Hi, can someone give me some advice please?
 I keep getting popups all the time on my machine from Vegas Red Casino, Golden Palace Casino, Chrysler, Capital One and others telling me I have SPYWARE on my system. Some are from sandboxer.com.
 
 I've run Adaware, Spybot S&D, WinPatrol, Spyware Doctor, System Mechanic 4 Pro, Tweak Now, yet still can't get rid of the *censored* things!!
 
 I've run HijackThis and it seems there is an .exe file (I may be wrong) that's causing the damage. The problem is I can't get rid of it, and it seems to change name all the time to make it more difficult to spot.
 
 I'm running Windows 2000.
 
 Below is my HijackThis log:
 
 Logfile of HijackThis v1.97.7
 Scan saved at 10:43:37, on 06/08/2004
 Platform: Windows 2000 SP4 (WinNT 5.00.2195)
 MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
 Running processes:
 C:\WINNT\System32\smss.exe
 C:\WINNT\system32\winlogon.exe
 C:\WINNT\system32\services.exe
 C:\WINNT\system32\lsass.exe
 C:\WINNT\system32\svchost.exe
 C:\WINNT\system32\spoolsv.exe
 C:\WINNT\system32\drivers\CDAC11BA.EXE
 C:\WINNT\System32\CTSvcCDA.exe
 C:\Program Files\NavNT\defwatch.exe
 C:\WINNT\System32\svchost.exe
 C:\Program Files\NavNT\rtvscan.exe
 C:\WINNT\System32\nvsvc32.exe
 C:\WINNT\System32\WBEM\WinMgmt.exe
 C:\WINNT\System32\mspmspsv.exe
 C:\WINNT\system32\svchost.exe
 C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
 C:\WINNT\system32\CCM\CcmExec.exe
 C:\WINNT\Explorer.EXE
 C:\WINNT\system32\Promon.exe
 C:\Program Files\Creative\ShareDLL\CtNotify.exe
 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
 C:\Program Files\NavNT\vptray.exe
 C:\Program Files\Creative\ShareDLL\MediaDet.Exe
 C:\Program Files\Pop-Up Stopper\dpps2.exe
 C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
 C:\WINNT\system32\BdqGNk.exe
 C:\WINNT\system32\Nok0jVLx.exe
 C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
 C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
 C:\Program Files\Browser Hijack Blaster\bhblaster.exe
 \sqlserv2\agrnew\client32\Agresso32.exe
 C:\Program Files\Internet Explorer\IEXPLORE.EXE
 C:\Program Files\Internet Explorer\IEXPLORE.EXE
 C:\MY DOCUMENTS\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isa:8080
 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.internal.uwic.ac.uk;*.uwic.ac.uk;
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
 F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
 O4 - HKLM\..\Run: [Promon.exe] Promon.exe
 O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
 O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
 O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
 O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Pop-Up Stopper\dpps2.exe"
 O4 - HKLM\..\Run: [[emailprotected]] C:\WINNT\SYSTEM32\KYJNPEX.EXE
 O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
 O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
 O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
 O14 - IERESET.INF: START_PAGE_URL=http://www.uwic.ac.uk/uwicnet/staff
 O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://64.85.20.106:8079/Java/cfs31218.cab
 O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime OBJECT) - http://www.apple.com/qtactivex/qtplugin.cab
 O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
 O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/28d1d99487d33c2f7714/netzip/RdxIE601.cab
 O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
 O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
 O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38054.191724537
 O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.uwic.ac.uk
 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.uwic.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.uwic.ac.uk

Try shredder: http://www.thespykiller.co.uk/ and see if it helps. Also, I have noticed references to remote access, and these look suspect:

C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe

This may be the cause of your page being hijacked:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isa:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride

The best thing to do is type msconfig in the run box, startup-folder, and see which processes are running. When you scan for trojans etc. it may pay to disconnect your PC from the net. Get a firewall; it may stop some of it.

Properly configure Adware and the other programs you use.
 
 Configuring them to load at Windows startup is very effective.
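
Added example, not part of the original posts: since the poster reports an executable that keeps changing its name, one way to spot it is to save two HijackThis logs at different times and diff them. The function names and the second scan (including `Xq7example.exe`) are constructed for illustration; the first scan is an excerpt of the log above.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] target".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_hijackthis(text):
    """Return (running process paths, [(code, data), ...]) from one log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def _rows(text):
    procs, entries = parse_hijackthis(text)
    rows = [f"process: {p}" for p in procs] + [f"{c}: {d}" for c, d in entries]
    return {r.lower(): r for r in rows}  # Windows paths are case-insensitive

def diff_scans(old_text, new_text):
    """List rows that appeared or vanished between two scans."""
    old, new = _rows(old_text), _rows(new_text)
    return {"appeared": sorted(new[k] for k in new.keys() - old.keys()),
            "vanished": sorted(old[k] for k in old.keys() - new.keys())}

# Excerpt of the log posted above.
SCAN_A = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BdqGNk.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""
# Constructed second scan: Xq7example.exe is a made-up name, not from the page.
SCAN_B = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\EXPLORER.EXE
C:\WINNT\system32\Xq7example.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [example] C:\WINNT\system32\Xq7example.exe
"""

if __name__ == "__main__":
    for kind, rows in diff_scans(SCAN_A, SCAN_B).items():
        print(kind, *rows, sep="\n  ")
```

Rows that differ only in letter case (Explorer.EXE vs EXPLORER.EXE) are treated as unchanged, so only the renamed process and the new autorun entry are reported.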