spyware perhaps?

[peterofware]

Hi, over the last few days i have been plagued by a series of programs trying to access the internet - stopped by ZoneAlarm. This is happening usually when I open Internet explorer. The programs appear to be random although lately they all seem to be Z5bf08.

I have also noticed a series of ".LGC" files in APPLOG and within the the IE PLUGINS folder there is a series of ddl files starting with npqtplugin.dll, then nq...2.dll through to ..7.dll. I assume because all seem to have happened on 21st Oct and these are dated same then this is relevent.

Can anyone advise as to how to get rid of this, can I just delete these files? I have tried using Spybot and ran a Norton AV scan (which is kept up to date) to no avail. Ideas please.

Cheers, Peter

[TomcaT]

It does sound like spyware....... get spybot and adware and also download Hi-jack this, run it and post your log up on here and will try and say which ones to delete.

[Schadenfroh]

take a look at my Spyware Removal Guide

i dont believe that npqtplugin.dll is malicious, but i will have to read up a little more

[FuneralofShadows]

ok, i have the same issue, umm, as for adware, it keeps freezing in the middle of a scan, so the logfile for that is out of the question, spybot, i scanned and deleted everything, but as for hijack this, this is my log file:

Logfile of HijackThis v1.98.2

Scan saved at 3:10:58 PM, on 11/13/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\TOOLS_95\IMGICON.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\TOOLS_95\IOWATCH.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\MY DOCUMENTS\DOCUMENTS\HIJACKTHIS.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zrlsqoforutytdxgbjlmc.us/cwCut0...TRbSndiuIi.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {8F59277D-8B7B-B43E-D41E-DB5E22D20BC0} - C:\WINDOWS\APPLICATION DATA\MAILDASH\HOLEINSIDE.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [MEAL SEND OKAY INTERNET] C:\WINDOWS\All Users\Application Data\boldstopmealsend\seek that.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKCU\..\Run: [find open] C:\WINDOWS\APPLIC~1\PLAYBO~1\Knob Admin.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE

O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE

O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

could you please tell me what to get rid of?

[gamehead200]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zrlsqoforutytdxgbjlmc.us/cwCut0...TRbSndiuIi.htm

O2 - BHO: (no name) - {8F59277D-8B7B-B43E-D41E-DB5E22D20BC0} - C:\WINDOWS\APPLICATION DATA\MAILDASH\HOLEINSIDE.EXE

O4 - HKLM\..\Run: [MEAL SEND OKAY INTERNET] C:\WINDOWS\All Users\Application Data\boldstopmealsend\seek that.exe

O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" (Yes, MessengerPlus3, full of adware/spyware)

O4 - HKCU\..\Run: [find open] C:\WINDOWS\APPLIC~1\PLAYBO~1\Knob Admin.exe

There might be more... Run Ad-Aware and Spybot S&D like crazy! Also, if you end some tasks and see that something else starts up after ending a program, I would suggest searching for it on your computer and deleting it... I've had that problem on several of my friends' computers and they were, in fact, adware or spyware!

Good luck!

[tguy]

You might also need:

XoftSpy

HiJackThis

Anti-Virus scanner

[DigeratiPrime]

i hate to sound trollish, but all I 'want' to say is "Firefox perhaps"?

[10forcash]

npqtplugin.dll is used by Opera... and others, it's a quicktime plugin extension

Cheers,

10forcash