Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

search2web spyware [RESOLVED]

Started by beccyboo_18 , Aug 07 2005 09:45 AM

  • This topic is locked This topic is locked

#1
beccyboo_18
Posted 07 August 2005 - 09:45 AM

beccyboo_18

    Member

  • Member
  • PipPip
  • 13 posts
hey i realised that when installing msnplus spyware has come thro with it and now i cant get it off my computer. i have searched the internet and have found that by aquiring hijack this and posting a msg that it is easier and safer to get knowledge of how to get rid of this. i have had problems with it as in, it has installed its own searchbar on the top of all my internet pages, popup ads keeping jumping up at me, it keeps changing my homepage and occasionally closing the internet page i have open. i have uninstalled msnplus, firstly i removed the sponsers and that didnt help so i completly removed it. i wasnt sure what else to do so thats when i can to this site. i have downloaded and run hijackthis and this is what it showed:

Logfile of HijackThis v1.99.1
Scan saved at 11:34:44 PM, on 7/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\sllights.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cswwoypup...hZvuEE6B9U.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {5E813310-699C-98AE-B73C-1974A9D4463D} - C:\DOCUME~1\Gail\APPLIC~1\JUMPSH~1\more cast.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\System32\cvkq.exe
O4 - HKLM\..\Run: [Grid Size Fast Soft] C:\Documents and Settings\All Users\Application Data\site send grid size\log exit.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6au.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D0764C9-12EC-44EB-AE4E-2CF2B0057EF2}: NameServer = 203.49.70.20 139.134.2.190
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

im not sure what else to do so PLEASE HELP!!!!!! will be waiting for a reply......
:tazz:
  • 0

Advertisements

#2
bricat
Posted 08 August 2005 - 08:53 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Welcome to the Geeks To Go forum.:tazz:

Rerun HJT,and put a checkmark beside these :-


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cswwoypup...hZvuEE6B9U.html
O2 - BHO: (no name) - {5E813310-699C-98AE-B73C-1974A9D4463D} - C:\DOCUME~1\Gail\APPLIC~1\JUMPSH~1\more cast.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\System32\cvkq.exe
O4 - HKLM\..\Run: [Grid Size Fast Soft] C:\Documents and Settings\All Users\Application Data\site send grid size\log exit.exe

now close all windows and browsers and click FIX CHECKED


download and run this LOP UNINSTALLER


then reboot and post a fresh Hijackthis log.
  • 0

#3
beccyboo_18
Posted 11 August 2005 - 04:14 AM

beccyboo_18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
:) :tazz: It all looks good so far. No SearchBar, no redirecting of homepage, no stupid popups!!! THANKYOU So much that is the most annoying spyware ever!! i have posted my hijackthis list and if you could check over it and hopefully give me the okay that would be great!! is there any way you no of to get msnplus without that spyware???

Logfile of HijackThis v1.99.1
Scan saved at 6:06:19 PM, on 11/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sllights.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {0542C6B6-F442-9CF6-E105-02926D01DEF1} - C:\DOCUME~1\Beckles\APPLIC~1\JUMPSH~1\more cast.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Book Dart] C:\DOCUME~1\Beckles\APPLIC~1\BALMTI~1\Save License Inside.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6au.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[FONT=Geneva]

Thanks again[FONT=Opti[FONT=Geneva]ma][COLOR=green][B] ;)
  • 0

#4
bricat
Posted 11 August 2005 - 04:50 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
can you please go back to a standard font on your notepad, that is impossible to read, 1 letter can be the difference between a virus and a legitimate file. :tazz:
  • 0

#5
beccyboo_18
Posted 11 August 2005 - 05:04 AM

beccyboo_18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
It all looks good so far. No SearchBar, no redirecting of homepage, no stupid popups!!! THANKYOU So much that is the most annoying spyware ever!! i have posted my hijackthis list and if you could check over it and hopefully give me the okay that would be great!! is there any way you no of to get msnplus without that spyware???

Logfile of HijackThis v1.99.1
Scan saved at 6:06:19 PM, on 11/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sllights.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {0542C6B6-F442-9CF6-E105-02926D01DEF1} - C:\DOCUME~1\Beckles\APPLIC~1\JUMPSH~1\more cast.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Book Dart] C:\DOCUME~1\Beckles\APPLIC~1\BALMTI~1\Save License Inside.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6au.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thanks again
  • 0

#6
bricat
Posted 11 August 2005 - 05:16 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Rerun HJT,and put a checkmark beside these :-


O2 - BHO: (no name) - {0542C6B6-F442-9CF6-E105-02926D01DEF1} - C:\DOCUME~1\Beckles\APPLIC~1\JUMPSH~1\more cast.exe
O4 - HKCU\..\Run: [Book Dart] C:\DOCUME~1\Beckles\APPLIC~1\BALMTI~1\Save License Inside.exe

now close all windows and browsers and click FIX CHECKED


then reboot and post a fresh Hijackthis log. to check they have gone.

download messengerplus again and when you get to the Sponsor Agreement select the option which reads,’I Refuse,
do not install the sponsor program’.
  • 0

#7
beccyboo_18
Posted 11 August 2005 - 08:07 AM

beccyboo_18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ok did the hijackthis again and fix checked the ones you said this is my log now:
Logfile of HijackThis v1.99.1
Scan saved at 10:05:34 PM, on 11/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sllights.exe
C:\Program Files\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sbseinptq...dhZvuEE6B9U.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ljpskpncm...KFgXnxB_K2c.htm
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sixth load logo frag] C:\Documents and Settings\All Users\Application Data\Meal Warn Sixth Load\manager tons.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6au.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D0764C9-12EC-44EB-AE4E-2CF2B0057EF2}: NameServer = 203.49.70.20 139.134.2.190
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

plus the searchbar is back and the icons on desktop and the popup adds!!
  • 0

#8
bricat
Posted 11 August 2005 - 08:22 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Please download and run this LOP UNINSTALLER again.

the REBOOT and post a fresh HJT log.
  • 0

#9
beccyboo_18
Posted 11 August 2005 - 08:38 AM

beccyboo_18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ok i did all of that and this is my log

Logfile of HijackThis v1.99.1
Scan saved at 10:35:31 PM, on 11/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Book Dart] C:\DOCUME~1\Beckles\APPLIC~1\BALMTI~1\Save License Inside.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6au.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#10
bricat
Posted 11 August 2005 - 09:05 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Just the 1 that doesn't want to be removed.

Boot up in SAFE MODE

Then navigate to and delete these files\folders in BOLD


C:\DOCUMENTS AND SETTINGS\Beckles\APPLICATION DATA\BALMTI<----folder starting with these 6 letters.


then reboot and post a fresh Hijackthis log.
  • 0

Advertisements

#11
beccyboo_18
Posted 13 August 2005 - 01:24 AM

beccyboo_18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ok did all that and it still has the searchbar across the top. i run that lopremover again and the searchbars still there. this is my log.

Logfile of HijackThis v1.99.1
Scan saved at 3:22:55 PM, on 13/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sllights.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {0542C6B6-F442-9CF6-E105-02926D01DEF1} - C:\DOCUME~1\Gail\APPLIC~1\JUMPSH~1\more cast.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Book Dart] C:\DOCUME~1\Beckles\APPLIC~1\BALMTI~1\Save License Inside.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6au.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D0764C9-12EC-44EB-AE4E-2CF2B0057EF2}: NameServer = 203.49.70.20 139.134.2.190
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#12
bricat
Posted 13 August 2005 - 03:40 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Try this

right click on the search bar and select HELP. then select DISABLE. follow the prompts and if it asks you to insert a code, do so.

see if the search bar disappears.
  • 0

#13
beccyboo_18
Posted 13 August 2005 - 03:43 AM

beccyboo_18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
yeah it got rid of it but im still getting popups so have i still got the virus or has it gone?
  • 0

#14
bricat
Posted 13 August 2005 - 05:06 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Please download the trial version of Ewido Security Suite from
here. Install it and
update the program with the latest definitions. Setup the program
following the instructions here and then close it without running a scan.

Reboot into Safe Mode

Then please run Ewido security suite, and perform a full system scan.
Remove anything found,

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

* Click Save report
* Save the report to your desktop.


then reboot normally, and post a new HJT log, and the scan log from Ewido.
  • 0

#15
beccyboo_18
Posted 13 August 2005 - 11:38 AM

beccyboo_18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ok so i did all that but the first time i did the scan i forgot to put it in safe mode and didnt realise until it was nearly finished. this is the report from that one:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:01:05 PM, 13/08/2005
+ Report-Checksum: 55E874FC

+ Scan result:

[1936] C:\DOCUME~1\Gail\APPLIC~1\JUMPSH~1\more cast.exe -> TrojanDownloader.Swizzor.bo : Cleaned with backup
[2376] C:\DOCUME~1\Gail\APPLIC~1\JUMPSH~1\more cast.exe -> TrojanDownloader.Swizzor.bo : Error during cleaning
C:\Documents and Settings\Beckles\Cookies\beckles@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@lop[2].txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\beckles@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Beckles\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@lop[2].txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\breedle@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Breedle\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\[email protected][1].txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\[email protected][1].txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@lop[1].txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\gail@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\[email protected][1].txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\Documents and Settings\Gail\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{5E8484D4-FE21-4B43-8C76-A4C41B91A096}\RP38\A0003949.exe -> Spyware.Lop : Cleaned with backup
C:\System Volume Information\_restore{5E8484D4-FE21-4B43-8C76-A4C41B91A096}\RP87\A0022719.exe -> Spyware.Lop : Cleaned with backup
C:\System Volume Information\_restore{5E8484D4-FE21-4B43-8C76-A4C41B91A096}\RP90\A0023500.exe -> Spyware.Lop : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup


::Report End

then i put it in safe mode and did another scan. this is the report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:27:42 AM, 14/08/2005
+ Report-Checksum: F5E491D1

+ Scan result:

C:\Documents and Settings\Beckles\Cookies\beckles@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup


::Report End

then i did a hijack this and this is the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:33:25 AM, on 14/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sllights.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {0542C6B6-F442-9CF6-E105-02926D01DEF1} - C:\DOCUME~1\Gail\APPLIC~1\JUMPSH~1\more cast.exe (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Book Dart] C:\DOCUME~1\Beckles\APPLIC~1\BALMTI~1\Save License Inside.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6au.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

hope that helps and i didnt stuff it up by doing it in normal mode first instead of safe mode.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP