money.cafreedom.com

[matt]

ok, i have the sygate personal firewall on my computer, i run firefox as my browser, but when ever i launch explorer to acesses my computer or my documents, the firwall pops up and says:

Windows Explorer (exploter.exe) is trying to connect to money.cafreedom.com [66.17.180.52] using remote port 80(HTTP - World Wide Web).  Do you want to allow this program to access the network?"

i always say no, but then ever i close out to my computer/mydocuments etc., explorere crashed.  it reloads fine and the computer still runs, just what is this? and how can i get ride of it?  i ran ad-aware but that found nothing.

[Raptor]

Scan for Spyware.

[matt]

i ran both ad-aware and spy-bot

[Raptor]

Reconfigure them to do extensive scans.

[matt]

i did for ad-aware, im not sure how for spy-bot

[Raptor]

Have you scanned for Viruses and Trojan Horses?

[matt]

yea, using AVG anti-virus, i'll run it agian now though, and how can i set spy-bot to deep scan

[matt]

the virus/trojan scan came up clean

[Raptor]

I have no experience with Spybot S&D

Do you have programs installed  that may be forcing your browser to connect to that adress?

Use HijackThis

[matt]

not to my knowledge, but i'll try highjack this

[matt]

here is my hijack this log:

O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\6ji.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell AIO Printer A920] "E:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: PeerGuardian (2).lnk = E:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - e:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll


it all seems fine to me, expect the first and third objects, i dont know what they are.

[Raptor]

The Toolbar & Radio is harmless, I believe. I've seen it before on my PC as well. Must come with Internet Explorer.

Entry number one does seem a bit dubious, no Google search results..

There's a tool  that seems to be recommended often. Give it a try: CWShredder

[matt]

i fooled around with CWShredder, but it didnt find anything.  any other ideas, this thing is really anoying.

[Raptor]

use different spyware/virus scanners. See if any of them picks up any threats the others do not.

[2k dummy]

Do you have any dealings or relationship to any of the following:

NRSoftware
Bane Media
xeex
Yipes

The url and IP address belongs NRSoftware. They are a rather nefarious outfit and are known to be spammers. They use hosting  companies to cover their tracks. You likely have a backdoor that they are trying to use. Use a dedicated trojan detection software and keylogger detection. By all means, keep it blocked in the firewall.