IE and Spyware!

Discussion in 'Windows Desktop Systems' started by Evil Marge, Apr 3, 2005.

  1. Evil Marge

    Evil Marge I Rule Political User

    Messages:
    6,574
    Can someone take a look at this and tell me if there's anything there that shouldn't be??
    Every time I open IE my computer is getting infected with tonnes of spyware and I am having to remove trojans every bloody time.
    Stupid sites that don't support Firefox need to catch up with the times, then I wouldn't be having this problem :mad:

    Logfile of HijackThis v1.98.2
    Scan saved at 18:06:46, on 03/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Pulse\Pulse.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Documents and Settings\amanda1\My Documents\My Received Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Pulse] C:\Program Files\Pulse\Pulse.exe -splash
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109007238186
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl3.cab
     
  2. Lee

    Lee OSNN Proxy

    How long have you been using 'LimeWire 4.2.6 Pro' Evil one?
     
  3. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    You have a Begin2Search variant, have HJT fix:

    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll

    Then I would run a full AdAware and Spybot scan.

    Post a new log using the latest version of HJT: http://www.downloads.subratam.org/hijackthis.zip
     
    Evil Marge likes this.
  4. Evil Marge

    Evil Marge I Rule Political User

    Messages:
    6,574
    Yeah, that's what Adaware keeps finding. I remove it all but then every time I open IE it comes back :mad:

    New log:
    Logfile of HijackThis v1.99.1
    Scan saved at 13:13:34, on 04/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Pulse\Pulse.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\amanda1\My Documents\My Received Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Pulse] C:\Program Files\Pulse\Pulse.exe -splash
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109007238186
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl3.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
     
  5. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Run all of this in safe mode. Most important step of all.

    Delete index.dat (doc and settings ... username\local settings....) via command prompt, in safe mode.

    Run MS Anti-spyware over and over until it cannot find anything. Enable Real-time protection on it so it will block the inevitable re-install attempt,

    and disable system restore before doing it all.
     
    Evil Marge likes this.
  6. Evil Marge

    Evil Marge I Rule Political User

    Messages:
    6,574
    I can't find index.dat anywhere and have already done the other tips. MS Anti-spyware's real-time protection is and always has been enabled but it doesn't seem to stop anything :rolleyes:
    Since I posted my last post I opened IE then used MS Anti-spyware, which said my computer was clean, but then used Adaware which found something called MediaTickets CDT.... It's just one thing after another :speechless:
     
  7. Bytes Back

    Bytes Back Ex Police Chief

    Messages:
    1,383
    Location:
    Kernow
    All I have to say is Spybot first (don't forget the immunize section and the hosts file; you have to change to advanced mode to find it) here

    WinPatrol to let you know what's going on Here

    A smattering of a good firewall
    Here

    Finished off with installing Firefox :) Here

    Remember I do this for a living, I spend half my life cleaning up spyware

    The only tools I use are those above and me punters tend to stay free, apart from the ones who insist on installing it with other programs
     
  8. Evil Marge

    Evil Marge I Rule Political User

    Messages:
    6,574

    Done immunization, got a firewall and use Firefox as main browser, only use IE for sites that don't work with FF :devious:
    Still cannot stop spyware from infecting me :cry:

    Oh and I have got SpyBlaster running too
     
  9. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    You've likely already done this ... but did you check add/remove programs for odd entries?

    Now for this pesky little bugger:

    index.dat is here: C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\

    How to get there:
    enter safe mode
    disable system restore
    go to command prompt (Start, Run, cmd)
    enter the following:
    cd \
    cd documents and settings
    cd <username> (replace this with your ID)
    cd local settings
    cd Temporary Internet Files
    cd content.ie5
    del index.dat

    Get rid of the dll:

    regsvr32 /u C:\WINDOWS\system32\rtneg.dll
    If you get an error message, try it like this:
    regsvr32 /u rtneg.dll

    Then go find the f&%$er and delete it.

    Run Adaware, Spybot (with updated defs), your virus scanner, and MS Anti-spyware. All in safe mode, and all with system restore disabled. Also hit up HijackThis in safe mode, and have it fix the rtneg entry again if it's still hangin' around.

    Reboot.

    Let me know what happens, we will get it. I do this for a living.... LOL
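As an added example (not from anyone in the thread), a small Python script that does what j79zlr did by eye on the first log and what the last step above asks for: it parses HijackThis O2 lines, flags any BHO whose CLSID is not on an allow-list or whose DLL is loaded straight out of system32, and diffs the two logs to confirm the rtneg.dll entry is gone. The allow-list and the log excerpts are constructed from this thread only.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in this thread
# (03/04/2005 and 04/04/2005); only the lines relevant to BHO triage kept.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl3.cab
"""
# The second log came from HJT 1.99.1, which added the O23 (services)
# section, so a tool version change shows up in the diff as "added" lines.
LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl3.cab
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# BHO CLSIDs the thread treats as legitimate (Adobe Reader, Spybot's
# SDHelper, FlashGet). Allow-list constructed from this thread only.
KNOWN_GOOD_BHO = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
    "{53707962-6F74-2D53-2644-206D7942484F}",
    "{A5366673-E8CA-11D3-9CD9-0090271D075B}",
}

def parse_hjt(text):
    """Group HijackThis entries by section code (R0, O2, O4, O16, ...)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["section"], set()).add(m["body"])
    return entries

def suspicious_bhos(text, known_good=KNOWN_GOOD_BHO):
    """(name, clsid, path) for each O2 BHO with an unknown CLSID, or whose DLL
    sits directly in the Windows system directory instead of a product folder."""
    hits = []
    for body in sorted(parse_hjt(text).get("O2", ())):
        m = BHO_RE.match(body)
        if m is None:
            continue
        clsid = m["clsid"].upper()
        in_sysdir = "\\windows\\system32\\" in m["path"].lower()
        if clsid not in known_good or in_sysdir:
            hits.append((m["name"], clsid, m["path"]))
    return hits

def diff_logs(before, after):
    """Entries gone from the second log (removed) and new in it (added)."""
    a, b = parse_hjt(before), parse_hjt(after)
    removed, added = [], []
    for sec in sorted(set(a) | set(b)):
        old, new = a.get(sec, set()), b.get(sec, set())
        removed += [f"{sec} - {e}" for e in sorted(old - new)]
        added += [f"{sec} - {e}" for e in sorted(new - old)]
    return removed, added
```

Run it on the full logs rather than the excerpts and the O23 lines will all show as "added", which is the HJT version change, not new infections.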
     
  10. Lee

    Lee OSNN Proxy

    Seems like a 'false positive to me marge doors'.

    You got so many apps for removing spyware it's causing a 'bitchin match'.

    Just use one. Uninstall the ones you don't use that much and leave one in, I suggest keeping either M$ or spybot as main app.
     
  11. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal

    I've never seen a false positive. Could you give me an example?

    If you are going to limit yourself to one removal software, stick with MS Anti-spyware. I suggest using them all in conjunction with hijackthis scans.
     
  12. Bytes Back

    Bytes Back Ex Police Chief

    Messages:
    1,383
    Location:
    Kernow
    OK, did you install WinPatrol?

    If so, right click on the dog (give him a bone or a biscuit :) ), choose display IE helpers, have a close look.

    Leave the sdhelper, that's Spybot; you probably have an acro, that's Acrobat Reader. There may be one from your virus killer as well.

    Anything else, BIN IT, you can click remove or right click and remove file on reboot.

    Next, right click again and choose display services, tick the non-M$ ones box, have a good look, any you don't know what they are, disable them; you can always re-enable after!
     
    Evil Marge likes this.
  13. Lee

    Lee OSNN Proxy

    Like using two antivirus applications (or more) or more than one firewall.
     
  14. xtweaker

    xtweaker Tweaking Monkey

    Messages:
    129
    Location:
    Montreal
    Lee, this is a bit unfounded. A spyware scanner is FAR different from an antivirus or a firewall in the sense that it's not memory resident and they will not conflict with one another. Yes, MS Antispyware and Ad-Aware have some resident shields you can enable, but just don't... Use them to scan and that's it.

    Doing a scan with two spyware removal programs is just like having a second doctor give his opinion on a diagnosis...

    It's actually recommended even by Microsoft themselves to use more than one program.

    Just read for yourself here: http://www.microsoft.com/athome/security/spyware/spywareremove.mspx

    You'll see even though they recommend using their software (which is VERY good), they also suggest Ad-Aware and Spybot Search & Destroy on top of it, as you can see by this link: http://www.microsoft.com/athome/security/downloads/default.mspx

    Spyware companies rely either on their internal testers or the online community to find spyware and build up-to-date spyware signatures. Using more than one program to scan your system only increases your chances that one of the programs you are using will have the definitions to find that very recent and pesky spyware that you can't seem to remove.

    Thanks,
     
    Evil Marge likes this.
  15. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    False positive. I still can't get over that... hehe.

    anyway, marge - j79zlr was on the ball. You have begin2search.

    Easy way to get her out: Update your Norton definitions, and run a scan in safe mode. The manual removal is rather intense for this one, but it's here:

    http://sarc.com/avcenter/venc/data/adware.begin2search.html
     
  16. gonaads

    gonaads Beware the G-Man Political User Folding Team

    Marge read these:

    http://www.spywareremove.com/remove_begin2search.shtml

    http://www.scanspyware.net/info/Begin2Search.htm

    http://www.spyany.com/program/article_adw_rm_Begin2Search.html

    http://www.techspot.com/vb/topic17297.html

    They explain how to delete/remove the "begin2search" adware that you are plagued with.

    Hope they help. :)

    [edit]
    And as for Lee, two anti-virus proggies, if they can co-exist, is not a bad thing. Not all AV proggies can find all viruses. And two or three or four adware/spyware detection proggies is also not a bad thing. Ya use one then the other and so on. And yer system is clean. Or so we think. :D

    I am of the school that paranoia will keep you safe when it comes to computers.

    But two firewalls, first off, don't work together. Too many conflicts. But if you could, why the hell not?

    I have a hardware firewall plus software firewall. So what's the big deal? Redundancy is good... to a point. :)
     
    Evil Marge likes this.
  17. Evil Marge

    Evil Marge I Rule Political User

    Messages:
    6,574
    Thanks for all the advice guys. Everything seems to have gone. I daren't open IE now 'cause I know I'm gonna find some other kind of spyware and then I'll have to go through this all over again :rolleyes: :laugh:
     
  18. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    What worked in the end Marge? Sheer determination? ;)
     
  19. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    OK, first off, you can use more than one spyware removal program, it is recommended, but I would only use MSAS, SSD, and Adaware; most of the other programs out there are either rip-offs of these, or worse.

    The index.dat will not cause any problems, it does not have to be removed.

    Marge, you should be fine with IE now, reopen it, if you have more problems post a new HJT log.
     
  20. Evil Marge

    Evil Marge I Rule Political User

    Messages:
    6,574
    All the above. I already sort of knew what to do and had cleared it all out a few days back when it all started happening, but I just ended up going round in circles 'cause as soon as one thing was gone something else appeared.
    I've had at least 5 different types of spyware to remove this week alone, all because I have to use IE to view a certain website :speechless: :rolleyes: :laugh:
     
    gonaads likes this.