
Miner

Discussion in 'Security and Privacy' started by Mudd, 2004/05/29.

Thread Status:
Not open for further replies.
  1. 2004/05/29
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    In spite of all the programs I have running, I continue to get the MINER Tag in AdWare. It takes it out fine. Run AdWare again and it's gone. Tomorrow I will more than likely have it again.

    As soon as I remove it, SpyWare Guard pops a window up and informs me that something has changed my homepage giving the option to accept or deny. Each time I run this the above mentioned action happens.

    I captured a screen shot of the window but see no way to post it here. The page it wants to set as Home Page is: www.microsoft.com/isapi/redir.dll?prd={SUB_CLSID}pver={SU Bracket was not closed so maybe it all didn't copy.

    I run AdWare frequently and if no problems are presented with this as long as I get notified of what it is trying to do, should I just forget it or is there a way to stop this from happening?

    I have my Privacy Cookie Settings to Block All including Third Party. The Cookies I want are already on the PC.
     
    Mudd,
    #1
  2. 2004/05/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The best way to prevent this stuff I know of is to clean up good with both Spybot and Ad-aware (in full scan mode), maybe even post a HijackThis log to confirm nothing was missed, then use the immunize feature in Spybot, install both SpywareBlaster and IESpyads. :)
     


  4. 2004/05/29
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    noahdfear

    Thanks. I do have each of what you mentioned, and the latest versions. I am a frequent checker of updates for each. I have CW Shredder in addition to the others. I do run Spybot in the Advanced Mode and Immunize it each time I get an update, which is none other than the Language Part last week. I run all programs at least twice a week, sometimes more.

    I have the Hijack Program downloaded but have never installed it. Maybe I should do that and someone may see what is going on.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:45:21 PM, on 29/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\MailWasher\MailWasher.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mudd\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.slysoft.com/purchase.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe "
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38022.6965393519
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
     
    Mudd,
    #3
  5. 2004/05/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    Sounds Like this problem, http://www.lavahelp.com/articles/v6/04/05/1801.html

    Provided when your IE homepage is reset it's only to an MS site,
    But I'm not sure what Adaware means by MINER's; that's usually just a cookie.

    I hope Dave or the other forum members know what's happening if it's not that.
     
  6. 2004/05/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Mudd - next time one of these things crops up, make a note of the URL for it and then from the screen shown below, use the Edit button below and put the url into the block list and you'll never see that particular one again.

    Your entry should be something like bad-site.com and set to always block.
     
    Newt,
    #5
  7. 2004/05/30
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    Newt

    I think I understand what you mean. Since I posted the note yesterday, I have visited a few URLs on the Net and this morning updated AdWare, ran it, got the same as MINER. As soon as I deleted it Spyware Guard gave a Pop Up window saying my Home Page had been changed etc., and gave the same address I posted yesterday. I selected no.

    I visited Wilders Security Forum and was reading some things. Some guy was having the same problem as I, but it wasn't because of MINER but something else. They gave advice to: Install a program "ie.spyad.exe" and to add to the Registry an entry concerning "hosts" which comes as a ZIP. I downloaded each of them and was debating whether or not to install them. The Host file stops anything trying to use the 127.0.0.1, I believe was the correct number and supposedly stops things one doesn't want. Have you heard of these?

    I'll do what you said in your post and see if that cures it. I have all these so-called Spyware Programs recommended by the Moderators of the SpyWare Forum in BBS, try to be careful about what I'm doing but still get this MINER thing. It's been happening since about 2 weeks ago. Each and every time I run AdWare it pops up. Spybot gives me a clear shot. Grouch's PC is doing the same thing. We've only had this problem since going Cable. Got the Updated ZA and keep Norton set on Auto Updates.

    Getting to be a Cruel World Out There for beginners on the Computer.

    Thanks and be ready for an Exercise Demonstration on your mail today!
     
    Mudd,
    #6
  8. 2004/05/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Mudd - the hosts file is an interesting thing. Simple text file with ip address and computer/domain name.

    Computers find network and internet resources based on their IP. People do better with names than numbers. The Hosts file is one of the oldest methods for a PC to match up IP address and computer/domain name.

    Windows (along with Unix, Linux, etc.) is designed to check the hosts file first when you try to browse somewhere. If a match is found, it is used and the PC does not look any further. If no match then other ways are tried with DNS (the main real way on the internet for doing the matching) as the last place the PC checks.

    127.0.0.1 is a special address used by network cards as a loopback address. Mostly for diagnostic use but that address always points right back to the network card and will never go anywhere. So any URL matched to 127.0.0.1 in a hosts file on your PC will never be found. It is used some now as a quick and dirty way to block bad sites.

    127.0.0.1 somebadplace.com
    127.0.0.2 another-bad-place.net
    and so on.

    A couple of clever malware writers did the same sort of thing to stop folks from getting to places where there was help available.

    127.0.0.1 windowsbbs.com #comment - this in your hosts file would stop you ever getting here
     
    Newt,
    #7
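
The hosts-file behaviour Newt describes above, as an added example that is not part of the original thread: a small Python audit that separates ordinary loopback block-list entries from entries that cut off help or security sites, and (going one step beyond the post) from entries that point a name at a non-loopback address. The watch list, the sample file contents and the function names are assumptions made for the illustration.

```python
import ipaddress

# Assumption: a short watch list of help/security/update sites, using domains
# that appear in this thread. Extend it with the sites you rely on.
PROTECTED = ("windowsbbs.com", "microsoft.com", "symantec.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file (not taken from anyone's PC in the thread).
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 somebadplace.com
127.0.0.2 another-bad-place.net
127.0.0.1 windowsbbs.com #comment - this would stop you ever getting here
0.0.0.0   www.symantec.com security.symantec.com
203.0.113.7 www.microsoft.com
not-an-ip example.org
"""


def parse_hosts(text):
    """Return (entries, malformed); entries are (lineno, ip_object, hostname)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()                    # spaces or tabs
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw.strip()))
            continue
        if len(fields) < 2:                      # address with no name
            malformed.append((lineno, raw.strip()))
            continue
        for name in fields[1:]:                  # one line may map many names
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries, malformed


def is_protected(name, protected=PROTECTED):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in protected)


def audit(text, protected=PROTECTED):
    """Sort hosts entries into local, blocked, help_site_blocked, redirected."""
    entries, malformed = parse_hosts(text)
    report = {"local": [], "blocked": [], "help_site_blocked": [],
              "redirected": [], "malformed": malformed}
    for lineno, ip, name in entries:
        # 127.0.0.0/8, ::1 and 0.0.0.0 all go nowhere useful
        sinkhole = ip.is_loopback or ip.is_unspecified
        if name in LOCAL_NAMES and ip.is_loopback:
            key = "local"
        elif sinkhole and is_protected(name, protected):
            key = "help_site_blocked"            # the malware trick from the post
        elif sinkhole:
            key = "blocked"                      # ordinary block-list entry
        else:
            key = "redirected"                   # name pinned to a real address
        report[key].append((lineno, str(ip), name))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE)
    for category in ("help_site_blocked", "redirected", "malformed"):
        for item in result[category]:
            print(category, item)
    print("ordinary block-list entries:", len(result["blocked"]))
```

To check a real machine, pass the contents of `C:\WINDOWS\System32\drivers\etc\hosts` (the path shown in the Ad-aware log later in this thread) to `audit()` instead of `SAMPLE`.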
  9. 2004/05/30
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    Newt

    "It is used some now as a quick and dirty way to block bad sites. "

    Meaning I shouldn't use the program I referenced in my previous post?

    Added information about the MINER thing. I noticed that SpyWare Blaster has this site reference in my first post trying to get to Home Page as one it blocks! That appears to me that the Site Hacker item is getting by SpyWare Blaster. Have checked the AdWare three times today. Each time the MINER was there. So I'll just put up with getting rid of it this way until something better comes by.

    Thanks for the information.
     
    Mudd,
    #8
  10. 2004/05/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Can you post an Ad-aware scan log?
     
  11. 2004/05/30
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    noahdfear

    I will try. If successful it will follow.
     
  12. 2004/05/30
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    noahdfear

    Data Miner was there again. I just removed it a short time ago. As I removed it, a pop up indicated my home page had been changed. If I don't remove it, the home page stays as it is.

    The Log;


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :May 30, 2004 8:06:55 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R312 30.05.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-aware Settings
    =========================
    Set : Unload recognized processes during scanning
    Set : Include basic Ad-aware settings in logfile
    Set : Include additional Ad-aware settings in logfile
    Set : Let windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Always back up reference file, before updating
    Set : Play sound if scan produced a result


    30-05-2004 8:06:55 PM - Scan started. (Smart mode)

    Listing running processes
    ¯Â¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 30-05-2004 12:23:37 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 30-05-2004 12:23:55 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 30-05-2004 12:23:56 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 18/08/2001 12:00:00 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 18/08/2001 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 30-05-2004 12:23:56 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 18/08/2001 12:00:00 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 29/08/2002 11:41:26 AM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 30-05-2004 12:23:57 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 18/08/2001 12:00:00 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 18/08/2001 12:00:00 PM
     
  13. 2004/05/30
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    noahdfear

    Second Part:

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 30-05-2004 12:23:57 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 18/08/2001 12:00:00 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 18/08/2001 12:00:00 PM

    #:7 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 30-05-2004 12:23:59 PM
    BasePriority : Normal
    FileSize : 973 KB
    FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
    ProductVersion : 6.00.2800.1221
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 12/05/2003 5:12:10 AM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 12/05/2003 5:12:10 AM

    #:8 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 30-05-2004 12:23:59 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 18/08/2001 12:00:00 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 18/08/2001 12:00:00 PM

    #:9 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 30-05-2004 12:23:59 PM
    BasePriority : Normal
    FileSize : 309 KB
    FileVersion : 1.03.4
    ProductVersion : 1.03.4
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Event Manager
    Created on : 20/04/2004 11:37:52 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 17/07/2003 4:16:38 PM

    #:10 [winpatrol.exe]
    FilePath : C:\PROGRA~1\BILLPS~1\WINPAT~1\
    ThreadCreationTime : 30-05-2004 12:24:04 PM
    BasePriority : Normal
    FileSize : 176 KB
    FileVersion : 6, 5, 0, 0
    ProductVersion : 6.5.0.0
    Copyright : Copyright
    CompanyName : BillP Studios
    FileDescription : WinPatrol By BillP Studios
    InternalName : WinPatrol
    OriginalFilename : Scotty
    ProductName : WinPatrol
    Created on : 06/02/2004 4:12:08 AM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 31/12/2003 5:12:32 PM

    #:11 [directcd.exe]
    FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
    ThreadCreationTime : 30-05-2004 12:24:05 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 5.3.5.10
    ProductVersion : 5.3.5.10
    Copyright : Copyright (c) 2001-2003, Roxio, Inc.
    CompanyName : Roxio
    FileDescription : DirectCD Application
    InternalName : DirectCD
    OriginalFilename : Directcd.exe
    ProductName : DirectCD
    Created on : 01/08/2002 8:14:26 AM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 06/02/2004 5:35:04 PM

    #:12 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 30-05-2004 12:24:05 PM
    BasePriority : Normal
    FileSize : 53 KB
    FileVersion : 1.0.10.006
    ProductVersion : 1.0.10.006
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client CC App
    InternalName : ccApp
    OriginalFilename : ccApp.exe
    ProductName : Common Client
    Created on : 20/04/2004 11:43:37 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 02/12/2003 9:11:04 PM

    #:13 [rundll32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 30-05-2004 12:24:05 PM
    BasePriority : Normal
    FileSize : 31 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Run a DLL as an App
    InternalName : rundll
    OriginalFilename : RUNDLL.EXE
    ProductName : Microsoft
    Created on : 18/08/2001 12:00:00 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 18/08/2001 12:00:00 PM

    #:14 [zlclient.exe]
    FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
    ThreadCreationTime : 30-05-2004 12:24:06 PM
    BasePriority : Normal
    FileSize : 681 KB
    FileVersion : 5.0.590.015
    ProductVersion : 5.0.590.015
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : Zone Labs Client
    InternalName : zlclient
    OriginalFilename : zlclient.exe
    ProductName : Zone Labs Client
    Created on : 26/05/2004 1:06:21 PM
    Last accessed : 31/05/2004 12:49:58 AM
    Last modified : 17/05/2004 9:56:14 AM

    #:15 [sgmain.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 30-05-2004 12:24:07 PM
    BasePriority : Normal
    FileSize : 352 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC
    FileDescription : SpywareGuard
    InternalName : sgmain
    OriginalFilename : sgmain.exe
    ProductName : SpywareGuard
    Created on : 30/08/2003 12:05:35 AM
    Last accessed : 31/05/2004 12:54:35 AM
    Last modified : 30/08/2003 12:05:35 AM
     
  14. 2004/05/30
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    noahdfear

    Third and Final Part

    #:16 [sgbhp.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 30-05-2004 12:24:09 PM
    BasePriority : Normal
    FileSize : 228 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
    FileDescription : SG Browser Hijacking Protection
    InternalName : sgbhp
    OriginalFilename : sgbhp.exe
    ProductName : SG Browser Hijacking Protection
    Created on : 29/08/2003 4:14:56 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 29/08/2003 4:14:56 PM

    #:17 [mainserv.exe]
    FilePath : C:\Program Files\APC\APC PowerChute Personal Edition\
    ThreadCreationTime : 30-05-2004 12:24:16 PM
    BasePriority : Normal
    FileSize : 148 KB
    FileVersion : 1, 2, 0, 0
    ProductVersion : 1, 2, 0, 0
    Copyright : Copyright
    CompanyName : American Power Conversion Corporation
    FileDescription : Battery backup management service
    InternalName : PowerChute
    OriginalFilename : PowerChute
    ProductName : APC PowerChute Personal Edition
    Created on : 06/02/2004 4:00:10 AM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 09/07/2002 6:45:12 PM

    #:18 [gbpoll.exe]
    FilePath : C:\Program Files\Roxio\GoBack\
    ThreadCreationTime : 30-05-2004 12:24:16 PM
    BasePriority : Normal
    FileSize : 496 KB
    FileVersion : 3.11.59
    ProductVersion : 3.11.59
    Copyright : Copyright
    CompanyName : Roxio, Inc.
    FileDescription : GoBack Autorun Menu
    InternalName : GoBack Autorun Menu
    OriginalFilename : Autorun.exe
    ProductName : GoBack
    Created on : 06/02/2004 11:40:42 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 21/01/2002 8:31:56 PM

    #:19 [navapsvc.exe]
    FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\
    ThreadCreationTime : 30-05-2004 12:24:17 PM
    BasePriority : Normal
    FileSize : 113 KB
    FileVersion : 9.05.1015
    ProductVersion : 9.05.1015
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 20/04/2004 11:37:37 PM
    Last accessed : 31/05/2004 1:06:56 AM
    Last modified : 15/11/2002 12:41:26 AM

    #:20 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 30-05-2004 12:24:17 PM
    BasePriority : Normal
    FileSize : 80 KB
    FileVersion : 6.14.10.5216
    ProductVersion : 6.14.10.5216
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 52.16
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 52.16
    Created on : 06/10/2003 10:16:00 PM
    Last accessed : 31/05/2004 1:06:56 AM
    Last modified : 06/10/2003 10:16:00 PM

    #:21 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 30-05-2004 12:24:29 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 18/08/2001 12:00:00 PM
    Last accessed : 31/05/2004 1:06:55 AM
    Last modified : 18/08/2001 12:00:00 PM

    #:22 [ups.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 30-05-2004 12:24:29 PM
    BasePriority : Normal
    FileSize : 16 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : UPS Service
    InternalName : ups.exe
    OriginalFilename : ups.exe
    ProductName : Microsoft
    Created on : 06/02/2004 12:34:54 AM
    Last accessed : 31/05/2004 1:06:56 AM
    Last modified : 29/08/2002 11:41:28 AM

    #:23 [vsmon.exe]
    FilePath : C:\WINDOWS\system32\ZoneLabs\
    ThreadCreationTime : 30-05-2004 12:24:29 PM
    BasePriority : Normal
    FileSize : 893 KB
    FileVersion : 5.0.590.015
    ProductVersion : 5.0.590.015
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : TrueVector Service
    InternalName : vsmon
    OriginalFilename : vsmon.exe
    ProductName : TrueVector Service
    Created on : 26/05/2004 1:06:15 PM
    Last accessed : 31/05/2004 1:06:56 AM
    Last modified : 17/05/2004 9:55:26 AM

    #:24 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 30-05-2004 9:06:50 PM
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft
    Created on : 06/02/2004 12:36:27 AM
    Last accessed : 31/05/2004 1:05:21 AM
    Last modified : 29/08/2002 11:41:26 AM

    #:25 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 31-05-2004 1:05:21 AM
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft
    Created on : 06/02/2004 12:36:27 AM
    Last accessed : 31/05/2004 1:05:21 AM
    Last modified : 29/08/2002 11:41:26 AM

    #:26 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 31-05-2004 1:06:39 AM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 06/02/2004 4:33:48 AM
    Last accessed : 31/05/2004 1:06:40 AM
    Last modified : 13/07/2003 6:00:20 AM

    Memory scan result :
    ¯Â¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯Â¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯

    Registry scan result :
    ¯Â¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯Â¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank "
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank "


    Deep registry scan result :
    ¯Â¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯
    New objects : 1
    Objects found so far: 1


    ¯Â¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯
    ¯Â¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯Ã‚¯


    Deep scanning and examining files (C:)


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)

    Hosts file scan result:
    8036 entries scanned.
    New objects :0
    Objects found so far: 1




    Performing conditional scans..

    Conditional scan result:
    New objects : 0
    Objects found so far: 1


    8:10:54 PM Scan complete

    Summary of this scan
    Total scanning time :00:03:58:765
    Objects scanned :56869
    Objects identified :1
    Objects ignored :0
    New objects :1
     
  15. 2004/05/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let me guess. You're setting your homepage to blank??
     
  16. 2004/05/30
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    noahdfear

    That's correct.
     
  17. 2004/05/30
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Mudd

    After supposedly getting the Miner removed, do you

    1- Clean out the C:\Windows\Temp folder?
    2- Delete ALL COOKIES?
    3- Delete ALL Temp Internet Files?

    I have found that some of the things do hide things in the above folders and DO GET reactivated after a Windows re-start or when going back on the Internet.

    Also once you get the System cleaned up it is a good idea to remove any and all backups that have been made.

    For example;

    The RB00x.cab files in the sysbckup folder in 98
    And the Restore points in XP.

    BillyBob
     
  18. 2004/05/30
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I forgot something else that I found awhile back

    Some of the system-invading nasties make a temp folder of their own. And I also found a reference in the RUN section of the REG pointing to the Temp folder.

    It is a good idea to check for same.

    This is another reason for deleting old and making new backups.

    BB
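
Added example, not part of the original thread or any poster's own code: the check suggested above (look in the RUN section of the registry for references to a Temp folder), written in Python. The temp-path markers, function names and sample entries are assumptions constructed for illustration; on Windows the script reads the live Run and RunOnce keys, elsewhere it falls back to the constructed sample.

```python
import os
import re
import sys
# Autostart keys to inspect under HKCU and HKLM.
RUN_KEYS = [r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce"]
# Path fragments treated as temporary locations (assumption of this example).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")
# Constructed sample data so the check also runs off Windows.
SAMPLE_ENV = {"TEMP": r"C:\DOCUME~1\User\LOCALS~1\Temp", "WINDIR": r"C:\WINDOWS"}
SAMPLE = [
    (RUN_KEYS[0], "ExampleApp", r'"C:\Program Files\ExampleApp\app.exe"'),
    (RUN_KEYS[0], "updater", r"%TEMP%\upd32.exe /s"),
    (RUN_KEYS[0], "loader", r"rundll32.exe C:\WINDOWS\Temp\xy.dll,Run"),
    (RUN_KEYS[1], "helper", r"%WINDIR%\system32\ctfmon.exe"),
]

def points_to_temp(command, env):
    """True if the autostart command references a file under a temp folder."""
    # Expand %VAR% references; unknown variables are left as written.
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: env.get(m.group(1).upper(), m.group(0)), command)
    normalised = expanded.replace("/", "\\").lower()
    return any(marker in normalised for marker in TEMP_MARKERS)

def flag_temp_autostarts(entries, env):
    """Keep only the (key, value name, command) entries that point into temp."""
    return [e for e in entries if points_to_temp(e[2], env)]

def read_run_entries():
    """Read Run/RunOnce values from the live registry (Windows only)."""
    import winreg
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        for key_path in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, key_path)
            except OSError:
                continue  # key absent or not readable
            with key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    entries.append((key_path, name, str(data)))
    return entries

if __name__ == "__main__":
    live = sys.platform == "win32"
    entries = read_run_entries() if live else SAMPLE
    env = {k.upper(): v for k, v in os.environ.items()} if live else SAMPLE_ENV
    for key_path, name, command in flag_temp_autostarts(entries, env):
        print(f"{key_path}\\{name} -> {command}")
```

The match is on the whole command line rather than only the first token, so a DLL in a temp folder launched through rundll32 is flagged as well.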
     
  19. 2004/05/30
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    BillyBob

    Not each and every time. Usually when I run the AdWare and other things is the last thing before I turn off the PC. I have two programs that I use, PC Cleanup and HDValet. Cookies are not included but all temp folder/file, temp internet, MRUs and other things I've forgotten now are cleaned. I don't delete cookies because I only have them for the sites I need to visit, like BBS. The Privacy Settings are set to Block all, including Third Party, and accept in use or whatever that is.
     
  20. 2004/05/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    There's a relatively new bad guy that sets homepage, search assistant, etc, etc to 'blank'. Ad-aware is targeting it and picking it up when you set your page. :( Sad thing is, if you exclude it and do happen to pick up the baddie, Ad-aware won't see it. Maybe something to make note of on the Ad-aware forums. :rolleyes: Differentiating between intentional user applied 'about blank' homepage and the hijack.
     
  21. 2004/05/30
    Mudd

    Mudd Inactive Thread Starter

    Joined:
    2002/05/31
    Messages:
    503
    Likes Received:
    0
    I do this as a Habit. When on dialup, which was very slow, I had to wait when going to the internet for the page to load. If I rushed it with trying to open another link the stuff would freeze up.

    I can change it to something if you think that would help. I'm on Cable now and things load quickly. Going to set something in there now. Wait an hour and run Adware to see what it finds. Thanks a lot for this help.
     