Spyware problem.

[Asuka]

Just today i turn on my comp and i have this icon that gives me a mesg every few mins about having spyware. Now i know that mesgs is FROM spyware but i cant seem to find whats causes it.

I used:

Ad-aware 6.0
Spybot - Search & Destroy
HijackThis

All of them found different things and i removed all. Here is the report i got from HijackThis.

================================================

Logfile of HijackThis v1.98.2
Scan saved at 8:38:52 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\jawa32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\AIM\aim.exe
C:\program files\steam\steam.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\Files\Programs\HijackThis.exe

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
R3 - URLSearchHook: US Class - {D6C296DE-402D-417f-9D10-431273FE15A5} - C:\WINDOWS\System32\ndsfc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\System32\mtc2608.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -s C:/WINDOWS/sys.reg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [accweb] C:\WINDOWS\Help\accweb.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [JF8] C:\WINDOWS\wfele.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [ouek] C:\WINDOWS\Yetqlq.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [javkjj] C:\WINDOWS\Jlaujo.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [wmv] C:\WINDOWS\System32\winmonv.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O18 - Protocol hijack: mhtml -
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\System32\lmf32v.dll

 

[63]

Looks like a standard windows notification bubble to me

 

[Hazar]

yeah, looks normal to me, try turning off windows security and see what happens

 

[Asuka]

This fixed all my problems.

http://www.microsoft.com/downloads/...a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

Very good program by Microsoft.

 

[VirusType2]

yea the microsoft spyware actually works.

Its great.

There was a thread on this forum where I learned about it you must have missed it.

Anyway too bad it won't be free forever. I was under the impression that microsoft was investing in internet security to implement into WindowsXP and beyond.

but somehow I have a feeling you have to buy it.........anyone?

 

[Asuka]

Maybe. I think its going to come wiht future windows updates.

 

[oni_666]

You might try turning off some off the crap in your start up folder, to improve performance,etc.
you can do most if not all of this by typing into "run" the word "msconfig" and going to startup, also using administrative tools, select services and disable programs from starting by right clicking on the program or service and select disable from the drop down box, these programs I've highlighted outta your running processes are safe to disable, and will free up essential resources.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe--- **
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe---DISABLE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\jawa32.exe
C:\Program Files\QuickTime\qttask.exe---DISABLE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe-- **
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe-- **
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe---DISABLE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe--DISABLE
C:\Program Files\AIM\aim.exe
C:\program files\steam\steam.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe---DISABLE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe---DISABLE (this is windows updates which can be done manually).
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\Files\Programs\HijackThis.exe

The programs I've marked with **, are your printer drivers, If you don't print that often you can put these to manual and only start/enable them if you actually want to print anything, thats what I do.

These startup programs combined (pardon the pun) probably use 20mb of free resources, does'nt sound like much, but when your running HL2 on max settings and need every free bit of memory to do this, then disabling any background programs or none essential processes can only help run things a little bit better.

 

[Asuka]

You might try turning off some off the crap in your start up folder, to improve performance,etc.
you can do most if not all of this by typing into "run" the word "msconfig" and going to startup, also using administrative tools, select services and disable programs from starting by right clicking on the program or service and select disable from the drop down box, these programs I've highlighted outta your running processes are safe to disable, and will free up essential resources.


The programs I've marked with **, are your printer drivers, If you don't print that often you can put these to manual and only start/enable them if you actually want to print anything, thats what I do.

These startup programs combined (pardon the pun) probably use 20mb of free resources, does'nt sound like much, but when your running HL2 on max settings and need every free bit of memory to do this, then disabling any background programs or none essential processes can only help run things a little bit better.

Thx a lot, appreciate it. :thumbs:

 

[Laivasse]

Just to clarify what your original problem actually was: I suffered from the same thing and it turns out that it's a Windows service which is apparently very vulnerable to being exploited by hackers. If you go to control panel>admintools>services and then locate "windows messenger" service (different from msn or any chat prog) and turn it off, the messages will stop. Microsoft Antispyware recognises the problem and deals with it too.

What is curious is that I'm not quite sure what sets it off in the first place. I formatted my HD the other night and stupidly went on the net with MSN before I had reinstalled my firewall. Amazingly I had only been on the net a matter of seconds, without browsing any sites, and all I had done was try and reestablish my login in MSN - and the same stinking Windows Message bubble popped up again. Beware MSN.

 

[Asuka]

Just to clarify what your original problem actually was: I suffered from the same thing and it turns out that it's a Windows service which is apparently very vulnerable to being exploited by hackers. If you go to control panel>admintools>services and then locate "windows messenger" service (different from msn or any chat prog) and turn it off, the messages will stop. Microsoft Antispyware recognises the problem and deals with it too.

What is curious is that I'm not quite sure what sets it off in the first place. I formatted my HD the other night and stupidly went on the net with MSN before I had reinstalled my firewall. Amazingly I had only been on the net a matter of seconds, without browsing any sites, and all I had done was try and reestablish my login in MSN - and the same stinking Windows Message bubble popped up again. Beware MSN.

Reformatted and the problem was fixed. Now im getting those GRAY messages. Ill post a screen later. They are always different.

Oh and i dont have a virus, these mesgs. come up the 2nd i reinstalled windows. Always happens but i forgot how to get rid of them.

 

[Laivasse]

Hmm, that problem will be fixed by turning off the windows messenger service in admin tools/services like I said before. What confuses me is that it looks *very* much like a spyware message. I can't imagine microsoft telling you to go to a 3rd party site, and Windows certainly isn't so helpful that it just casually detects and tells you about virus infections. Like you said, you just reinstalled, so you shouldn't have a virus.

Incidentally it's exactly the same window I got (there are a few variations). It only pops up after you connect to the net iirc. I saw an article on the net concerning that grey box thing, and apparently it is very vulnerable to exploitation by hackers. Effectively anyone can make messages popup on your computer saying anything. I couldn't figure out how to get rid of it because it stays with you even when all your spyware is gone. Eventually I did control panel/services/admin tools>switched off windows messenger, as the article told me and all is fixed. Microsoft Antispyware beta (try google for a download) stops anything fiddling with the messenger system in the first place, which also stops the problem.

It is NOT a message from Windows.

EDIT: In my other post I actually misunderstood the problem you were having when you first posted.The problem I was talking about then, is actually the problem you didn't have, but have now. Mm?

 

[Asuka]

Thx for all the help.