Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

John_Doe

313 Posts

7339

November 24th, 2004 16:00

spyware that can't be removed

i keep getting like a windows type login screen for several sites including ad.doubleclick.net it says connecting and asks for a username and passworld how do i remove this? i also get login screens for other "bad" sites such as adlog.com.com, altfarm.mediaplex.com, ads.com.com, pagead2.googlesyndication.com, etc.
 
i ran ad-aware, spybot, xcleaner, cwshredder, spyware doctore, spysweeper, and couple other spyware remover programs as well as hijackthislog and it still wasn't removed. i have spyware guard and spywareblaster installed. i also have the HOSTS file edited. all are up to date. i also have a pop up blocker.

i have norton antivirus 2004 installed and a firewall.

Message Edited by John_Doe on 11-24-2004 04:21 PM

pskelley

933 Posts

November 24th, 2004 18:00

Hi John, Welcome to Dell Community forum.  Ad.doubleclick.net sounds like a Data Miner/Tracking cookie.  Ad-aware SE and Spybot S&D 1.3 both properly updated and configured should remove it.  Use these two links to make sure you have the newest version and that your configuring is according to the instruction in the links:
 
I need to say that HijackThis does not remove anything of itself.  This is an analysis and repair tool that is used by folks who are trained in it's use to remove malware.  Be careful if you use it, as you are looking at the good as well as the bad.  If you want us to take a look and advise you, post that log here. Make sure your version is 1.98.2 and use reply to stay in this same thread.  Thanks...pskelley

John_Doe

313 Posts

November 24th, 2004 18:00

i ran both spybot and adaware still didnt fix the problem they have the most up to date definitions and the programs are up to date also. it asks for a username and password to log in like a windows log in screen i dont think its a tracking cookie. anyway here is my hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 3:31:16 PM, on 11/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cusrvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Novell\ZENworks\wm.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Novell\Zenworks\naldesk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 4.0\Acrobat\Acrobat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\FeedsBurner2\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eng.fiu.edu/feeds/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

 

 

pskelley

933 Posts

November 24th, 2004 19:00

Ok John, Since you seem to know your way around your computer, I will just share what I found.  I think this:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu  and the RO item probably indicate you are at school and the IP belongs to the school?

Not a safe place for HJT, needs to be in a permanant folder of it's own if you ever use HJT so backups for safety and logfiles you create have a place to store.
C:\Documents and Settings\FeedsBurner2\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
http://www.netstar.me.uk/hjt/hjt.html
 
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
Looks like Wintools was removed with an auto-uninstaller and it is still there, I would think you could remove it if you want.
I really can't see anything in the log that would in dicate the issue you are having.  Perhaps someone else will come along and spot something.
 
Thanks...pskelley

Message Edited by pskelley on 11-24-2004 04:43 PM

View More

View All

No Events found!

Top