
Plagued by IEngine&Hotoffer.info [resolved]


  • This topic is locked

#1
Drewski

Drewski

    Member

  • Member
  • PipPip
  • 15 posts
;) I opened an odd email without thinking. Soon after, Internet Explorer went berserk and was opening a nasty website about every five minutes. Hotoffer.info has taken over my default webpage and will not be removed. ;) Also the following error pops up often:

Error #317 – Microsoft Windows Security Warning X

X Your Windows is corrupted with spyware virus.
You must patch your PC urgently to protect your system.
Private info is accessed by ports:

-8080
-3128

You can patch your PC for free now and delete all spyware viruses.

Click OK to chose and download free spyware removal using AntiSPY


OK Cancel

I have downloaded and run all the programs as instructed before this post. They did get rid of a lot of stuff but the plague persists. :tazz: Here is my log. Please help me heal my sick computer! :)

Logfile of HijackThis v1.97.7
Scan saved at 11:31:29 AM, on 3/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\netdc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Office Tracker\alarmer.exe
C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\winupdate14983478[1].exe
C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\winupdate30543618[1].exe
C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\winupdate34369672[1].exe
C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\winupdate63498341[1].exe
C:\Documents and Settings\Andrew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\BestBuy\HelpExpress\Client\HELPEXP.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: netdb.exe
O4 - Startup: winupdate14983478[1].exe
O4 - Startup: winupdate30543618[1].exe
O4 - Startup: winupdate34369672[1].exe
O4 - Startup: winupdate49698123[1].exe
O4 - Startup: winupdate63498341[1].exe
O4 - Startup: winupdate74365674[1].exe
O4 - Startup: winupdate76341896[1].exe
O4 - Startup: winupdate98523694[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Tracker Alarmer.lnk = ?
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Microsoft AntiSpyware helper (HKLM)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper (HKLM)
O9 - Extra button: Microsoft AntiSpyware helper (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1111279364984
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupd...8012.7933449074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
  • 0


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Drewski to Geeks to Go!

Please download the latest version of HijackThis:
HijackThis 1.99.1. Unzip it to a folder of its own. We will use it later.

***

Download Hoster
Unzip it to a convenient place and open the program.
Choose "Restore Original Hosts" and press "OK".
Close the program.

***

Download Pocket Killbox.
Unzip the files to a folder like c:\killbox\
Don't run the program, we'll do that later.

***

Download CleanUp!.
Don't run the program, we'll do that later.

***

Open HijackThis version 1.99.1

Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’ (and repeat this if necessary):

netdc.exe

netdb.exe


winupdate14983478[1].exe

winupdate30543618[1].exe

winupdate34369672[1].exe

winupdate63498341[1].exe

winupdate49698123[1].exe

winupdate74365674[1].exe

winupdate76341896[1].exe

winupdate98523694[1].exe


Close HijackThis.

***

Please do an online scan, 2 would be better. Trend Micro should be able to fix this one.

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

***

Post a log using the latest version of HijackThis. Let me know what Housecall did.
  • 0
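
The first-pass triage applied to the log above (extra program on the `Shell=` line, Hosts file redirects, executables sitting directly in the Startup folder) can be scripted. The following Python sketch is an added example, not part of the original thread or of HijackThis; the finding labels and heuristics are assumptions chosen to match the entries discussed here, and the sample log is a constructed excerpt of lines from the first post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a few lines excerpted from the first log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\netdc.exe
C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\winupdate14983478[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: netdb.exe
O4 - Startup: winupdate14983478[1].exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O4 - ..."
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (.*)$")   # O4 Startup-folder items
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_entries(log_text):
    """Return (code, body) for every 'Xn - ...' entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' (ends at a blank line)."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            procs.append(line)
    return procs


def _is_redirect(addr):
    """True if a Hosts entry points somewhere other than loopback or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified)


def triage(log_text):
    """Return [(kind, detail, count)] for entries matching the heuristics below."""
    hits = Counter()
    for code, body in parse_entries(log_text):
        lowered = body.lower()
        if code in ("F0", "F2") and "shell=" in lowered:
            # A clean Shell value is just explorer.exe; anything appended to it
            # is launched at every logon.
            if lowered.split("shell=", 1)[1].strip() != "explorer.exe":
                hits[("shell-hijack", body)] += 1
        elif code == "O1" and body.startswith("Hosts:"):
            fields = body[len("Hosts:"):].split()
            if len(fields) >= 2 and _is_redirect(fields[0]):
                detail = f"{fields[0]} -> {' '.join(fields[1:])}"
                hits[("hosts-redirect", detail)] += 1
        elif code == "O4":
            m = STARTUP_RE.match(body)
            # Shortcuts are listed as 'name.lnk = target'; a bare .exe means the
            # binary itself sits in the Startup folder.
            if m and " = " not in m.group(1) and m.group(1).lower().endswith(".exe"):
                hits[("startup-exe", m.group(1))] += 1
    for path in running_processes(log_text):
        if STARTUP_DIR in path.lower() and path.lower().endswith(".exe"):
            hits[("startup-process", path)] += 1
    # Repeated identical lines (the Hosts entry here) collapse into one finding.
    return [(kind, detail, n) for (kind, detail), n in hits.items()]


if __name__ == "__main__":
    for kind, detail, n in triage(SAMPLE_LOG):
        print(f"{kind:16} x{n}  {detail}")
```

A hit is a prompt for manual review, not a verdict: entries such as the start page or an orphaned BHO still need a human to judge them against what is installed on the machine.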

#3
Drewski

Drewski

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks for responding. Here are the results.

Trend Micro Housecall removed:

TROJ_SMALL.LV

and would not remove:

TROJ_DLOADER.EL

Panda Active Scan did the following:

Incident Status Location

Virus:Trj/Downloader.BCK Disinfected Operating system
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access
Adware:Adware/ExactSearch No disinfected Windows Registry
Virus:Trj/Trexe.A Disinfected Operating system
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccess.exe
Virus:Bck/Xundoor.A Disinfected C:\WINDOWS\SYSTEM32\mshelp32.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\ntolesvc32.ex_
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\SYSTEM32\O
Virus:Trj/Downloader.BCK Disinfected C:\WINDOWS\SYSTEM32\thun32.dll
Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:57:14 AM, on 3/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Tracker Alarmer.lnk = ?
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {08A364ED-379F-4F3C-8AF3-B8C554DF1719} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {08A364ED-379F-4F3C-8AF3-B8C554DF1719} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {1DD5BDFC-7E5B-4ABD-9E9D-8D23751F1CD8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1DD5BDFC-7E5B-4ABD-9E9D-8D23751F1CD8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A0BDF048-4E4B-4728-8F1D-63FB0F229AE2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A0BDF048-4E4B-4728-8F1D-63FB0F229AE2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {ED836A59-C09B-4C51-8AEA-F00FAA066C42} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ED836A59-C09B-4C51-8AEA-F00FAA066C42} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FB769037-CD13-4FD7-8732-9F7A6AA5A9A6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FB769037-CD13-4FD7-8732-9F7A6AA5A9A6} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O21 - SSODL: NTDBGTOOL - {AC52746D-F275-4AE3-918F-FAC52583B700} - C:\WINDOWS\System32\prond3d9.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Thank you for your help so far! :tazz:
  • 0

#4
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Thank you for your feedback. Let's go get them.

I recommend you print this advice. In safe mode you will not have this page available.

***

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

***

Download CleanUp!.
Don't run the program, we'll do that later.


***

Download Pocket Killbox.
Unzip the files to a folder like c:\killbox\
Don't run the program, we'll do that later.

***

Open HijackThis from within its own folder.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
(unless you're running Nero)

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
"Spyware remover" of dubious repute, see this page for more info

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab

O21 - SSODL: NTDBGTOOL - {AC52746D-F275-4AE3-918F-FAC52583B700} - C:\WINDOWS\System32\prond3d9.dll

***

* Restart the computer.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe mode menu item.
* Press Enter.

***

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
***

Find and doubleclick the file cleanup312.exe.

Go to option
Select ‘custom’
Put a check to:
* Temp
* All users.
Press 'cleanup!'

Once it's done, decline to log off. We'll reboot later.

***

Delete the following files:

C:\WINDOWS\System32\NeroCheck.exe
(unless you're running Nero)


C:\WINDOWS\System32\prond3d9.dll

C:\WINDOWS\SYSTEM32\ntolesvc32.ex_

C:\WINDOWS\SYSTEM32\O

Check if any of these are present:
C:\M.EXE or C:\Y.EXE


Delete the following folders:

C:\Program Files\Media Access\

C:\Program Files\Security iGuard\

***

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

***

Let's run Panda online virusscan again to see if we got them all.

***

Post a fresh HijackThis log to check and let me know what Panda said...

Edited by g2i2r4, 28 March 2005 - 01:54 PM.

  • 0

#5
Drewski

Drewski

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
So far so good. Here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 5:12:23 PM, on 3/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Tracker Alarmer.lnk = ?
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {08A364ED-379F-4F3C-8AF3-B8C554DF1719} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {08A364ED-379F-4F3C-8AF3-B8C554DF1719} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {1DD5BDFC-7E5B-4ABD-9E9D-8D23751F1CD8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1DD5BDFC-7E5B-4ABD-9E9D-8D23751F1CD8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A0BDF048-4E4B-4728-8F1D-63FB0F229AE2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A0BDF048-4E4B-4728-8F1D-63FB0F229AE2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {ED836A59-C09B-4C51-8AEA-F00FAA066C42} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ED836A59-C09B-4C51-8AEA-F00FAA066C42} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FB769037-CD13-4FD7-8732-9F7A6AA5A9A6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FB769037-CD13-4FD7-8732-9F7A6AA5A9A6} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Panda Results:


Incident Status Location

Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/WinAD No disinfected C:\HijackThis\backups\backup-20050331-103503-456.dll
Virus:Trj/Downloader.BKV Disinfected C:\RECYCLER\S-1-5-21-4097411637-3242847100-1723214923-1006\Dc10.ex_
Adware:Adware/StatBlaster No disinfected C:\RECYCLER\S-1-5-21-4097411637-3242847100-1723214923-1006\Dc11
Adware:Adware/WUpd No disinfected C:\RECYCLER\S-1-5-21-4097411637-3242847100-1723214923-1006\Dc12\MediaAccess.exe
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
Thanks!
  • 0

#6
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Well, your log looks clean.

As for the Panda findings.

Adware:Adware/ExactSearch No disinfected Windows Registry
This is not a virus or a Trojan. It is a direct-marketing adware application.
It creates a folder c:\program files\exact. It looks like Panda tried to remove items from the Registry. Are you using Exact software? If you want to keep using it, be aware of it. If you want to stop using it, remove it using software panel.

Adware:Adware/WinAD No disinfected C:\HijackThis\backups\backup-20050331-103503-456.dll
This is found in the backups from HijackThis. We already removed the items. We can clean the backups from within the program.
Open HijackThis.
Go to config - backups and press 'delete all'.

Virus:Trj/Downloader.BKV Disinfected C:\RECYCLER\S-1-5-21-4097411637-3242847100-1723214923-1006\Dc10.ex_
Adware:Adware/StatBlaster No disinfected C:\RECYCLER\S-1-5-21-4097411637-3242847100-1723214923-1006\Dc11
Adware:Adware/WUpd No disinfected
C:\RECYCLER\S-1-5-21-4097411637-3242847100-1723214923-1006\Dc12\MediaAccess.exe

These three are found in your recycle bin. You can empty the bin.

That leaves only this one:
Adware:Adware/WinAD No disinfected

Run Killbox (doubleclick Killbox.exe).

Run it, and click the radio button that says Delete a file on reboot.
Paste this:
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say Yes.

Let the system reboot.

If you like, you can retry scanning. Let's see what it says.
  • 0

#7
Drewski

Drewski

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thank you so much for your help! :tazz:

I am not using Exact software. How exactly do I remove this? It is not on the list of add/remove programs.

Here are the new results from panda and HijackThis log.


Incident Status Location

Adware:Adware/ExactSearch No disinfected Windows Registry

Logfile of HijackThis v1.99.1
Scan saved at 5:12:15 PM, on 4/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Tracker Alarmer.lnk = ?
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {08A364ED-379F-4F3C-8AF3-B8C554DF1719} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {08A364ED-379F-4F3C-8AF3-B8C554DF1719} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {1DD5BDFC-7E5B-4ABD-9E9D-8D23751F1CD8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1DD5BDFC-7E5B-4ABD-9E9D-8D23751F1CD8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A0BDF048-4E4B-4728-8F1D-63FB0F229AE2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A0BDF048-4E4B-4728-8F1D-63FB0F229AE2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {ED836A59-C09B-4C51-8AEA-F00FAA066C42} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ED836A59-C09B-4C51-8AEA-F00FAA066C42} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FB769037-CD13-4FD7-8732-9F7A6AA5A9A6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FB769037-CD13-4FD7-8732-9F7A6AA5A9A6} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Thank you again. I am going to make a donation!

Drewski ;)
  • 0

#8
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Your log looks great.

See if you can find this folder:
c:\program files\exact

See if there's an uninstaller in there.

***

If not:
Download and install Registrar Lite.

Let's go search the Registry for EXACT
Please be very careful what you do. A corrupt Registry is a broken down machine.

Doubleclick the file you just downloaded.
An Installshield will appear. Follow the instructions.

Go to start - programs - RegistrarLite - Registrar Lite
Since it's the first time you open it, the program will finish the installation.

Press the magnifying glass
In the box 'text to search for' type
AXACT
press 'enter'. The program will search the Registry looking for items.

When it's done searching you will see a window with rows.
Click a row (*)
Click the star icon below
A new window (bookmarks) will open
You will be on the same row we started at
Click the right mousebutton
Click 'copy name to clipboard'

Open notepad
Click the right mousebutton and choose 'paste'.

Go back to Registrar Lite and close the bookmarks window.

Go to the next row
Repeat the steps from (*) until all items are done.

Then close Registrar Lite.

In Notepad you can copy all lines and post them here in your answer.

I don't have to see a new log using HijackThis.
  • 0

#9
Drewski

Drewski

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I want to be sure not to make a mistake. Don't you mean to type in "EXACT" and not "axact"? This is what you had written:

"Press the magnifying glass
In the box 'text to search for' type
AXACT
press 'enter'. The program will search the Registry looking for items."

Please confirm which one.

Thanks,

Drew :tazz:
  • 0

#10
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Sorry, typo.

I mean EXACT, good on you!
  • 0

#11
Drewski

Drewski

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
OK, here are the findings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Xbase\\Exact
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com

Thanks!
  • 0

#12
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Open Notepad.
Copy the text from the box to an empty file.
Save it as ‘exactrem.reg’ to your desktop.
Choose ‘save as all types *.*’
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Xbase\\Exact]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]

Doubleclick the file exactrem.reg
Give permission when asked for it, to let it merge to your registry.

Reboot your computer.

Use Registrar Lite to do a new search for EXACT. It should be gone now.
  • 0

#13
Drewski

Drewski

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
It didn't seem to work. I have four more lines. Here is what shows up:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Xbase\\Exact
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\\c
HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\reg\\a
HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\\ProgramsCache
HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\Shell\Bags\1\Desktop\\ItemPos1024x768(1)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com

Notepad did not give me the option of 'save as type: *.*', so I did 'save as type: all files'. I followed your other directions with no problems. Did I do something wrong?
  • 0

#14
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
arghh, Antispyware must be getting in the way.

I'll make a new one. Create it and go to safe mode. Disable Antispyware and do the new .reg file again. You did have an icon looking like bricks, didn't you?
  • 0

#15
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Xbase\\Exact]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\\c]
[-HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\reg\\a]
[-HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\\ProgramsCache]
[-HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]
[-HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\Shell\Bags\1\Desktop\\ItemPos1024x768(1)]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com]

Save it as remove.reg
on your desktop
type: all files

It should create an icon that looks like a bunch of bricks.
  • 0
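An added example, not part of the original posts: turning pasted registry search hits like the ones in posts #11 and #13 into a REGEDIT4 cleanup script. In .reg syntax `[-key]` removes a key, while a single value is removed with `"name"=-` under its `[key]` header. The script assumes the double backslash in the pasted results separates a key path from a value name, uses exactsearchbar.com (from the results above) as the indicator, and sets aside hits whose own name does not carry it; the function names are illustrative.

```python
# Subset of the search results posted in this thread, embedded so the script runs offline.
SEARCH_HITS = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Xbase\\Exact
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009\\Help
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\exactsearchbar.com
HKEY_USERS\S-1-5-21-4097411637-3242847100-1723214923-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\\ProgramsCache
"""

def parse_hit(line):
    """Split one hit into (key_path, value_name); value_name is None for a key."""
    # Assumption: "key\\value" marks a value hit, a plain path marks a key hit.
    key, sep, value = line.strip().partition("\\\\")
    return key, (value if sep else None)

def classify(hits, indicator):
    """Return (targets, review): hits named after the indicator, and all others."""
    targets, review, seen = [], [], set()
    for line in filter(None, (h.strip() for h in hits)):
        entry = parse_hit(line)
        if entry in seen:  # the search lists the same value once per matching string
            continue
        seen.add(entry)
        key, value = entry
        name = value if value is not None else key.rsplit("\\", 1)[-1]
        # A hit whose name lacks the indicator matched on its data only: review by hand.
        (targets if indicator.lower() in name.lower() else review).append(entry)
    return targets, review

def build_reg(targets):
    """Render REGEDIT4 text: [-key] deletes a key, "name"=- deletes one value."""
    out = ["REGEDIT4", ""]
    for key, value in targets:
        if value is None:
            out.append("[-%s]" % key)
        else:
            escaped = value.replace("\\", "\\\\").replace('"', '\\"')
            out += ["[%s]" % key, '"%s"=-' % escaped]
        out.append("")
    return "\r\n".join(out)

if __name__ == "__main__":
    targets, review = classify(SEARCH_HITS.splitlines(), "exactsearchbar.com")
    print(build_reg(targets))
    for key, value in review:
        print("; not deleted, review by hand:", key, "->", value)
```
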





