
spy programs and such

Discussion in 'Security and Privacy' started by FannonCodder, 2004/03/25.

Thread Status:
Not open for further replies.
  1. 2004/03/25
    FannonCodder

    FannonCodder Inactive Thread Starter

    Joined:
    2004/03/25
    Messages:
    6
    Likes Received:
    0
    For the past year or so I have used Ad-aware to stop all the spam stuff that I get on my computer, but lately, after a fresh install, I'm getting it all the time. The worst part is that I have removed one spy program three times since I reformatted three days ago.

    Win Blaster keeps popping up and I don't know where the heck it is coming from. To make matters worse, XP will pop up a box from time to time and say that I/another program has requested a connection to a random IP or internet site.

    I'm on a modem, but I never had this problem before I formatted. Heck, right now I would be happy if I could just stop XP from asking me to connect to the internet because some program needs it to.


    Thanks again all, I must say that I have found a ton of useful information from these boards.
     
  2. 2004/03/25
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    What kind of firewall and AV protection do you have? You should be able to configure your firewall to only permit legit internet access. AdAware will detect Spyware, but has nothing to do with viruses and worms.
    Have you run any online scans?
    Symantec
    http://securityresponse.symantec.com/
    Panda
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    Housecall http://housecall.trendmicro.com/
    Kerio http://www.kerio.com/kpf_home.html

    Johanna
     


  4. 2004/03/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    After you do the online scans, post a HijackThis log on here. The link is below.
     
  5. 2004/03/26
    FannonCodder

    FannonCodder Inactive Thread Starter

    Joined:
    2004/03/25
    Messages:
    6
    Likes Received:
    0
    OK, I used HijackThis.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:00:25 AM, on 3/26/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Karna\Razer\razertra.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Karna\Razer\razerofa.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Documents and Settings\Dustin Hughson\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [razertra] C:\Program Files\Karna\Razer\razertra.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BC922BE3-A0B6-439D-92D2-4B7D47DBB36D}: NameServer = 69.66.0.20 69.66.1.20

    I also downloaded the trial version of AVG. Would I need to get Spybot if I have Ad-aware though?


    BTW - thank you for all of your help.


    EDIT - since the HijackThis log I ran AVG and it found these things as well:

    C:\WINDOWS\SYSTEM32\WINHLP~1.EXE repaired
    C:\WINDOWS\SYSTEM32\ZSOFT32.EXE repaired
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\CONTENT.IE5\A07NZ399\WKSPAT~1.EXE repaired
     
    Last edited: 2004/03/26
  6. 2004/03/26
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Yes - each will find spyware/malware that the other doesn't. Be sure to update their reference files before running.
     
  7. 2004/03/26
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    zsoft32.exe, WINHLP~1.EXE, and WKSPAT~1.EXE are all files associated with worms/trojans. A more specific possibility is some variant of "Agobot". You need some deep virus scanning as suggested by Johanna.
    NOTE* These files seem to have been repaired. I don't know if that means they are now harmless because any malicious code has been removed from them, or repaired as in fully functional "Nasties". Furthermore, Agobot is one of those guys that, if not cleaned "properly and thoroughly" along with any security updates and precautions taken to prevent this type of infection, can and will rebound or reinfect.


    These are Google hits just on zsoft32.exe alone:
    http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_AGOBOT.HO&VSect=T

    http://www.google.com/search?sourceid=navclient-menuext&ie=UTF-8&oe=UTF-8&q=ZSOFT32.EXE

    =========
    wkspatch(1).exe possibility:
    http://www.computercops.biz/posts20124-0.html
     
    Last edited: 2004/03/26
  8. 2004/03/26
    FannonCodder

    FannonCodder Inactive Thread Starter

    Joined:
    2004/03/25
    Messages:
    6
    Likes Received:
    0
    Yeah, the "Agobot" stuff was found by AVG and removed, so that is a good thing.


    The thing that still worries me is this morning I got up and opened my laptop and XP popped up another msg saying that I or a program is requesting a connection to some site I have never been to. Then in the window it is asking me to pick my connection. (I'm on a 56k so it is asking me if I want to use that connection and dial in.)

    I never had this pop up at all before, ever since I have owned my laptop (2 years this July). Right after that popped up I did a Spyware and Ad-aware check, then did AVG. None of them found anything.

    I would love for that box to just stop popping up, but would be even happier if I knew what was trying to make my computer connect.
     
  9. 2004/03/26
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    I'd be nervous also. It sure sounds like a virus file is calling home for an update to its executables. I told you these guys can be sneaky/tricky about self-preservation.

    For example:
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101025

    How about renaming the three files previously detected as infected but fixed. Furthermore, I would just delete the internet temp wrkspatch(1).exe. Correction! All IE temp files, cookies and history.
     
    Last edited: 2004/03/26
  10. 2004/03/26
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    If this box is popping up on your desktop, you may need to disable Windows Messenger Service.

    Admin Tools> Services> scroll to "Messenger ", right click, properties and disable.

    For more info: here

    Johanna
     
  11. 2004/03/26
    FannonCodder

    FannonCodder Inactive Thread Starter

    Joined:
    2004/03/25
    Messages:
    6
    Likes Received:
    0
    It isn't Messenger, I always disable that. It happened to be the auto-dialer, which I think I have fixed now. I guess I'll find out for sure when I reboot again.

    The only thing I can think of is that I had a few webpages open when I disconnected and closed my laptop, and when I opened it again in the morning one of the pages needed something for an ad... It is a stretch, but the only thing I can think of.



    Last but not least, how important is it to update XP with service packs? It takes forever just to download stuff, but I guess I should just do it, huh?

    Also is it a good idea to turn on the XP firewall?
     
  12. 2004/03/26
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Most important, for at least the security patches!!!! These plug up the flaws or holes that leave you vulnerable to just such infections as "Agobot". They take advantage of these flaws in the unpatched files and routines Windows uses.

    Many of the updates (in combination with other security measures) help to close the window these guys use to get in, at least until the next variant rolls around that has figured out how to either jimmy the lock or get into another window.... Hence the phrase: keep up on the current updates :)

    Depending upon your surfing habits and/or the Toy_apps (ICQ) you use, the Net has become an extremely high risk and hazardous place. You need a bazooka not a watergun.
     
    Last edited: 2004/03/26
  13. 2004/03/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    ANY firewall is better than no firewall. You shouldn't even connect to the internet without one!
     
  14. 2004/03/26
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    A firewall is a necessity - not an option, so the answer is YES, unless you already have another firewall installed.

    Good freeware firewalls are ZoneAlarm (minimal setup) and Kerio - more complex, but less of a resource hogger - see my sig. for links.

    See my post pinned to the top of the forum re. Updates, but I would do them now rather than wait for delivery.
     
  15. 2004/03/28
    Houston

    Houston Inactive

    Joined:
    2003/11/15
    Messages:
    34
    Likes Received:
    0
    I have been using Sygate Personal Firewall 5.5, free and very easy to use; it seems to work quite well. Just a thought.
    http://www.simtel.net/product.download.mirrors.php?id=53687

    Houston ;)
     
  16. 2004/03/29
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    C:\Program Files\Karna\Razer\razertra.exe
    C:\Program Files\Karna\Razer\razerofa.exe

    What is this program?
    A mouse?
    http://www.razerzone.com/products/
    I wonder if the other forum members found any info?

    I couldn't find much, and what I did find, three hits on Google, one of which contained a virus, "js/psyme".


    I hope you took Johanna's suggestion and got a free online scan, and AVG too.

    Might post another log if any problems pop back up.
     
  17. 2004/03/29
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    ===edited out===
    Bah!!! On second thought...My 2 cents is not needed.
     
    Last edited: 2004/03/29
  18. 2004/03/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Ann,

    I have always found your 2 cents to be worth about $100 :D
     