Ask MetaFilter posts tagged with spyware

Webmail can get hosed too?

Iosephus — Mon, 18 Aug 2008 15:35:29 -0800

Is there a nastyware lurking in this computer? Strange Yahoo! Mail contact list kidnapping observed... A friend of mine suffered an odd incident on their Yahoo! Mail account, which they only use through their browser: a spam message from some consumer electronics company (that some googling reveals is a probable fraudster) was sent to all their contacts, and the contacts seem to have been deleted after that. They have changed the password and recovered the contact list, but since they are not really computer knowledgeable and I have no access to their machine (a typical Win XP system), not much else to be done there. Some more googling shows up another cases like theirs, but no identification of the nasty. Besides my willingness to help save their bacon, I'm curious about what kind of thing would this be and how it did its trick, able to sneak into a webmail access and spam around the contact list. I'm not linking to the fraudster so as not to give them traffic, but their site as mentioned also in the spam starts with an e, then a dash, then saloon dot com.

Badware (or why I can't get to Gmail.)

Arquimedez Pozo — Sun, 20 Jul 2008 09:33:41 -0800

I have some sort of malware on my Dell that constantly redirects me away from where I desire to go. Specifically, it seems to prevent Gmail from working. Also prevents any major search site from loading. Always redirects to some idiotic ad site. Which means I can't even search Metafilter to find out if this has been asked before. Life without Google is hard!
I'm running an updated Firefox with windows XP. I have used: Hijackthis, Adaware, McAfee (worse than useless), Spyware Doctor, Ewido, Everything in the Best Buy toolkit
(kind of like hitman pro), and Sophos. I can detect and delete a gobbledigook DLL running as an .exe when I use Hijackthis, but it respawns when Firefox restarts. I'm not an idiot, but have only enough knowledge of the processes involved to be dangerous. It also seems to disable Windows Automatic Update service. I've done an end run around my inability to use Gmail by using thunderbird.

Any suggestions? If the only answers left are reformat, reformat and buy a new machine I can accept that.

FYI: I was running as an admin, a mistake not to be repeated, but something has disabled those privileges, and that something wasn't me.

And yes, my next computer will be a Mac.

What is this mysterious process that hijacked my shortcut?

Optimus Chyme — Wed, 04 Jun 2008 10:11:20 -0800

What is this mysterious process that hijacked my shortcut? I was using Photoshop CS2 and entered the shortcut key for "Save for Web" (Alt+Shift+Ctrl+S) and instead of getting the Save for Web dialog, a very minimalist login box appeared. Intrigued, I brought up the Task manager, right-clicked on the "Login" entry in the list, and selected "Go To Process." The process turned out to be C:\WINDOWS\SYSTEM32\vidifker.exe. This is on Windows XP Pro 2002 SP2.

All web searches for vidifker turn up nothing; if this is a virus or trojan, it's probably trivial for it to generate different names for itself. But then why was it so easy to find? Is it a keylogger? Commercial monitoring software? Is anyone familiar with any of this?

What has hijacked Firefox?

NorthCoastCafe — Sun, 18 May 2008 17:14:23 -0800

My Dell Win XP laptop caught some kind of infection via Limewire which blocks Firefox from loading and produces contast popup ads via IE. I never use IE. I've removed Firefox and redownloaded it. Still doesn't load. I've run Ad-Aware, RegScrub, and every other spyware program I know about. What happened, and how do I fix it?

spyware is killing me.

likeapen — Sat, 17 May 2008 12:25:24 -0800

Spyware infected. Help! So my pc is infected with some spyware. I keep getting pop-up from my system tray and internet explorer window. And my desktop background changed, saying "warning spyware threat has been detected on your pc". I downloaded hijackthis to do the logfile and i'm trying to download ComboFix, but the links they have up to download combofix don't come up. Can anyone help me? Below is my hijackthis logfile...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:17 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\xwusuhzh.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmona.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\Penelope\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=salrecio123&key=b3b4bd844209d892e645b93683ae30ec&ts=41dc097d&A=368498140004309&B=1104825600000&C=1104825600000&D=1099814400000&I=7.NH4&N=PLHS&O=I
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\RunOnce: [Ceedo Repair] C:\DOCUME~1\Penelope\LOCALS~1\Temp\AutoDetect.exe /repair /drive=G /name=Ceedo
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Sonic INSTALLit! Setup.lnk = C:\Documents and Settings\Penelope\Local Settings\Temp\VIES2786\Setup.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe

--
End of file - 15937 bytes

Someones Watching

Anonymous — Mon, 17 Mar 2008 09:10:59 -0800

I believe that my soon to be ex-wife has installed software on my laptop (Win XP) that allows her to remotely monitor my web activity. How can I find and disable this?

New software for a new computer?

®@ — Sat, 23 Feb 2008 08:39:31 -0800

I'm setting up my spankin' new computer. So far I've downloaded AVG as my anti-virus solution, but I'm not sure which way to go for anti-spyware. Is Ad-Aware still any good? Should I use ZoneAlarm (which doesn't play nice with Adaware), or is there something better? And does anyone have experience with AVG's anti-spyware setup? I realize that ZoneAlarm serves more of a "firewall" niche, so input / corrections are appreciated. Anyone have experience with AVG's anti-spyware solution?

Can someone explain this mysterious page hijacking in Google?

ManInSuit — Tue, 27 Nov 2007 10:40:05 -0800

Can someone explain this mysterious page hijacking in Google search results? Something really weird is happening involving Mrs. ManInSuit's web site, Google, and maybe some other factor I can't understand.

For some reason, her site has been taken over by some creepy spyware site, but only when linked to through google search results.

Here’s the deal:

- I open Firefox.
- I go to google, and type "Margaux Williamson" (with quotes)
- The first hit is www.margauxwilliamson.com. That's her site.
- I click that link.
- A weird scary spyware site comes up.

What's super strange is- If I just paste www.margauxwilliamson.com into the address box, everything is fine.

I tried it on my computer, and her computer, and phoned a friend to have him try it. We all got the same weird result. (the friend is near by, and on the same ISP, so maybe it's specific to that).

Anyone have any idea what might be the cause of this? I'm baffled!

Is Windows Defender actually doing anything at all?

chorltonmeateater — Tue, 13 Nov 2007 00:00:48 -0800

What the hell is Windows Defender actually doing all day? It seems do precisely nothing on my machine. No matter what I install, I never see a single pop-up window, even when that software makes changes such as adding itself to the startup list, or when it does anything really. I also see a warning icon in the system tray every month or so saying I've not done a scan in 27 days, even though it's set to scan automatically every day at a time when the computer is almost always on.

Is the program just extraordinarily effective at detecting spyware and only spyware, or is it just sitting there wasting system resources for no reason whatsoever? Is it worth replacing with another program, like Spyware Terminator?

My Registry Feels So Dirty - Do I need to further de-virus my computer?

CRS — Mon, 30 Jul 2007 07:30:55 -0800

Apparently, my Dell laptop was hit with a virus this weekend. I fixed the problem by using the Windows XP reinstallation disc to repair it. Do I need to do anything else? My laptop froze up this weekend and when I restarted it, I could not get past the splash screen. Every time I tried to log in, I was immediately logged out. The problem is exactly described in this article at Microsoft Support, which indicates a virus rotorooted my registry.

Anyway, I did not have access to this support article until after I repaired my machine by using the XP reinstallation disc. After setting loose the repair function, everything works. However, I am concerned that I will still have something malicious lurking about my computer.

Is there anything else I need to do to make sure my computer is clean? I run AVG and Spyware Terminator for virus/spyware protection.

A different kind of malware test

tdreyer1 — Wed, 04 Apr 2007 17:34:18 -0800

I need help finding an online security quiz I took a year ago or more... I seem to remember an online security quiz that had pictures of certain websites and had you compare two offering similar services. The thing was one of them would give you spyware while the other was good. My google-fu is failing me and I cant seem to find this anywhere.

Windows 2000 box reboots on dial up

PenDevil — Wed, 14 Mar 2007 00:47:44 -0800

How can I repair a Windows 2000 box that reboots upon dialling up to the internet? My mother-in-laws Windows 2000 box has started rebooting when it dials up to her ISP. I suspect some virus/spyware has managed to get it's claws into the system and is being activated when it connects to the internet which then causes a reboot due to some incompatiable/malicious code.

I've downloaded the latest versions of AVG/Ad-Aware/Spybot S&D and run them and they found a few problems and cleaned them up but the rebooting still occurs.

Is there an easy way to repair this system? I have the Windows 2000 installation disks. I also have a OEM copy of Windows XP that has yet to be installed. If I upgrade from 2000 to XP would that work? Will it import all her settings/passwords across?

I'd prefer not to wipe the machine clean if I can avoid it due to her not knowing what her various passwords are (dial-up, email, internet banking).

Legal recourse for computer espionage in Canada

pandaharma — Tue, 13 Mar 2007 11:06:30 -0800

Canada and Computer Espionage: What legal recourse is available in this situation? To make a long story short, I have a close friend in Toronto who once had a long relationship with a prominent lawyer there. Despite the fact the lawyer eventually married someone else, he can't seem to let my friend go and has become verbally abusive to her.

Because they had two children together, he still comes to her house on a regular basis and is sometimes left alone in her house with the children while she works or runs errands. On one of his recent visits, he installed some spyware (a keylogger and something which allows remote access). She knows he has done this as he's admitted he's spied on her and has used the information from the spyware as fodder for his many temper tantrums.

And apparently the spyware doesn't only report to the lawyer. The backdoor in her computer has also led to identity theft and loss of funds in her bank accounts.

While it would be possible to clear out this spyware, I've suggested to her that we keep it on the system temporarily. as evidence for possible legal action, if that becomes necessary.

But I'm pretty clueless as to Canadian law. Is this a prosecutable offense in Canada? If so, would a preserved hard drive, a journal kept of the things he's said, and bank records showing the theft be sufficient evidence? As far as I know, there are no other witnesses other than her small children.

And, I know in the US, most states would disbar a lawyer upon conviction and the lawyer would be under a cloud just from the charges. Would this be the case in Canada?

Thanks in advance. I know ultimately she needs to get a lawyer of her own, but she's trying to avoid that as long as possible because of her ex's status in the legal community. So I wanted to know if she's on the right track with her actions or if this is a fruitless endeavor.

How to safely run Windows on a Mac?

raf — Sun, 18 Feb 2007 22:04:12 -0800

What do I need to know in order to safely run Windows on my Mac? I've used Macs forever and gotten used to not being scared of viruses, spyware, &c. When I do use Windows, it's on a work computer that's secured by a not-incompetent IT staff. I've never done the secure-your-Windows-machine thing on my own.

I want to install Windows (probably XP, but perhaps Vista) on my Mac using Parallels. What do I need to do to keep that installation safe from bad guys lurking on the Internets?

Adware everywhere

Venadium — Wed, 07 Feb 2007 13:53:51 -0800

Please help me get rid of this spyware infection before I just give up and re-install Windows. My PC is infected with what seems like at least 2 or 3 different varieties of spyware/adware/malware. This started happening a day or two ago after someone else in the house fell for a MySpace bulletin posted under someone else's phished/hacked account. I hardly ever actually use my PC so I didn't notice until this morning.

I've got a small blinking icon in my taskbar that alternates between an X in a circle and then a question mark. It pops up little messages about "Critical System Errors!". From what I understand, this is a malware program named VirusBurst.

The most noticeable problem though is whatever that's installed on here and is opening Firefox windows to various ads and webpages. It happens in bursts, up to 4 or 5 popups at a time, and seems to happen randomly. While typing this, it's only happened once, but in the time it took to get over to AskMefi it happened 2 or 3 times.

The worst part of all of this is that there seems to be yet another malware program that closes Lavasofts Ad-Aware or SpyBoy S&D before they even start. It will also close any browser window that I use to try to search for Ad-Aware or any other spyware removal tools. This is supposed to be something called CoolWebSearch, but every tool I try which is supposed to remove CoolWebSearch claims that it can't find it on my system.

So what can I do, other than giving up and reinstalling Windows (along with all the software and games that are currently installed)? I can post a HijackThis log if anyone asks for it.

Help me find out if someone is spying on my computer

RustyBrooks — Thu, 04 Jan 2007 10:08:23 -0800

Can you help me diagnose if someone is spying on my computer? I think there is some kind of spyware installed on my computer, and I somewhat suspect that there is an actual person using it to spy on my (as opposed to generic spyware that is sort of a bot sending info about me somewhere).

(Note, my computer is a Win XP machine)

I first noticed that sometimes my cursor would jump around kind of suspiciously, jumping often to the start menu location or maybe one of the other corners of the screen. There are a few other symptoms but no point in going into it here. I started poking around, starting first with the normal standard tools. HijackThis, AdAware, Spybot Search and Destroy, etc. Not much is coming up.

I do an nmap from a trusted computer on the computer I think is being spied upon. I do a TCP and UDP scan and here are some select entries:

1664/udp open|filtered netview-aix-4
1666/tcp open netview-aix-6

A quick google search shows that this is usually some kind of network monitoring program. Note that this doesn't necessarily mean that's what is running on that port... I telnet to that port and I get:

TTxfiles5server3server220revver5nocasefunprotocol

No idea what this is supposed to be.

Of course, my network is fairly locked down so I don't think anyone can GET to this port from outside, but I think it might indicate that something nefarious is running, and that nefarious thing might connect from my network to some other computer somewhere.

There is also something running at port 8080. 8080 is usually a web proxy port but I don't think I have anything running which would qualify as a web proxy.

I have a lot of experience with computers and a decent amount of experience with computer security. I'm hoping someone can help me find out what might be running on my computer (if anything), how to get rid of it, and, to my mind, how to find out who or what it is.

As sort of a caveat/afterthought... I play poker to supplement my income (it amounts to about 1/4 to 1/3 of my total income) so if someone is watching me, this would be very, very bad, and honestly, I've had some reason to believe that someone might be watching me, in this regard.

I've started doing ethernet packet capturing both on the affected machine and on the network as a whole, and I hope to find something in that. There's an awful lot of data to go through, though.

Unwanted Connection

IronLizard — Sun, 24 Dec 2006 05:53:53 -0800

Something verycurious is going on in the bowels of my PC. (Warning: Don't bother going to the URL, it's very spammy)

Some time ago netstat revealed and open connection to verycurious.com. Further investigation with netstat -b revealed that my shell, litestep, was the source of the connection, (though it's probably a DLL running it). Googling it found this forum post, but my search pages haven't been hijacked. Blocking it with my hosts file failed because it changed to s3a.verycurious.com. I then blocked this in hosts and it's still there after re-booting.

What gives? I've done grep style searches of the hd, searched the registry and come up blank. Why is this connection present? Who is it? Does anyone else have it?
(The obvious eg. spyware scans, hijackthis, antivirus and rootkitrevealer have all been done multiple times along with most of the things in that thread)

Running WinXPSP2, Sygate pers firewall pro, ewido, and avg. With sysinternals process explorer as task manager.

Is a P2P download safe?

chef_boyardee — Sun, 08 Oct 2006 18:45:04 -0800

Two-pronged question: (1) How common are virus/spyware-infected applications on P2P, assuming the filesize is big (50+ MB) and it's not one of those stupid 50 KB bait files? (2) Are there any good free or shareware virus scanners that are especially designed to examine the contents of executable setup programs? Most protection programs just look at existing files on a hard drive. Short background story on this:

(1) I always buy software, but in this case I found a useful application that hasn't been on the market for awhile, even as an upgrade.

(2) Last time I tried buying a virus protection system with Mcafee or Norton (not sure which), it was offered only as a service that required renewal. Given all the fine print on their site I had a hunch that they were going to sign me up for stuff I didn't want and make it a PITA to cancel.

Thanks.

Does the music industry sponsor spyware companies ?

jacobean — Fri, 29 Sep 2006 11:23:09 -0800

Does the music industry sponsor spyware companies ? I was speaking to an elderly neighbour recently who really said something that got me thinking.

I told him loads of people don't have to buy music anymore as you can just download it free from the internet. We got talking about the internet etc.

He then said to me "It's obvious whose making this spyware stuff then - the music industry isn't it ?"

Well doesn't it make perfect sense. People who download music get their computers so slow they can barely function. The ultimate anti-dote to downloading "free music" - so is it the music industry who finances the production of spyware ?

Can you suggest me some security software which supports remote management

empedia — Thu, 28 Sep 2006 06:37:19 -0800

I have recently started a new job in charge of IT in a small lab <10 people. A while back the lab was badly hacked into and data etc. was lost (there is evidence this was an inside job btw). As part of my remit I am in charge of making sure this doesn't happen again. The company has a site license for anti-virus software so that is not an issue however we currently have no anti-spyware, personal firewall or rootkit / trojan detector etc. What I'm looking for is one or more products which I can install on the user's workstations which are effective in these areas. The most important point apart from actually working of course is that I can centrally administer the software and monitor what is going on - edit firewall rules etc. So what products would you recommend that might satisfy these requirements. Oh yeah all users including myself are running Windows XP so cross platform is not a problem.

Computer Protection Over-Kill

Smarson — Thu, 24 Aug 2006 11:08:37 -0800

What are effective anti-virus and anti-spyware programs that work in harmony? I recently attempted to save a relative's computer from the depths of virus and spyware hell (a foolish attempt, I know) and not only failed, but also managed to turn the laptop into an authoritarian regime of "you sure you wanna execute that program???" x infinity.

Needless to say the computer's hard drive will undergo a reformatting shortly (what I should have done in the first place). However, once that is completed, what melange of anti-virus and anti-spyware programs should I look into that will play nice together?

Here is a list of programs I had running simultaneously which not only bogged down the poor laptop's processor, but also objected to nearly everything you tried to do on the computer except empty the recycle bin.

*ad-aware - Love this program and have used it since college

*Spybot - Search & Destroy - Had heard good thing about this program but never used it until recently

*ewido anti-spyware - This was something I found recommended here on AskMeFi, but it would often go nuts when activated and want to go total war on everything from temp files to cookies.

*smitRem - Was using this to try and get rid of the dreaded SpywareQuake

*ToolBar Cop - Was instructed to use this in combination with smitRem to get rid of SpywareQuake

*Kaspersky Anti-Virus 6.0 - Downloaded this also on suggestions from MeFi users and it too seemed to like to freak out attack anything that moved. It seemed a little trigger happy and actually deleted some executables that disabled explorer (I've since sold said relative on the glories of firefox).

*ClamWin Anti-Virus - I'm a huge fan of opensource stuff and I'd heard raving reviews about this program so I added it to the party. I think it does a great job, but it's scans took for.ev.er. I left it on over-night and still had to wait until noon the next day. Ever more frustrating, once it was finished, it didn't give an option to delete the identified threatening files (at least no option I could find).

Bottom line: With the newly reformatted hard drive, what combination of these (or other programs) could I use to combat spyware/ malware and protect against viruses without sparking a turf war?

How do I get rid of this email virus?

fvox13 — Mon, 14 Aug 2006 06:39:16 -0800

I'm at my wit's end trying to remove this virus! My boss brought in his computer (WinXP Pro SP2) for me to work on, complaining of popups and such. I ran scans with Norton, AVG, Avast!, AntiVir, Spybot, AdAware, and Stinger, but it's still infected with something. I even tried creating a new profile and copying over his documents... that didn't work either.

Within minutes of plugging in a network connection, it attempts to email hundreds, if not thousands, of emails. Most of these are being sent to hotmail accounts, and they seem to have a subject line of "fledge". I wouldn't even know these emails were being sent if he didn't have Symantec Email Proxy installed. I could uninstall it, and it would fix the popup issue, but the computer would still be infected with something.

I've tried to find a site where you can search viruses by symptom, but so far I haven't been able to find one. Does anyone have any suggestions for either removal or where I could research this further?

"The web is with you, young Skywalker. But you are not a Jedi yet."

EatTheWeak — Fri, 11 Aug 2006 10:23:21 -0800

"I want to come with you to Redmond and learn the ways of the Registry. I want to be Teh Haxorz, like my father before me." Good morning, hive mind. I have grown tired of the stressful life of a noob technochondriac, and seek self-education that will allow me to use my computer with confidence.

With the help of three dear friends, I built a powerful PC. My friends with know-how have already gone above and beyond in helping me learn my way around Windows. I've no wish to trouble them further with my ignorance and panic. My computer has slowed a bit from lunging, mercurial machine it was in the first weeks after assembly. I open the task manager and examine the Processes list, but really don't understand what I'm looking at. Is that stack of "svchost.exe" a spyware cell or a routine process? Without straining the patience of my friends, I have no way to know for sure.

So self-reliance is the answer. I've heard tell that mastering the arcane art of The Registry is the key to supremacy for Windows XP. I've also heard that this is a most dangerous place to meddle. Please, mefites, if you can think of a web resource on registry management written with the beginner in mind, I would very much like to begin my training. Being that I'm a luddite at heart, I'll even settle for a book.

Useful pieces of registry manipulating software are also appreciated, but I'm more interested in developing the knowledge that will help me appraise a program's usefulness for myself.

My main aims are to get my computer running at peak efficiency, tightening up security by learning how to spot malware's machinations and the ability to spot and correct anamolous behavior before serious damage is done. A tall order, I know, but I've seldom seen this forum stumped.

Your time and input is deeply appreciated.

Anyone found my spyware?

Postroad — Fri, 26 May 2006 08:11:49 -0800

Where does my spyware go? I go to many sites on the net, searching for links for my daily blog. At the end of the day, and because I am using my son'slaptop now--he wants to keep IE Explorer as browser--I run a scan and delete some 20 or so pieces of spyware. Si.nce I post throughout the day before scanning, does this spyware get past on to viewers opening links at my site? Or are they kept at my site till removed.

downloads sans spyware?

delmoi — Fri, 19 May 2006 22:19:53 -0800

Is there anywhere I can download software shareware and cost-free software with the assurance that it's spyware free? I've always kept my computer completely spyware free through a strategy of pretty much not downloading anything off the internet that wasn't open source or anything else I could be certain wouldn't contain spyware. But obviously I'm missing out on a lot, and there's at least one thing I need but am worried about downloading (something to convert .bin/cue files to .isos, or burn them. I have an old copy of Nero, but it doesn't recognize my DVD-R drive).

Are there any sites out there that offer 'spyware free' shareware programs? Trying to google for this gets me tons of links for anti-spyware software