HijackThis log - conflicting reports!
Scarlett
06-26-2004, 07:14 PM
As part of a class assignment, I was required to download and run several different spyware detection programs. I already had Spybot Search & Destroy, Spyware Blaster, and Pest Patrol installed. So, I downloaded Ad-Aware, NoAdware, SpywareBegone, and Spysweeper. The programs that want me to purchase them found the most problems, but they couldn't be removed unless I bought the program. Spysweeper just took over and deleted a bunch of stuff--I haven't found a log for what it removed, though. SpywareBegone just popped up on my computer--it apparently has been running in the background--and announced that it had found 27 infections! Among them, allegedly, a fake Yahoo messenger, a key logger referred to as "Zoran Juric" and a bunch of others called Mywebsearch.com. Naturally, this is one of the programs that removes only after purchase.
So, I ran Spybot Search & Destroy and was told I have no infection. Then I ran HijackThis, and I can't find anything in it that looks overly suspicious. Can one of you experts take a look and see what you think and let me know? Also, have you heard of "Zoran Juric"? I have another problem that I will post later, but I always ask first about my HijackThis log! Thanks in advance, Guys! :-)
Okay, just got the message that the post is too long--will post the log only in the next message.
Scarlett
Scarlett
06-26-2004, 07:16 PM
Logfile of HijackThis v1.97.7
Scan saved at 5:39:03 PM, on 6/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\unzipped\BandwidthMonitor\BandwidthMonitor\BandwidthMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
C:\Program Files\Mouse\Mouse Control\Panel.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\Program Files\HiJack This\HijackThis.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [EmsaBandwidthMonitor] C:\unzipped\BandwidthMonitor\BandwidthMonitor\BandwidthMonitor.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
O4 - Global Startup: Mouse Control Center.lnk = C:\Program Files\Mouse\Mouse Control\Panel.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .bat: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for @/a6™`c: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for `ž`6™`c: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37697.7138425926
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Budfred
06-26-2004, 07:23 PM
Unfortunately, you have downloaded and installed programs that are scamware and hopefully you will be able to remove them without too many hassles... Spybot and AdAware are both legit... Spysweeper is legit and one of the few programs you have to buy that is probably worth the money.... NoAdware and SpywareBegone are both scams... They stole some code from legit programs and used it to make their crap look somewhat legit and then they tell you that you have all sorts of stuff on your computer that isn't really there so that you will pay them to remove it... They do a great job removing these non-existent programs, but I am not sure if they would work if you actually had the programs on your system.
Your log looks clean except for the garbage you installed... I urge you to remove them ASAP...
BTW, keep in mind that PestPatrol cannot be trusted either... They identify a lot of false positives... I don't think they are an intentional scam, but they do want to sell their products....
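The review above boils down to reading the log section by section: running processes, the O4 autostart entries, and the O16 ActiveX downloads. The script below is an added example (not HijackThis code and not anything from this thread) that parses a HijackThis-style log and applies two simple reviewer heuristics: an autostart binary that lives outside the usual program directories, or that is registered by bare file name with no path, is surfaced for a closer look, and the download hosts of every O16 control are listed so they can be checked against vendors the user actually recognises. The sample log text, the TRUSTED_ROOTS tuple and the heuristic rules are assumptions constructed for the example. On the log in this thread the first rule would surface the Spyware Begone entry under C:\freescan that the review singled out, but it would also surface the BandwidthMonitor tool under C:\unzipped, which the review passed as harmless, so treat the output as a reading order, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of a HijackThis v1.97 log (a handful of
# representative lines, not the full log from the post).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\freescan\freescan.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.cab
"""

# Directories a reviewer would expect autostart binaries to live in on this
# Windows 2000 box. An assumption for the example, not a HijackThis rule.
TRUSTED_ROOTS = (r"c:\winnt", r"c:\program files", r"c:\progra~1")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 registry entries: HKLM\..\Run: [Name] command line
O4_REG_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# O4 startup-folder entries: Global Startup: Name.lnk = path
O4_LNK_RE = re.compile(r"^Global Startup: (.*?) = (.*)$")


def parse_hijackthis(text):
    """Split log text into {'processes': [...], 'O2': [...], 'O4': [...], ...}."""
    sections = {"processes": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            sections.setdefault(m.group(1), []).append(m.group(2))
        elif in_processes:
            sections["processes"].append(line)
    return sections


def first_executable(command):
    """Pull the program path out of an O4 command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_startup(o4_entries, trusted_roots=TRUSTED_ROOTS):
    """Return the autostart entries a reviewer should read first, with a reason."""
    findings = []
    for entry in o4_entries:
        m = O4_REG_RE.match(entry)
        if m:
            hive, _key, name, command = m.groups()
            exe = first_executable(command)
        else:
            m = O4_LNK_RE.match(entry)
            if not m:
                continue
            hive, name, exe = "Startup", m.group(1), m.group(2)
        low = exe.lower()
        if "\\" not in low:
            reason = "no explicit path; resolved through PATH/App Paths at logon"
        elif not low.startswith(trusted_roots):
            reason = "binary outside the usual program directories"
        else:
            continue
        findings.append({"hive": hive, "name": name, "exe": exe, "reason": reason})
    return findings


def unusual_processes(processes, trusted_roots=TRUSTED_ROOTS):
    """Running processes whose image lives outside the trusted roots."""
    return [p for p in processes if not p.lower().startswith(trusted_roots)]


def dpf_hosts(o16_entries):
    """Hosts that ActiveX controls (O16 lines) were downloaded from."""
    hosts = set()
    for entry in o16_entries:
        url = entry.rsplit(" - ", 1)[-1].strip()
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    log = parse_hijackthis(SAMPLE_LOG)
    for f in triage_startup(log.get("O4", [])):
        print(f"[{f['hive']}] {f['name']}: {f['exe']} ({f['reason']})")
    print("processes outside trusted roots:", unusual_processes(log["processes"]))
    print("ActiveX download hosts:", dpf_hosts(log.get("O16", [])))
```

Run it as-is to see the sample triaged; to apply it to a real log, read the saved HijackThis file and pass its text to parse_hijackthis in place of SAMPLE_LOG. Adjust TRUSTED_ROOTS to the machine's actual install locations, since the "outside the usual directories" rule is only as good as that list.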
Scarlett
06-26-2004, 11:25 PM
Thanks for the review, explanation, and additional suggestions, Bud. I will remove the offending products post haste. I hope that I will be able to remove everything and that no remnants will be left behind! I got Pest Patrol as a bonus when I bought Zone Alarm. If you think that it is of little or no value, I will remove it also. You made no comment concerning Spysweeper--do you have an opinion on that particular program?
Incidentally, I ran Spybot S&D on one of my Win98 computers, and it found 137 offenders! I tried to have S&D remove all of them, but had to run it again on startup to catch 3 others. Unfortunately, it got only one, and I am running it for a third time to try to grab the remaining two. Is this customary?
With your permission, I would like to post your remarks to our Student Forum. Some of the other students also downloaded these scam programs, and they should be told to remove them. I think that advice would be better coming from an expert than from another student.
It had occurred to me that these programs were reporting non-existent threats, and I even mentioned that possibility in my review and comparison of the various programs. It is nice to have my suspicions confirmed by an expert!
I told the group about HijackThis, and I also warned everyone not to remove anything until after the log was reviewed by the experts. If it's okay, I will refer them to this forum. I have always received the best and most useful advice right here, and I am most appreciative.
I have two other perplexing problems that I will post just as soon as I find the proper forum--they both involve HTML, and one concerns my website and my inability to "see" a link that I have coded. The other is an HTML attachment that was sent to me in email. I can read the text, but I can't "see" the image! Hope you have a forum that pertains to HTML problems. :)
Thanks again!
Scarlett
Scarlett
06-26-2004, 11:30 PM
Sorry, Bud! I just noticed, after checking it three times, that I said you made no comment regarding Spysweeper. Obviously, that is incorrect. I meant to say, "Spyware Blaster." If you have an opinion on that one, I would like to have it.
Sorry for the confusion,
Scarlett
Mark Miller
06-26-2004, 11:59 PM
I use SpywareBlaster and it is a great program. There is a free version and one you pay for.
Budfred was one of the people who suggested I try it, especially with IE. It works in the background; you don't have to do anything but keep it updated and let it block everything. Never even notice it's there.
Check every few days for updates.
Mark
Scarlett
06-27-2004, 12:27 AM
Thanks, Mark! Which version do you use?
Scarlett
Mark Miller
06-27-2004, 12:37 AM
Hi Scarlett,
version 3.1
If you are using anything older, go to the site and follow their uninstall reinstall for 3.1
I am not sure but I don't think you can just update the version.
Mark:)
Scarlett
06-27-2004, 12:52 AM
Thanks again, Mark! I don't know which version I have, but I will check. I'm pretty sure I am using the free version, though, and that's really what I was asking you. Did you pay for your version?
Thanks,
Scarlett
Budfred
06-27-2004, 01:34 AM
The author of SpywareBlaster takes donations, but I don't believe there is a pay version... I think there is a pay plan if you want to set up autoupdates with the new version... And yes, SpywareBlaster is one of the best....
IE-Spyads is also a good free program to use if you still use IE...
There are a number of good spyware programs out there, but there are also a large assortment of scam programs that are as bad as the programs they claim to fight... Virtual Bouncer is one of the absolute worst... It installs like a virus and then offers to clean up your system in intrusive popups... Just plain evil...:mad:
You can certainly share this info with your class... the more people that know about this stuff, the better....
You may also want to check out SpywareInfo for lots more info and program alternatives...
http://www.spywareinfo.com/
Paleo Pete
06-27-2004, 02:10 AM
Several programs have been released that masquerade as spyware removers, while actually being spyware themselves, or installing it. Spyware Nuker (http://camtech2000.net/Newsletters/a_new_spyware_tactic.htm) is one of them. The article in that link has some pretty good info about it, a good description of how most of them work, and some quotes from their EULA, which they know 99% of the users who install it DO NOT READ...which they definitely SHOULD READ these days...
Here is a list from the Lavasoft Forums (http://www.lavasoftsupport.com/index.php?showtopic=31627) of fake spyware removal programs. Take it with a grain of salt, no telling how well it was researched, but I know for sure several on that list are fakes, I've removed them and some have been discussed here on the forums before.
The ones you can trust are in Budfred's signature, and on mjc's site too. I think Whyzman has a list of them in his signature as well. Strange thing is, the best of them are all free ones...Spybot, Adaware, Zone Alarm, Hijack This...hmmmm...makes you wonder huh...