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    Maybe I should get rid of that other Symantec one, and I'm not sure that I need things like Flash and Quicktime running in the background, but I'll let you guys tell me if that's the case. And whatever the hell yahooymailto class is... There are several things up there that I don't recognize, however.


    As far as the other stuff goes, I have no idea how I'm still getting so much crap, except that vx2 did find things that I haven't tried to delete yet. I just hope that this is the root of the problems, and not just *one* of the things wrong.


    Quite frustrating, as all of this just happened at once, and I've spent about a day and a half doing nothing but trying to fix this. :(


    Thanks again for your help, guys. I really do appreciate it.



    Cyaron
     
  7. Cyaron

    Cyaron Private E-2

    Since it didn't get through before, I'll mention that I had previously run Ad-aware 6, Spybot, and the licensed version of Spy Sweeper.


    None of these are able to find the problem. :(


    Cyaron
     
  8. Cyaron

    Cyaron Private E-2

    Thanks guys!

    I have followed the advice I've gotten here and from a couple other places, and I have successfully deleted vx2! Almost all popups are gone; just like it was before!


    I will post my newest HijackThis log, but I don't expect there will be any problems. If I can delete the O3 items, I might want to do that. But I don't know if that would be safe. Also, I *think* I still want the O16 items I still have up there, but let me know if they're unnecessary.

    Thanks again, guys. I didn't have to be disconnected from the internet this time to make the HT log or to do the postings...


    *NOW* the thing I have to do is to bitch to Webroot and Aluria, because both of those products missed vx2 AND a great many of the programs that vx2 brought onto my system.



    Newest HijackThis log:


    Logfile of HijackThis v1.97.7
    Scan saved at 1:50:50 AM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\2Wire Gateway\2PortalMon.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\Documents and Settings\Nelaskon ECA\My Documents\receive\HijackThis.exe

    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37798.8637731482
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

     
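The two checks the thread circles around, whether a running svchost.exe lives in the Windows system directory and what changed between the two HijackThis logs, can be scripted. The parser below is an added example, not code from the thread, from HijackThis or from any product named here; the log excerpts are constructed and modelled on the logs above, and the `C:\WINDOWS\svchost.exe` line is invented to exercise the location check.

```python
import re

# Legitimate svchost.exe lives only in the Windows system directory; a copy
# anywhere else is the "mock svchost" the thread mentions.
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"

def parse_hjt(log):
    """Split a HijackThis log into (running processes, set of Oxx entries)."""
    processes, entries, in_procs = [], set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif re.match(r"^O\d+ - ", line):
            entries.add(line)         # O3/O4/O16... autostart and ActiveX lines
    return processes, entries

def suspicious_svchost(processes):
    """Paths named svchost.exe that are not the one in the system directory."""
    return [p for p in processes
            if p.lower().endswith(r"\svchost.exe") and p.lower() != LEGIT_SVCHOST]

def diff_entries(old, new):
    """(removed, added) autostart/ActiveX entries between two logs."""
    return sorted(old - new), sorted(new - old)

# Constructed excerpts modelled on the two logs in the thread; the
# C:\WINDOWS\svchost.exe line is invented to exercise the location check.
BEFORE = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [POINTER] point32.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
"""
AFTER = r"""Running processes:
C:\WINDOWS\System32\svchost.exe

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

def report(before=BEFORE, after=AFTER):
    procs_b, ent_b = parse_hjt(before)
    procs_a, ent_a = parse_hjt(after)
    removed, added = diff_entries(ent_b, ent_a)
    return {"odd_svchost": suspicious_svchost(procs_b + procs_a),
            "removed": removed, "added": added}
```

Comparison is case-insensitive because NTFS paths are, which is why the `system32` / `System32` spellings in the real logs both count as the legitimate location.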
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All your O3 and O16 items are fine. Leave them.
     
  10. HUDIK

    HUDIK Sergeant

    xflat, reading the thread I see you don't recommend ZoneAlarm, which is the firewall I use, and was wondering if there is a reason for this??

    Checked out Kerio and it's $45.00. ZoneAlarm is free (the one I'm using anyway).

    So far nothing has been able to penetrate my ports, but I guess you never know....
    Really curious about this one!!!!!:)

    Use all the other stuff like Spybot SD, Adaware, Spywareblaster, Crapcleaner etc. etc. ....and keep it religiously up to date, and run checks on a tight schedule. Also HijackThis.
    BTW don't run teatimer either...........
     
  11. HUDIK

    HUDIK Sergeant

    xflat thanks for clarifying re. Kerio.

    Think I will try it out. I have the old version of ZA 4.5. Heard there were too many probs with the new version. You just verified it.

    Would like to keep ZA 4.5 just in case. So can you disable it, download Kerio and use it?? Have never had 2 Firewalls on my HD.

    Grateful for you sharing your knowledge re. this!!:D
     
  12. Cyaron

    Cyaron Private E-2

    What's the problem with having more than 1 firewall? I haven't gotten any errors with my 2Portal and pc-cillin, but obviously things are still getting through.


    Is there a place to download ZoneAlarm 4.5? Or am I better off sticking with what I've got and looking for things like Aluria and SpywareBlaster that can block ports?


    Thanks again,


    Cyaron
     
  13. HUDIK

    HUDIK Sergeant

    xflat, thanks for the info re. 2 software firewalls.


    Cyaron - How you doin'??

    Aluria is for spyware removal (not firewall)

    SpywareBlaster - disable spyware ActiveX controls (not firewall)

    SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage. This allows you to run Internet Explorer with Active-X enabled, but it will never download or even prompt you for any of the known ActiveX controls. All other Active-X controls or plug-ins will work fine. The SpywareBlaster database contains information on these known spyware Active-X controls and can be updated with the click of a button. The application window displays a list of all controls that it is able to detect (this is not a list of what was found on your computer). The program cannot detect if you have any of the known objects already installed, but if you do, they will be disabled. The program also allows you to take a snapshot of your computer (certain settings) in its clean state and later revert many changes made by spyware and browser hijackers.

    Firewalls
    If you would like to use Kerio firewall it can be downloaded here:
    http://majorgeeks.com/download738.html Kerio

    I use ZA firewall version 4.5.538.001 and it works really well.
    To download ZoneAlarm 4.5 go to this link:
    http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html

    Good luck!!:)
     
