#1
CW has got me in its grips, help.
Thank you for any help anyone can give me. I've tried various things; nothing seems to have any effect. I have booted into safe mode, run Ad-Aware, Spybot, Spyware Doctor and CW Shredder, but as soon as I boot back into normal OS, global find / gt.true-counter.com is back.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:14:08, on 05/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\radar\LOCALS~1\Temp\541f4ec9.exe
C:\WINDOWS\System32\svchost.exe
J:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: mbnLNCggu - {54A7BAB6-FE0D-101C-0DB0-954C73E9E02D} - C:\WINDOWS\System32\wrdys.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing)
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you in advance for any help anyone may be able to render.

Last edited by radarhead; 03-05-2005 at 06:41 AM.

#2
Ummm,
I don't see spybot as TURNED on.. spybot, Advanced mode, tools resident, turn BOTH on. teatimer watches your reg. What version of shredder you got.. There's one out there that's upgradeable, works pretty good, until NEW version is released. CWS is the meanest thing out there..
__________________
Don't screw yourself, there are enough Others out there that will do it to you, Gladly. Long distance tech support = anything that's more than 10 feet away. How many ways to UNinstall from windows. 4, how many work? 1 (maybe). GET anti virus, spybot, spy blaster, Adaware...RUN THEM, UPDATE THEM, RUN EVERY WEEK.

#3
Hi and thanks for the swift reply. Everything I am using is of the latest version. I have teatimer and sdbot running once again, not sure why I stopped them. Just in case I missed something I repeated the clean procedure, i.e. I booted in safe mode, ran hijackthis, fix checked, ran spybot, cleaned any problems, ran ad aware which found no problems at all, ran cws which did not detect any CS. My Internet Explorer was clean. I boot back into normal OS, make sure teatimer and sdbot are running, open IE and straight away the homepage has changed and I'm still getting the true counter style sheet change. teatimer asked whether I should allow the homepage change from blank to webtracer, I denied the change but it went ahead regardless. Latest log.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing)
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Once again thanks for any help anyone may be able to render.

#4
OK,
Here's how to read this.. the TOP section is RUNNING process...Basic background. Looks like you got 2 ATI drivers running..
C:\WINDOWS\System32\Ati2evxx.exe
Got 2 of these...spybot, tools, STARTUP, can turn 1 off, if you look for it..
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
This is the FUN part...I DON'T think you have 2 windows open.. But IE is running in the BACKGROUND, doing something. Going to refer you to another location...The last few posts tell you what was done.. Do you like working in the REG???
http://forums.thetechguys.com/showth...1326#post61326
__________________
Don't screw yourself, there are enough Others out there that will do it to you, Gladly. Long distance tech support = anything that's more than 10 feet away. How many ways to UNinstall from windows. 4, how many work? 1 (maybe). GET anti virus, spybot, spy blaster, Adaware...RUN THEM, UPDATE THEM, RUN EVERY WEEK.
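
The reading of the log described in the post above (running processes at the top, coded entries below) can be automated for a first pass. This is an added example, not code from the thread or from HijackThis; the sample lines are abridged from the logs posted above, and the triage rules (duplicate process paths, a process running from a Temp folder, "file missing" targets) are assumptions that give hints for a closer look, not verdicts.

```python
import re
from collections import Counter

# Abridged from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\DOCUME~1\radar\LOCALS~1\Temp\541f4ec9.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "R0 - ...", "O23 - ..."

def parse(log):
    """Split a HijackThis log into running processes and (code, text) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False  # the first coded entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def review(log):
    """Return (reason, item) pairs worth a closer look (assumed triage rules)."""
    processes, entries = parse(log)
    counts = Counter(p.lower() for p in processes)  # Windows paths ignore case
    notes = [(f"running {n} times", p) for p, n in counts.items() if n > 1]
    notes += [("runs from a Temp folder", p) for p in processes if "\\temp\\" in p.lower()]
    for code, text in entries:
        if "(file missing)" in text:
            notes.append((f"{code} target missing", text))
        if code in ("R0", "R1") and "=" in text:  # IE start/search page values
            notes.append((f"{code} browser setting", text.split("=", 1)[1].strip()))
        if code == "O19":
            notes.append(("O19 user stylesheet", text))
    return notes

if __name__ == "__main__":
    for reason, item in review(SAMPLE_LOG):
        print(f"{reason}: {item}")
```
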