Re: [PCWorks] [SPAM] Re: How do I get this out of my system tray?

  • From: LarryB <larryb227@xxxxxxxxxxxxx>
  • To: pcworks@xxxxxxxxxxxxx
  • Date: Tue, 19 Aug 2008 09:13:45 -0400

I don't see anything that says I can get updates to Sygate.

I did the immunization thing with SB and also with Spyware Blaster.
I don't see where it scans anything so it must just stop spyware from 
getting in.

My AV program might not be set correctly either. If not then I be back 
to get advice on what's good.

I use to have Zone Alarm but it seemed with every update things got 
slower so I dumped it.

Now I understand that ZA's firewall it in the top 10.

I'm printing these emails out so if I lose the ability to reach the 
Internet I will still have these emails.

I am getting a yellow triangle with System performance monitor 
warnings and don't know if it is the Trojan telling me or my legit 
system telling me. It suggests I click the balloon to download spyware 
so it is probably bad.


Larry Browning
K & L Electronics
Anderson, SC



Clint Hamilton-PCWorks Admin wrote:
> SB is free, that's their only version.  So can you get updates 
> for Sygate?
> 
> This is probably your problem: iebtm.exe & iebtmm.exe, these 
> are backdoor Trojans.
> http://www.fileresearchcenter.com/I/IEBTM.EXE-13001.html
> http://www.bleepingcomputer.com/startups/iebtm.exe-23379.html
> http://www.greatis.com/appdata/d/i/iebtmm.exe.htm
> http://www.bleepingcomputer.com/startups/iebtm.exe-23379.html
> Do a search on them for more info and how to remove it. 
> Obviously AVG missed it and I would use another AV program.
> 
> I wanted to post that now ASAP, I'll go over the rest next.
> -Clint
> 
> God Bless
> Clint Hamilton, Owner
> http://www.OrpheusComputing.com
> http://www.ComputersCustomBuilt.com
> 
> 
> ----- Original Message ----- 
> From: "LarryB"
> 
> I may be going off the air as I am getting many warnings.
> I will have to bring my computer from home to continue all I 
> can.
> 
> I am using the free version of SB and Sygate.
> 
> I am also using FF and did what you said in blocking thru 
> adblock in FF.
> 
> I have tried to run a virus scan but it takes hours. (using 
> AVG)
> 
> I'll download spyware blaster now also and run it.
> 
> 
> 
> I have run HiJackthis and here is the print out.
> 
> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 10:53:40 AM, on 8/18/2008
> Platform: Windows XP SP3 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
> Boot mode: Normal
> 
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Sygate\SPF\smc.exe
> C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
> C:\WINDOWS\system32\LEXBCES.EXE
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\Explorer.EXE
> C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
> C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
> C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
> C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
> C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
> C:\WINDOWS\system32\nvsvc32.exe
> C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
> C:\WINDOWS\system32\svchost.exe
> C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
> C:\Program Files\Applications\iebtm.exe
> C:\Program Files\Applications\iebtmm.exe
> C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
> C:\Program 
> Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
> C:\WINDOWS\system32\ctfmon.exe
> C:\Program Files\Logitech\MouseWare\system\em_exec.exe
> C:\Program Files\WordWeb\wweb32.exe
> C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
> 
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page 
> =
> about:blank
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page 
> =
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings,ProxyOverride = localhost;<local>
> R3 - Default URLSearchHook is missing
> O2 - BHO: Adobe PDF Reader Link Helper -
> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
> O2 - BHO: (no name) - {300CF5C9-F02D-4CB8-ABED-9C229DA56825} -
> C:\Program Files\Applications\iebt.dll
> O2 - BHO: Spybot-S&D IE Protection -
> {53707962-6F74-2D53-2644-206D7942484F} - C:\Program 
> Files\Spybot -
> Search & Destroy\SDHelper.dll
> O2 - BHO: SSVHelper Class - 
> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
> C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
> O2 - BHO: PrintMe - {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} -
> C:\Program Files\EFI\PrintMeToolbar\htpmcap.dll
> O2 - BHO: SpyWarningBHO Class - 
> {F58FF278-2198-403b-9170-C95022A194C6}
> - C:\Program Files\ASpyC\SpyWarning.dll (file missing)
> O3 - Toolbar: PrintMe - 
> {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} -
> C:\Program Files\EFI\PrintMeToolbar\htpmcap.dll
> O3 - Toolbar: Internet Service -
> {254B87BB-510D-41FA-A887-52C5FA9BE585} - C:\Program
> Files\Applications\iebr.dll
> O4 - HKLM\..\Run: [SmcService] 
> C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
> O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe 
> /STARTUP
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
> C:\WINDOWS\system32\NvCpl.dll,NvStartup
> O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
> O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
> C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
> O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
> O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program
> Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe 
> /auto
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
> O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program
> Files\Applications\wcs.exe
> O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program
> Files\Applications\iebtm.exe
> O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run]
> C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL 
> SERVICE')
> O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run]
> C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK 
> SERVICE')
> O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run]
> C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
> O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run]
> C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default 
> user')
> O4 - Startup: WordWeb Pro.lnk = C:\Program 
> Files\WordWeb\wweb32.exe
> O8 - Extra context menu item: &WordWeb... -
> res://C:\WINDOWS\wweb32.dll/lookup.html
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
> O9 - Extra button: (no name) - 
> {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
> - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
> O9 - Extra 'Tools' menuitem: Sun Java Console -
> {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
> Files\Java\jre1.6.0_02\bin\ssv.dll
> O9 - Extra button: (no name) - 
> {9034A523-D068-4BE8-A284-9DF278BE776E}
> - http://www.iexplorerfiles.com/redirect.php (file missing)
> O9 - Extra 'Tools' menuitem: IE Anti-Spyware -
> {9034A523-D068-4BE8-A284-9DF278BE776E} -
> http://www.iexplorerfiles.com/redirect.php (file missing)
> O9 - Extra button: Research - 
> {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
> C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
> O9 - Extra button: (no name) - 
> {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
> - (no file)
> O9 - Extra button: (no name) - 
> {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}
> - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
> O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy 
> Configuration
> - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program 
> Files\Spybot -
> Search & Destroy\SDHelper.dll
> O9 - Extra button: (no name) - 
> {e2e2dd38-d088-4134-82b7-f2ba38496583}
> - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
> O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
> {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
> Diagnostic\xpnetdiag.exe
> O9 - Extra button: Messenger - 
> {FB5F1910-F110-11d2-BB9E-00C04F795683}
> - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
> Files\Messenger\msmsgs.exe
> O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com
> Configuration Class) -
> http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
> O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} 
> (ActiveDataInfo
> Class) - 
> https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
> O16 - DPF: {4798E9EE-4524-4149-A852-2021309A579D} (WebCamX 
> Control) -
> http://74.239.177.61/WebCamX.cab
> O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} -
> http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
> O16 - DPF: {4BF2E7B7-69F4-4178-B669-257C7C8A4072} (WebCamX 
> Control) -
> http://74.239.177.61/WebCamX.cab
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl 
> Class)
> -
> http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684550851
> O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl 
> Class)
> -
> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201700846590
> O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} 
> (InstallShield
> International Setup Player) -
> http://www.broderbund.com/IFW/Cabs/isetup.cab
> O16 - DPF: {9107A82A-248A-49E5-A7D2-4E12EAAD4DC2} (WebCamX 
> Control) -
> http://69.15.111.218/WebCamX.cab
> O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj 
> Class)
> - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
> O16 - DPF: {95A161E7-F130-4BB6-A4A1-4241FD68B9ED} (WebCamX 
> Control) -
> http://74.239.177.61/WebCamX.cab
> O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller 
> Class)
> -
> http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.277069091796875&file=stamps.cab
> O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader 
> Class) -
> https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
> O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
> https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
> O20 - Winlogon Notify: avgwlntf - 
> C:\WINDOWS\SYSTEM32\avgwlntf.dll
> O22 - SharedTaskScheduler: causes -
> {0fe36c74-667b-454b-828e-75e4e72cbef8} - 
> C:\WINDOWS\system32\euwoeu.dll
> O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, 
> s.r.o.
> - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
> O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, 
> s.r.o. -
> C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
> O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - 
> GRISOFT,
> s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
> O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -
> C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
> O23 - Service: C-DillaSrv - C-Dilla Ltd -
> C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
> O23 - Service: InstallDriver Table Manager (IDriverT) - 
> Macrovision
> Corporation - C:\Program Files\Common
> Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
> O23 - Service: LexBce Server (LexBceS) - Lexmark International, 
> Inc. -
> C:\WINDOWS\system32\LEXBCES.EXE
> O23 - Service: LiveUpdate - Logitech, Inc. - (no file)
> O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 
> 7\Nero
> BackItUp\NBService.exe
> O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
> Corporation - C:\WINDOWS\system32\nvsvc32.exe
> O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc - 
> C:\Program
> Files\Visioneer\OneTouch 4.0\OtService.exe
> O23 - Service: Pml Driver HPZ12 - HP - 
> C:\WINDOWS\System32\HPZipm12.exe
> O23 - Service: Sygate Personal Firewall Pro (SmcService) - 
> Sygate
> Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
> 
> --
> End of file - 8917 bytes
> 
> Larry Browning
> K & L Electronics
> Anderson, SC
> 
> 
> 
> Clint Hamilton-PCWorks Admin wrote:
>> Just post the HJT log here and I can look at it.
>>
>> Is it the pay version of Sygate or the free?  The free 
>> version
>> has not been able to update for years because they no longer
>> have it.  They were bought out by Symantec and they trashed 
>> the
>> free version.  So if it's a version that can still get 
>> updates,
>> then it either is not set correctly, you allowed something 
>> you
>> should have blocked, or it just plain missed it.
>>
>> When you let SB (SpyBot) do the "Immunize", it automatically
>> puts sites in the Restricted Sites Zone for you.  Spyware
>> Blaster automatically does the same thing when you "Enable 
>> all
>> protection".  So you should do both of those, and if when 
>> going
>> to that cyber-terrorist website you don't see "Restricted 
>> site"
>> at the lower right area of the IE window, you need to add it
>> yourself.  Just go into IE Options, go to the Security tab,
>> click "Restricted sites" then "Sites", paste the URL in the
>> box.  If antispycheck.com is the website, then paste it in 
>> the
>> box as *antispycheck.com, www.antispycheck.com, and
>> *.antispycheck.com, any of those ways that it allows it.
>>
>> Get a load of this, as I suspected, SB won't even let me go 
>> to
>> that website!  It blocks it, so you apparently don't have it
>> setup correctly.  So after you have it setup correctly, you
>> should not even have to add it to the Restricted sites zone.
>> But in the future for other bad websites, that's how you do 
>> it.
>> (Check your Cookie folder every once in a while for strange
>> Cookies you don't recognize.  These are usually Cookies 
>> placed
>> on your PC from sites you've never visited.  These come from
>> sites that embed 3rd-party trackware/adware/malware Cookies.
>> Open them up and get the URL, paste it into your address bar
>> and go to the site.  Sometimes you may have to add the www
>> prefix to get to the site if it's not in the Cookie.  Once at
>> the site, you'll notice it's usually some bad website devoted
>> to "targeted advertising" and the like, or worse.  Then you 
>> can
>> add those types of URL's to the Restricted Sites zone and 
>> those
>> Cookies will never get on your PC again.  If you have any
>> questions about any of this, just start a new thread on it 
>> and
>> we can address it there).
>> -Clint
=========================
The list's FAQ's can be seen by sending an email to 
PCWorks-request@xxxxxxxxxxxxx with FAQ in the subject line.

To unsubscribe, subscribe, set Digest or Vacation to on or off, go to 
//www.freelists.org/list/pcworks .  You can also send an email to 
PCWorks-request@xxxxxxxxxxxxx with Unsubscribe in the subject line.  Your 
member list settings can be found at 
//www.freelists.org/cgi-bin/lsg2.cgi/l=pcworks .  Once logged in, you have 
access to numerous other email options.  

The list archives are located at //www.freelists.org/archives/pcworks/ .  
All email posted to the list will be placed there in the event anyone needs to 
look for previous posts.
-zxdjhu-

Other related posts:

  1. Home
  2. pcworks
  3. Archive
  4. 08-2008