IE and Spyware!

Evil Marge

Can someone take a look at this and tell me if there's anything there that shouldn't be?
Every time I open IE my computer is getting infected with tonnes of spyware and I am having to remove trojans every bloody time.
Stupid sites that don't support Firefox need to catch up with the times, then I wouldn't be having this problem :mad:

Logfile of HijackThis v1.98.2
Scan saved at 18:06:46, on 03/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Pulse\Pulse.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\amanda1\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Pulse] C:\Program Files\Pulse\Pulse.exe -splash
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109007238186
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl3.cab
 
How long have you been using 'LimeWire 4.2.6 Pro', Evil one?
 
You have a Begin2Search variant, have HJT fix:

O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll

Then I would run a full AdAware and Spybot scan.

Post a new log using the latest version of HJT: http://www.downloads.subratam.org/hijackthis.zip
 
j79zlr said:
You have a Begin2Search variant, have HJT fix:

O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll

Then I would run a full AdAware and Spybot scan.

Post a new log using the latest version of HJT: http://www.downloads.subratam.org/hijackthis.zip
Yeah, that's what Ad-Aware keeps finding. I remove it all but then every time I open IE it comes back :mad:

New log:
Logfile of HijackThis v1.99.1
Scan saved at 13:13:34, on 04/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Pulse\Pulse.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\amanda1\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Pulse] C:\Program Files\Pulse\Pulse.exe -splash
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109007238186
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl3.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
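As an added example (not part of the thread, and not HijackThis's own code), here is a small Python parser for the log format above. It reads two logs, reports which entries disappeared or appeared between them, and flags the lines a helper would look at first: O2/O3 add-ons whose CLSID is not on an allowlist (with extra weight when the DLL lives in system32, where legitimate add-ons rarely install), O16 ActiveX controls downloaded from third-party hosts, and O23 services with no vendor information. The two embedded logs are constructed, abbreviated extracts of the ones posted; the allowlist and the heuristics are this example's assumptions, not rules the tool applies.

```python
# Added example: parse HijackThis logs, diff two of them, and flag entries worth a look.
# Not HijackThis's own code. The allowlist and heuristics are this example's assumptions.
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed, abbreviated extracts of the two logs posted in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.2
Scan saved at 18:06:46, on 03/04/2005
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl3.cab
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 13:13:34, on 04/04/2005
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BE964208-66F0-48FB-8F53-0C2BC35A610A} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl3.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^([RFNO]\d+) - (.+)$")   # HJT item lines: "O2 - BHO: ...", "R0 - HKCU..."

# Assumed allowlist, built from add-ons the thread identified as legitimate.
KNOWN_GOOD = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe Acrobat Reader 5 AcroIEHelper
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper
    "{A5366673-E8CA-11D3-9CD9-0090271D075B}",  # FlashGet IeCatch2
    "{E0E899AB-F487-11D5-8D29-0050BA6940E3}",  # FlashGet toolbar
}
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com")   # assumed: ActiveX download sources not to flag


@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O16", ...
    body: str      # everything after "O2 - "
    clsid: str     # "{...}" upper-cased, or "" when the line carries none
    target: str    # last " - " segment: file path, URL, or registry value

    @property
    def key(self):
        # A CLSID names the COM object regardless of its display name; otherwise use the whole line.
        return (self.section, self.clsid or self.body)


def parse_log(text):
    """Return the item lines of a HijackThis log; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        c = CLSID_RE.search(body)
        entries.append(Entry(section, body, c.group(0).upper() if c else "", body.rsplit(" - ", 1)[-1]))
    return entries


def diff_logs(before_text, after_text):
    """(removed, added) entries between two logs, keyed by CLSID where one exists."""
    before = {e.key: e for e in parse_log(before_text)}
    after = {e.key: e for e in parse_log(after_text)}
    removed = [before[k] for k in before if k not in after]
    added = [after[k] for k in after if k not in before]
    return removed, added


def flag(entries, known_good=KNOWN_GOOD):
    """List of (entry, reason) for lines a helper would check before anything else."""
    findings = []
    for e in entries:
        t = e.target.lower()
        if e.section in ("O2", "O3") and e.clsid not in known_good:
            why = []
            if "\\system32\\" in t:
                why.append("add-on DLL living in system32 (legitimate add-ons install under Program Files)")
            if "(no name)" in e.body:
                why.append("no display name")
            findings.append((e, "; ".join(why) or "CLSID not in allowlist"))
        elif e.section == "O16" and urlparse(e.target).scheme in ("http", "https"):
            host = urlparse(e.target).hostname or ""
            if not host.endswith(TRUSTED_DPF_HOSTS):
                findings.append((e, "ActiveX control downloaded from a third-party site"))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append((e, "service binary carries no vendor information"))
    return findings


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed since first log:", [e.body for e in removed])
    print("new since first log:", [e.body for e in added])
    for e, reason in flag(parse_log(LOG_AFTER)):
        print(f"{e.section}: {e.target}  <- {reason}")
```

Run against the two logs above, the diff shows exactly one removed item (the rtneg.dll BHO) and the two O23 service lines that only appear because the second log came from HijackThis 1.99, which added the O23 section; the diff is also the quickest way to see, after a reboot, whether something re-dropped the entry.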
 
Run all of this in safe mode. Most important step of all.

Delete index.dat (Documents and Settings ... username\Local Settings ...) via command prompt, in safe mode.

Run MS AntiSpyware over and over until it cannot find anything. Enable real-time protection on it so it will block the inevitable re-install attempt.

And disable System Restore before doing it all.
 
I can't find index.dat anywhere and have already done the other tips. MS AntiSpyware's real-time protection is and always has been enabled but it doesn't seem to stop anything :rolleyes:
Since I posted my last post I opened IE then used MS AntiSpyware, which said my computer was clean, but then I used Ad-Aware, which found something called MediaTickets CDT... It's just one thing after another :speechless:
 
All I have to say is Spybot first (don't forget the Immunize section and the hosts file; you have to change to Advanced mode to find it): here

WinPatrol to let you know what's going on: Here

A smattering of a good firewall: Here

Finished off with installing Firefox :) Here

Remember, I do this for a living; I spend half my life cleaning up spyware.

The only tools I use are those above and my punters tend to stay free, apart from the ones who insist on installing it with other programs.
 
Bytes Back said:
All I have to say is Spybot first (don't forget the Immunize section and the hosts file; you have to change to Advanced mode to find it): here

WinPatrol to let you know what's going on: Here

A smattering of a good firewall: Here

Finished off with installing Firefox :) Here

Remember, I do this for a living; I spend half my life cleaning up spyware.

The only tools I use are those above and my punters tend to stay free, apart from the ones who insist on installing it with other programs.


Done immunization, got a firewall and use Firefox as main browser, only use IE for sites that don't work with FF :devious:
Still cannot stop spyware from infecting me :cry:

Oh, and I have got SpyBlaster running too
 
You've likely already done this... but did you check Add/Remove Programs for odd entries?

Now for this pesky little bugger:

index.dat is here: C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\

How to get there:
enter safe mode
disable system restore
go to command prompt (Start, Run, cmd)
enter the following:
cd \
cd documents and settings
cd <username> (replace this with your ID)
cd local settings
cd Temporary Internet Files
cd content.ie5
del index.dat

Get rid of the DLL:

regsvr32 /u C:\WINDOWS\system32\rtneg.dll
If you get an error message, try it like this:
regsvr32 /u rtneg.dll

Then go find the f&%$er and delete it.

Run Ad-Aware, Spybot (with updated defs), your virus scanner, and MS AntiSpyware. All in safe mode, and all with System Restore disabled. Also hit up HijackThis in safe mode, and have it fix the rtneg entry again if it's still hanging around.

Reboot.

Let me know what happens, we will get it. Do this for a living... LOL
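The unregister-and-delete steps in the post above, written out as a script with a dry-run mode. This is an added example, not the poster's code: the CLSID and DLL path come from the O2 line in the logs, while the command list, the registry keys it deletes and the delete-on-reboot fallback are this example's own choices. The point it adds is that `regsvr32 /u` only calls the DLL's own DllUnregisterServer, which a hostile DLL is free to ignore, so the BHO hook under Browser Helper Objects and the CLSID registration are removed explicitly; and that a DLL still mapped into a process cannot be deleted, which is why the thread keeps insisting on safe mode (explorer.exe hosts BHOs as well as iexplore.exe). The commands only run on Windows; elsewhere the script just reports the plan.

```python
# Added example: unregister a BHO, remove its registrations and delete the DLL.
# Not the poster's code. CLSID and path are from the O2 line; the rest is assumed.
import os
import subprocess
import sys
import tempfile

CLSID = "{999A06FF-10EF-4A29-8640-69E99882C26B}"   # from the O2 line in the first log
DLL = r"C:\WINDOWS\system32\rtneg.dll"             # from the O2 line in the first log
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def removal_plan(clsid, dll_path):
    """Ordered (description, argv) pairs that remove a BHO. Pure function: nothing runs here.

    regsvr32 /u only calls the DLL's own DllUnregisterServer; a hostile DLL may do nothing,
    so the hook IE reads and the COM class registration are deleted explicitly as well.
    Giving regsvr32 just the file name also works because it searches system32 itself.
    """
    return [
        ("close IE so the DLL is not mapped there", ["taskkill", "/IM", "iexplore.exe", "/F"]),
        ("ask the DLL to unregister itself", ["regsvr32", "/u", "/s", dll_path]),
        ("remove the BHO hook IE loads from", ["reg", "delete", BHO_KEY + "\\" + clsid, "/f"]),
        ("remove the COM class registration", ["reg", "delete", r"HKCR\CLSID" + "\\" + clsid, "/f"]),
    ]


def execute(plan, dry_run=True):
    """Run each step (Windows only); in dry-run mode, or off Windows, report None per step."""
    results = []
    for desc, argv in plan:
        if dry_run or sys.platform != "win32":
            results.append((desc, None))
        else:
            results.append((desc, subprocess.run(argv, capture_output=True).returncode))
    return results


def remove_dll(path):
    """Delete the file now; if Windows still has it mapped, queue deletion for the next boot."""
    if not os.path.exists(path):
        return "missing"
    try:
        os.remove(path)
        return "deleted"
    except PermissionError:
        if sys.platform != "win32":
            raise
        import ctypes
        # MoveFileEx with a NULL target and this flag records the delete in
        # PendingFileRenameOperations, which the kernel applies before the shell starts.
        MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
        if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError()
        return "scheduled-for-reboot"


def scratch_file():
    """Create a throwaway file so remove_dll() can be exercised on any OS."""
    fd, path = tempfile.mkstemp(suffix=".dll")
    os.close(fd)
    return path


if __name__ == "__main__":
    for desc, rc in execute(removal_plan(CLSID, DLL), dry_run=True):
        print(f"[dry run] {desc}: rc={rc}")
    print(remove_dll(DLL))   # "missing" anywhere but the infected machine
```

The script needs an administrator prompt for the reg deletes and for the reboot-time delete. After running it and rebooting, take a fresh HijackThis log: if the O2 line is back, the DLL was re-dropped by something else (an O4 startup item, an O16 control, a process in the list), and that is the thing to remove next.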
 
Seems like a 'false positive' to me, Marge doors.

You've got so many apps for removing spyware that it's causing a 'bitching match'.

Just use one. Uninstall the ones you don't use that much and leave one in; I suggest keeping either M$ or Spybot as the main app.
 
Lee said:
Seems like a 'false positive' to me, Marge doors.

You've got so many apps for removing spyware that it's causing a 'bitching match'.

Just use one. Uninstall the ones you don't use that much and leave one in; I suggest keeping either M$ or Spybot as the main app.


I've never seen a false positive. Could you give me an example?

If you are going to limit yourself to one removal program, stick with MS AntiSpyware. I suggest using them all in conjunction with HijackThis scans.
 
OK, did you install WinPatrol?

If so, right-click on the dog (give him a bone or a biscuit :) ), choose Display IE Helpers, and have a close look.

Leave the SDHelper, that's Spybot; you probably have an Acro one, that's Acrobat Reader. There may be one from your virus killer as well.

Anything else, BIN IT; you can click Remove, or right-click and choose Remove File on Reboot.

Next, right-click again and choose Display Services, tick the Non-M$ ones box, and have a good look; any you don't know what they are, disable them. You can always re-enable them after!
 
Mastershakes said:
I've never seen a false positive. Could you give me an example?

If you are going to limit yourself to one removal program, stick with MS AntiSpyware. I suggest using them all in conjunction with HijackThis scans.

Like using two antivirus applications (or more) or more than one firewall.
 
Lee said:
Like using two antivirus applications (or more) or more than one firewall.

Lee, this is a bit unfounded. A spyware scanner is FAR different from an antivirus or a firewall in the sense that it's not memory resident and they will not conflict with one another. Yes, MS AntiSpyware and Ad-Aware have some resident shields you can enable, but just don't... Use them to scan and that's it.

Doing a scan with two spyware removal programs is just like having a second doctor give his opinion on a diagnosis...

It's actually recommended even by Microsoft themselves to use more than one program.

Just read for yourself here: http://www.microsoft.com/athome/security/spyware/spywareremove.mspx

You'll see that even though they recommend using their software (which is VERY good), they also suggest Ad-Aware and Spybot Search & Destroy on top of it, as you can see by this link: http://www.microsoft.com/athome/security/downloads/default.mspx

Spyware companies rely either on their internal testers or the online community to find spyware and build up-to-date spyware signatures. Using more than one program to scan your system only increases your chances that one of the programs you are using will have the definitions to find that very recent and pesky spyware that you can't seem to remove.

Thanks,
 
Marge read these:

http://www.spywareremove.com/remove_begin2search.shtml

http://www.scanspyware.net/info/Begin2Search.htm

http://www.spyany.com/program/article_adw_rm_Begin2Search.html

http://www.techspot.com/vb/topic17297.html

They explain how to delete/remove the "begin2search" adware that you are plagued with.

Hope they help. :)

[edit]
And as for Lee, two antivirus proggies, if they can co-exist, is not a bad thing. Not all AV proggies can find all viruses. And two or three or four adware/spyware detection proggies is also not a bad thing. Ya use one then the other and so on. And yer system is clean. Or so we think. :D

I am of the school of paranoia will keep you safe when it comes to computers.

But two firewalls, first off, don't work together. Too many conflicts. But if you could, why the hell not?

I have a hardware firewall plus software firewall. So what's the big deal? Redundancy is good... to a point. :)
 
Thanks for all the advice, guys. Everything seems to have gone. I daren't open IE now 'cause I know I'm gonna find some other kind of spyware and then I'll have to go through this all over again :rolleyes: :laugh:
 
OK, first off, you can use more than one spyware removal program; it is recommended, but I would only use MSAS, SSD, and Ad-Aware. Most of the other programs out there are either rip-offs of these, or worse.

The index.dat will not cause any problems; it does not have to be removed.

Marge, you should be fine with IE now. Reopen it; if you have more problems, post a new HJT log.
 
All the above. I already sort of knew what to do and had cleared it all out a few days back when it all started happening, but I just ended up going round in circles 'cause as soon as one thing was gone something else appeared.
I've had at least 5 different types of spyware to remove this week alone, all because I have to use IE to view a certain website :speechless: :rolleyes: :laugh:
 