Re: [PCWorks] How do I get this out of my system tray? (final)

  • From: LarryB <larryb227@xxxxxxxxxxxxx>
  • To: pcworks@xxxxxxxxxxxxx
  • Date: Sun, 31 Aug 2008 08:22:55 -0400

I finally got this problem resolved and this is a follow-up to the list.
I ran several anti-malware programs, including SUPERAntiSpyware and 
Malwarebytes Anti-Malware; they found most of the problems. I have screen 
shots of what they found but I do not think I am allowed to put screen 
shots on the list.

I uninstalled AVG and installed Avast free and it found another 
Trojan-gen.

I ran CCleaner several times also. It is now running well. Apparently 
the malware was also causing the system to freeze each night. That has 
also stopped.

I think much of this was caused by not having Spybot set up correctly, 
as I didn't have my system immunized and I did not have a "file set" 
set up. I do now.

Thanks for all the help.

Larryb

This is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:28 AM, on 8/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtMonEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Larryb\Desktop\Download\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 
http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60287
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
http://www.comodo.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = 
http://www.crawler.com/search/ie.aspx?tb_id=60287
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = 
http://dnl.crawler.com/support/sa_customize.aspx?TbId=60287
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - 
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - 
{53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - 
C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - 
{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program 
Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {F58FF278-2198-403b-9170-C95022A194C6} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE 
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE 
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program 
Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program 
Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program 
Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program 
Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search 
& Destroy\TeaTimer.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - 
res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - 
res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} 
- C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 
Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - 
C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} 
- (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} 
- C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - 
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} 
- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - 
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network 
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} 
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - 
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program 
Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com 
Configuration Class) - 
http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo 
Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {4798E9EE-4524-4149-A852-2021309A579D} (WebCamX Control) - 
http://74.239.177.61/WebCamX.cab
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - 
http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O16 - DPF: {4BF2E7B7-69F4-4178-B669-257C7C8A4072} (WebCamX Control) - 
http://74.239.177.61/WebCamX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) 
- 
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684550851
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) 
- 
http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201700846590
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield 
International Setup Player) - 
http://www.broderbund.com/IFW/Cabs/isetup.cab
O16 - DPF: {9107A82A-248A-49E5-A7D2-4E12EAAD4DC2} (WebCamX Control) - 
http://69.15.111.218/WebCamX.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) 
- https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95A161E7-F130-4BB6-A4A1-4241FD68B9ED} (WebCamX Control) - 
http://74.239.177.61/WebCamX.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) 
- 
http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.277069091796875&file=stamps.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - 
https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - 
https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll 
C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program 
Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL 
Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program 
Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program 
Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program 
Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - 
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown 
owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision 
Corporation - C:\Program Files\Common 
Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - 
C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Logitech, Inc. - (no file)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero 
BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA 
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc - C:\Program 
Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8673 bytes



Larry Browning
K & L Electronics
Anderson, SC



Clint Hamilton-PCWorks Admin wrote:
> I can't find your post now, but yesterday you asked about 
> Spyware Blaster and SpyBot and how they block things.  I forgot 
> to answer that in my reply.  I thought I already said this, but 
> Spyware Blaster does not have to be running in the background, 
> in fact, it can't.  It works by simply placing thousands of bad 
> URLs and websites in the browser's Restricted Sites zone (FF 
> too), and using thousands of registry tags, downloaded program 
> files blockers, hosts file protection, etc., etc.  All these 
> things prevent its detected malware from ever getting on your 
> PC.  You have to be sure to "Enable all protection" with it, 
> and be sure to make backups with it.  It can make a "System 
> snapshot", and backup important things that can be restored.
> 
> SpyBot does it BOTH ways.  In addition to what Spyware Blaster 
> does (using the "Immunize" button), it has two 'scanners' 
> so-to-speak.  One is some kind of DLL, "Resident SD Helper" 
> that blocks all downloads from sites in its database.  You did 
> not have it active, because like I said yesterday, I couldn't 
> even get to that website, it blocked me from it.  The other is 
> a great one, "Resident TeaTimer" which DOES have to be running 
> in the background.  It shows in the System Tray.  This protects 
> you from things being added to the Start Up folder, and that 
> "Run-" area in the registry where things are added to startup 
> in Msconfig's area, as well as many other forms of protection. 
> NEITHER of these is checked by default; you have to check both 
> boxes in SpyBot's Tools > Resident area.  Like a firewall, 
> TeaTimer will ask if you want to allow or deny action it 
> detects, and if you want it to remember the action.  Then 
> there's also the "IE Tweaks" area that can "Lock the Hosts 
> file........." as protection against hijacks.
> 
> None of this ever would have happened if you would have had 
> those areas active.  But, now you know. ;-)  Even if you click 
> on something bad, nothing will happen with these programs and 
> ALL of their features active (as long as the malware or website 
> is in its defs and database, of course).  But both the SD 
> Helper and TeaTimer also work off of heuristics and detection 
> of suspicious behavior, so even if something is not in their 
> defs, they can still protect you from the "actions" of said 
> malware.
> 
> Regarding the firewall, regardless of how complicated they may 
> be, everyone should still use one.  Even at their default 
> settings they are still better than nothing.  Yes, like 
> anti-malware programs, one router is not enough.  I guess two 
> is enough; any more than that could lead to conflicts.  A 
> hardware firewall (like from the router) is good for certain 
> things, but not for others.  You will also get no warnings from 
> it when it blocks or allows traffic.  A software firewall adds 
> another *configurable* layer of protection that protects 
> against far more things than just traffic.  Using both, and 
> having both set up CORRECTLY, you have the best chance of 
> protecting yourself.  It's sort of like a bulletproof vest; 
> level II is fine for most handguns (sort of like maybe the 
> router firewall), level III is fine for all but the most 
> powerful of handguns, and the new "dragon skin" type or level 
> III+ with the ceramic shield will stop anything except the .50 
> cal or magnum sniper rifles at close range, which is in a 
> manner of speaking what you want to achieve with your PC.
> -Clint
> 
> God Bless
> Clint Hamilton, Owner
> http://www.OrpheusComputing.com
> http://www.ComputersCustomBuilt.com
> 
> 
> ----- Original Message ----- 
> From: "LarryB"
> 
> Thanks for the input Hugh.
> You are probably right in that I clicked on something that 
> triggered this whole mess. Time pushing is often the culprit and 
> slowing down would be the cure.
> I have done the "immunize" in Spybot on all 3 of my computers 
> so that's done. I have also installed Comodo Firewall Pro on just 
> one so we'll see how that works. It appears to be easier to 
> understand vs Sygate so far.
> 
> 
> LarryB
> Have a great day
> 
> 
> Hugh Vandervoort wrote:
>> No firewall or router can protect you from packets you allow. 
>> You were enticed, somehow, to click on something malicious, and 
>> no firewall can protect from that. The only protection is to be 
>> more careful, and that's not always easy as these guys are very 
>> clever (Click here to Feed the Homeless!)
>> I have found home firewalls to be a source of far more 
>> irritation than protection. While they have come a long way, 
>> they are still a source of confusion and irritation to many, and 
>> not worth it for the average user.
>> If you haven't used Spybot's "Immunize" feature yet, I 
>> encourage you to do so.
>>
>>
>> It also got by my router's firewall! I remember someone saying 
>> if you have a router you do not need a firewall on your computer 
>> also. At this point I might add another one then I'll have 3 of 
>> them  ;-)

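The HijackThis log posted above is the kind of artifact a list member has to read by hand, and the mail client has wrapped many of its lines. The following script is an added example written for this page, not part of the original post or of HijackThis itself. It rejoins wrapped lines into entries and then flags the entries a reviewer usually looks at first: entries whose referenced file is gone ("(no file)", the harmless leftovers CCleaner-style cleanup removes), R-section browser search and start-page values that point somewhere other than an expected host, O16 ActiveX (DPF) objects downloaded from a bare IP address instead of a named site, and O20 AppInit_DLLs entries, which get loaded into every process that uses user32.dll. The sample log is constructed from lines copied out of the post, the set of expected search hosts is an assumption the caller supplies, and a flag is a prompt to verify an entry, not a verdict that it is malicious.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a handful of entries copied from the HijackThis log in
# the post above. The first entry is left wrapped across two lines, exactly
# as the mail client wrapped it, to exercise the rejoining logic.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60287
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F58FF278-2198-403b-9170-C95022A194C6} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {4798E9EE-4524-4149-A852-2021309A579D} (WebCamX Control) - http://74.239.177.61/WebCamX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684550851
O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: LiveUpdate - Logitech, Inc. - (no file)
"""

# Every HijackThis entry starts with a section code such as R1, O4 or O16.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    section: str  # e.g. "R1", "O4", "O16"
    body: str     # everything after the "Rn - " / "On - " prefix


@dataclass
class Finding:
    section: str
    reason: str
    body: str


def parse_entries(text: str) -> list[Entry]:
    """Split a log into entries, rejoining lines the mail client wrapped.

    A wrapped continuation line does not start with a section code, so it
    is appended to the entry before it.
    """
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
        elif entries:
            entries[-1].body += " " + line  # continuation of previous entry
    return entries


def host_is_bare_ip(url: str) -> bool:
    """True when the URL's host is a literal IP address, not a DNS name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries: list[Entry], expected_search_hosts: set[str]) -> list[Finding]:
    """Return the entries a reviewer should verify, with the reason for each.

    expected_search_hosts (an assumption supplied by the caller) lists the
    hosts the owner deliberately configured as search or start page.
    """
    findings: list[Finding] = []
    for e in entries:
        if "(no file)" in e.body:
            findings.append(Finding(e.section, "references a file that no longer exists (orphaned entry)", e.body))
            continue
        if e.section.startswith("R"):
            # Browser search bar, start page, search assistant, URLSearchHook
            for url in URL_RE.findall(e.body):
                host = urlparse(url).hostname or ""
                if host not in expected_search_hosts:
                    findings.append(Finding(e.section, f"browser search/start page points at unexpected host {host}", e.body))
        elif e.section == "O16":
            # Downloaded Program Files: ActiveX objects fetched from the web
            for url in URL_RE.findall(e.body):
                if host_is_bare_ip(url):
                    findings.append(Finding(e.section, "ActiveX object downloaded from a bare IP address rather than a named host", e.body))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # The registry value itself is space-separated, and HijackThis
            # prints it the same way, so a plain split recovers each DLL.
            for dll in e.body.split(":", 1)[1].split():
                findings.append(Finding(e.section, f"AppInit DLL loaded into every GUI process: {dll}", e.body))
    return findings


if __name__ == "__main__":
    # The owner's start page in the post is www.comodo.com; treat that as the
    # only expected search host (an assumption for this demo).
    for f in triage(parse_entries(SAMPLE_LOG), {"www.comodo.com"}):
        print(f"[{f.section}] {f.reason}\n    {f.body}")
```

Run it against a full log by reading the file into `parse_entries` instead of `SAMPLE_LOG`; on the posted log it would surface the orphaned Yahoo! Toolbar, Adobe and Logitech entries as safe cleanup candidates, the two AppInit DLLs (which the O4 and O23 lines show belong to the installed COMODO products, so a reviewer would confirm their publisher rather than remove them), and the WebCamX controls fetched from IP addresses as items to verify.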
=========================
The list's FAQ's can be seen by sending an email to 
PCWorks-request@xxxxxxxxxxxxx with FAQ in the subject line.

To unsubscribe, subscribe, set Digest or Vacation to on or off, go to 
//www.freelists.org/list/pcworks .  You can also send an email to 
PCWorks-request@xxxxxxxxxxxxx with Unsubscribe in the subject line.  Your 
member list settings can be found at 
//www.freelists.org/cgi-bin/lsg2.cgi/l=pcworks .  Once logged in, you have 
access to numerous other email options.  

The list archives are located at //www.freelists.org/archives/pcworks/ .  
All email posted to the list will be placed there in the event anyone needs to 
look for previous posts.