| Thread ID: 62257 | 2005-10-02 00:16:00 | Getting rid of a tough spy... | ojibwa (8968) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 392725 | 2005-10-08 01:31:00 | So is the verdict that I've to live with this bit of spyware on this computer until I reformat the harddrive? :badpc: | ojibwa (8968) | ||
| 392726 | 2005-10-08 02:16:00 | pressf1.pcworld.co.nz 16 That's the Spyware FAQ. Don't give up till you've been right thru that. It's excellent. | mark c (247) | ||
| 392727 | 2005-10-08 02:33:00 | Download HijackThis from www.merijn.org, unzip, run it and copy and paste the log here or on one of the hijack forums and we will tell you what to delete. Or use regedit and manually delete the following entries:
HKLM\SOFTWARE\Classes\Ysb.YsbObj -> Spyware.YourSiteBar
HKLM\SOFTWARE\Classes\Ysb.YsbObj.1 -> Spyware.YourSiteBar
HKLM\SOFTWARE\YourSiteBar -> Spyware.ISTBar
HKLM\SOFTWARE\YourSiteBar\Historyfiles -> Spyware.ISTBar
HKLM\SOFTWARE\YourSiteBar\Historysearch_string -> Spyware.ISTBar
| bartsdadhomer (80) | ||
| 392728 | 2005-10-08 04:25:00 | I get an error if I try to delete any of those in regedit. I will post a HijackThis log the next time I post. I could try doing it in safe mode with System Restore off, but only if you say I should. | ojibwa (8968) | ||
| 392729 | 2005-10-08 10:00:00 | If it is really that bad you can get Windows 2000 or XP to try to replace the system files (before resorting to a reinstall). See here (www.networkclue.com). Also make a nice new user account. Run MS Anti-Spyware too. It is only a real problem though if the spyware is still actually installed. I mean they often leave a trail of registry entries behind... | gibler (49) | ||
| 392730 | 2005-10-08 13:48:00 | I've reinstalled Windows XP Pro once on this computer. Since then the old accounts that we used to use seem to still be there, but we have not been able to access the accounts in any way (though when I check the properties it says that they're taking up 0 bytes so I think "no worries"). Instead if you try to go into Documents + Settings (insert name here [user account]) from the first installation, you get an error message about how you don't have sufficient administrator rights, but I'm as admin as it gets on this PC. One other thing to mention is that for a long time GTA San Andreas wouldn't work, then I made a new account and it did; also before I couldn't see the mods I was installing for Counter Strike Source but people with their different accounts could, so I made an alternate account to test if it would work; it did. I don't know if somewhere along the line I chose for one of my anti-spyware/adware programs to block the programs in that account, but it was a whole load easier not to search around looking for what to/how to unblock them if I found out I'd done so. Anyhow here's my HijackThis log done in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:02 AM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\MATCO\BuzzsawService\BuzzSawService.exe
C:\Program Files\MATCO\DirmsService\DirmsService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex'sAlternateAccnt\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {427F28DA-7DE4-FD4B-D90B-6CFEA10C2A33} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://media.licenseacquisition.org/cab/MediaAccessVerisign/ie/bridge-c424.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} - http://advnt01.com/dialer/int_ver30.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Buzzsaw_Defragmentation - MATCO - C:\Program Files\MATCO\BuzzsawService\BuzzSawService.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Program Files\MATCO\DirmsService\DirmsService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
This is the one thing I'm almost certain should not be on my computer ^^ | ojibwa (8968) | ||
| 392731 | 2005-10-08 18:30:00 | Tick these entries. Close browser/s. Tick "Fix checked". Reboot.
O2 - BHO: (no name) - {427F28DA-7DE4-FD4B-D90B-6CFEA10C2A33} - (no file)
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://media.licenseacquisition.org ... bridge-c424.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} - http://advnt01.com/dialer/int_ver30.CAB
Looks like these 3 entries relate to a dialler.
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
And this:
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
is some part of a Logitech program, for something like a webcam, or something. Not nasty, but doesn't have to run on startup. Also you're meant to extract HijackThis into its own folder, then run it, not run it from within the zip file. I would also update Java. It's up to 1.5.00.5 now. | Speedy Gonzales (78) | ||
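The triage in the post above (orphaned "(no file)"/"(file missing)" entries, an unnamed BHO, O16 ActiveX downloads from hosts the user never chose) can be scripted. The following is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted here, and the trusted-host allowlist is an assumption.

```python
import re

# Constructed sample: a few entries in the format of the HijackThis log posted
# in this thread (same sections, contents trimmed to the interesting lines).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {427F28DA-7DE4-FD4B-D90B-6CFEA10C2A33} - (no file)
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O16 - <body>"
URL_RE = re.compile(r"https?://([^/\s]+)(\S*)")       # host, path of an O16 download

# Assumed allowlist: hosts the user would knowingly load ActiveX controls from.
# Any other host in an O16 line is reported for review.
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "java.sun.com"}


def triage(log_text):
    """Return (section, reason, line) for each entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines and the running-process list are skipped
        section, body = m.groups()
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            # Registration points at a path that no longer exists: leftover
            # from a half-removed component or an untidy uninstall.
            findings.append((section, "orphaned entry", raw))
        elif section == "O2" and low.startswith("bho: (no name)"):
            findings.append((section, "unnamed BHO", raw))
        elif section == "O16":
            url = URL_RE.search(body)
            host = url.group(1).lower() if url else ""
            path = url.group(2).lower() if url else ""
            if host not in TRUSTED_DPF_HOSTS:
                reason = ("dialer-related ActiveX download" if "dialer" in path
                          else "ActiveX download from unlisted host")
                findings.append((section, reason, raw))
        elif section == "O23" and "unknown owner" in low:
            findings.append((section, "service with unknown owner", raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

Legitimate but unwanted autostarts such as the Logitech BackWeb entry are deliberately not flagged; the script narrows the list to review, it does not decide what to fix.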
| 392732 | 2005-10-09 01:53:00 | I got rid of all but BackWeb using HijackThis (realised that it was a part of the software I installed with my Logitech mouse). Not certain what effect this may have had, so I'm going to try and see if I can't get rid of that YourSiteBar spy that's been stowing away for too long now. I've HJT running from my desktop. I updated the Java Runtime Environment as you advised. Edit: The spyware is still showing up, and will not go away. | ojibwa (8968) | ||
| 392733 | 2005-10-09 02:28:00 | Does ISearch or ISearch toolbar appear in Add/Remove Programs? If so, uninstall it. Or try this: www.simplysup.com. Download it, install it, run it / click on Scan. Then select the Utilities menu, and select each option from option 3 - 7. | Speedy Gonzales (78) | ||
| 392734 | 2005-10-09 14:17:00 | I didn't find ISearch in my Add/Remove Programs. I downloaded and installed the program, I used those last five options in the Utilities menu. The same result comes up in Spybot. | ojibwa (8968) | ||