spybot shutsdown before cleaning what it finds [RESOLVED]


  • This topic is locked

#16
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Visit Kaspersky and do an online scan.

Post back the scan report


#17
shard92

    Member 1K

  • Topic Starter
  • Member
  • 1,129 posts
Here is the report from Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, August 25, 2005 15:10:15
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/08/2005
Kaspersky Anti-Virus database records: 136999
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 39469
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 1992 sec

Infected Object Name - Virus Name
C:\Program Files\NetGuide\BHO\NetGuideBHO170.dll Infected: Trojan.Win32.Keenval.a
C:\Program Files\NetGuide\BHO\NG_Remover.exe/data0002/data0002 Infected: Trojan-Downloader.Win32.Small.alx
C:\Program Files\NetGuide\BHO\NG_Remover.exe/data0002 Infected: Trojan-Downloader.Win32.Small.alx
C:\Program Files\NetGuide\BHO\NG_Remover.exe Infected: Trojan-Downloader.Win32.Small.alx

Scan process completed.


I'm confused: does this scan remove these or only report them?

#18
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Do you know this Net Guide ????

If not then do the following -

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).


Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

NetGuide

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folder -

C:\Program Files\NetGuide

Reboot the PC in Normal Mode.

Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.

#19
shard92

    Member 1K

  • Topic Starter
  • Member
  • 1,129 posts
Nope, don't know NetGuide, and it wasn't listed in Add/Remove, which is usually a bad sign! I did find and delete its directory though. SpySweeper did find and remove stuff. Here is the log:


Maybe I should try Spybot again?!?

#20
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Sure, Run Spybot and if possible post its log here

#21
shard92

    Member 1K

  • Topic Starter
  • Member
  • 1,129 posts
Well, Spybot at least let me save a log this time. It also isn't detecting quite so many any more, but it still just dumps to desktop when you tell it to fix the 17 things it finds...


--- Search result list ---
eXact Advertising.BargainsBuddy: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ZESOFT

HotsearchBar: Data (File, nothing done)
C:\WINDOWS\system32\kdlmjh8r.dat

ISearchTech.PowerScan: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\BandRest

Exact Advertising.BargainsBuddy: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil

MyWay.MyBar: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\MyWay

ShopAtHome: Data (File, nothing done)
C:\WINDOWS\system32\tm97pj39.dat

ShopAtHome: Data (File, nothing done)
C:\WINDOWS\system32\p1fumi62.dat

WildTangent: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2475787118-2243756110-418572186-1006\Software\WildTangent

WildTangent: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{3A7FE611-1994-4ef1-A09F-99456752289D}

WildTangent: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{1DE680D4-84B7-4239-A887-9482A29DBE14}

WildTangent: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{25F53F41-0C37-40FA-AE9F-A260DB2D64CF}

WildTangent: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{4A165BD0-165F-474F-AF66-40CD5AC4613E}

WildTangent: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wtControlPanel

WildTangent: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\WildTangent.ActiveLauncher

WildTangent: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\WildTangent.ActiveLauncher.1

WildTangent: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3A7FE611-1994-4ef1-A09F-99456752289D}

WildTangent: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WildTangent CDA




Part of Spybot log edited out

Edited by tampabelle, 26 August 2005 - 11:37 AM.


#22
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Copy the part in bold below into Notepad and save it as fix.reg
Save as type: All files (the first line in the file should be REGEDIT4)


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ZESOFT]

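; BandRest is a registry value (see the Spybot log), so it is deleted by name under its parent key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"BandRest"=-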

[-HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MyWay]

[-HKEY_USERS\S-1-5-21-2475787118-2243756110-418572186-1006\Software\WildTangent]

[-HKEY_CLASSES_ROOT\CLSID\{3A7FE611-1994-4ef1-A09F-99456752289D}]

[-HKEY_CLASSES_ROOT\Interface\{1DE680D4-84B7-4239-A887-9482A29DBE14}]

[-HKEY_CLASSES_ROOT\Interface\{25F53F41-0C37-40FA-AE9F-A260DB2D64CF}]

[-HKEY_CLASSES_ROOT\TypeLib\{4A165BD0-165F-474F-AF66-40CD5AC4613E}]

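; wtControlPanel is a registry value (see the Spybot log), so it is deleted by name under its parent key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls]
"wtControlPanel"=-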

[-HKEY_LOCAL_MACHINE\Software\Classes\WildTangent.ActiveLauncher]

[-HKEY_LOCAL_MACHINE\Software\Classes\WildTangent.ActiveLauncher.1]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3A7FE611-1994-4ef1-A09F-99456752289D}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WildTangent CDA]


Double-click the file and confirm you want to merge it with the registry.


Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\WINDOWS\system32\kdlmjh8r.dat
C:\WINDOWS\system32\tm97pj39.dat
C:\WINDOWS\system32\p1fumi62.dat


If you have problems in deleting the files, then reboot the PC in Safe Mode and then delete the files.
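
Added example (not part of the original posts): Spybot labels each finding as a registry key, a registry value or a file, and a .reg file removes a key with [-key] but a value with "name"=- under its parent key. The Python sketch below turns a Spybot result list into such a file and sets file findings aside for manual deletion; the sample entries are copied from the log in post #21, and the function names are assumptions of this example.

```python
import re

# Subset of the Spybot "Search result list" entries from post #21.
SAMPLE_LOG = r"""
ISearchTech.PowerScan: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\BandRest

MyWay.MyBar: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\MyWay

ShopAtHome: Data (File, nothing done)
C:\WINDOWS\system32\tm97pj39.dat

WildTangent: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{3A7FE611-1994-4ef1-A09F-99456752289D}

WildTangent: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wtControlPanel
"""

# "Product: category (kind, action)" line that precedes each path line.
HEADER = re.compile(
    r"^(?P<product>[^:]+): (?P<what>.+) "
    r"\((?P<kind>Registry key|Registry value|File), [^)]*\)$"
)

def parse_spybot(log):
    """Return (product, kind, path) for each header line + path line pair."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    entries = []
    for head, path in zip(lines, lines[1:]):
        m = HEADER.match(head)
        if m and not HEADER.match(path):
            entries.append((m["product"], m["kind"], path))
    return entries

def build_reg(entries):
    """Build REGEDIT4 text; return (reg_text, files_to_delete_by_hand)."""
    out, files, seen = ["REGEDIT4", ""], [], set()
    for product, kind, path in entries:
        if path.lower() in seen:          # registry paths are case-insensitive
            continue
        seen.add(path.lower())
        if kind == "File":
            files.append(path)            # a .reg file cannot delete files
        elif kind == "Registry key":
            out += [f"; {product}", f"[-{path}]", ""]
        else:
            # Value: last path component is the value name, the rest its key.
            # Names containing quotes or backslashes would need escaping.
            key, _, name = path.rpartition("\\")
            out += [f"; {product}", f"[{key}]", f'"{name}"=-', ""]
    return "\r\n".join(out), files

if __name__ == "__main__":
    reg_text, files = build_reg(parse_spybot(SAMPLE_LOG))
    print(reg_text)
    print("Delete by hand:", files)
```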

#23
shard92

    Member 1K

  • Topic Starter
  • Member
  • 1,129 posts
Thank you kindly..... I ran Spybot again and it came up with two and fixed both. In other words it seems like we got it all. And people around here think I'm good with this stuff!!!! Thanks again.

#24
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
How is your PC behaving now ???? Any issues with it ???

#25
shard92

    Member 1K

  • Topic Starter
  • Member
  • 1,129 posts
Seems to be running fine.
Pop-ups gone, connecting running fine on internet, etc..... This isn't my laptop, however; it's a friend's who was getting ready to leave for college (one reason I wanted to be as thorough as possible), so I'm sure she will be grateful as well.... Thanks again...


#26
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please visit Windows security and critical updates and install all updates / patches it finds.

It may take a little bit of time to get all the updates since you haven't done updates in a long time !!! Be patient.

After all the updates are installed, you will need to reboot the PC.

Post back a fresh HJT log after rebooting.

#27
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.