Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware/malware removal help


  • Please log in to reply
7 replies to this topic

#1 monsoon

monsoon

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 31 August 2005 - 12:07 PM

I'm trying to help a co-worker rid her home computer of what looks like a whole bunch of bad stuff. She has Win XP home and used IE6 to surf. The browser won't display any pages at all. She does have a connection to the internet, I can ping her DNS server. I ran adaware and with the VX2 plugin. The VX2 scan cam back clean. I ran microsoft beta spyware whatever thay call it (what used to be Giant) and it shows 37 different bad things including BargainBuddy. Here is the Hijackthis log:

(moderator edit: split off reply and moved post to the team forum for review and help. jgweed)

Logfile of HijackThis v1.99.1
Scan saved at 6:12:19 PM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A20E5862-B187-9C26-A921-BDC9D8C268E9} - C:\WINDOWS\System32\vryfrvo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\System32\abasa5jrp.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Thanks!

Edited by jgweed, 31 August 2005 - 03:27 PM.


BC AdBot (Login to Remove)

 


m

#2 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:34 AM

Posted 03 September 2005 - 10:35 AM

Welcome monsoon to Bleeping Computer.

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Reverse the process when you’ve carried out the advise.

***

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\IEXPLOR.EXE
C:\WINDOWS\System32\abasa5jrp.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

O2 - BHO: (no name) - {A20E5862-B187-9C26-A921-BDC9D8C268E9} - C:\WINDOWS\System32\vryfrvo.dll

O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\System32\abasa5jrp.exe

O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE

O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Reboot into normal mode. Reply back to this topic using the button 'add reply'. Post the log from Ewido as well as a fresh HijackThislog.


Posted Image
Life is what happens while you're making other plans

#3 monsoon

monsoon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 08 September 2005 - 05:46 PM

Thanks for the reply g2i2r4...

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:00:24 PM, on 9/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

And here is the ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:59:20 PM, 9/7/2005
+ Report-Checksum: A5738D39

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{018C5406-AEE6-4A68-980F-2CEB1E9416FB} -> Spyware.DesktopTraffic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0A7FC040-F84A-4AD7-9439-798B6C0F861E} -> Spyware.DesktopTraffic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{32A9D21F-F510-44DC-9EA6-0456EDA04668} -> Spyware.DesktopTraffic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4562B6F3-DAF8-464E-87B7-5464575F0D6A} -> Spyware.DesktopTraffic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C93CC79D-02D5-45B0-BE39-7F5B0E5DDA31} -> Spyware.DesktopTraffic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DA4B919F-B757-4E32-8D79-DEC5C2704C4B} -> Spyware.DesktopTraffic : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaPass.Installer -> Spyware.WinAd : Error during cleaning
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{DA15C9A2-C30A-4761-922A-5DFE7C9A1F67} -> Spyware.DesktopTraffic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Danny\Cookies\danny@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Danny\Cookies\danny@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Danny\Cookies\danny@clickagents[2].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Danny\Cookies\danny@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Danny\Cookies\danny@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Danny\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\thin-94-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Home\Local Settings\Temp\-1.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\thin-94-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Hijackthis\backups\backup-20050830-174556-675.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Media Pass\MediaPassC.dll -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\02D37915-B261-4888-B3CB-4E2AF8\92657837-AA18-4597-A0A8-AEE0E3 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\26E0B64F-6C6F-476E-B8B1-1F3F70\3D7A96E5-2766-440E-B62A-5AACCE -> Spyware.Beginto : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B1D97D9F-C487-486D-A8D4-BDB3AE\403B0EC5-4AAB-4E76-8B5B-467D63 -> Spyware.MyWay : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B9EF7368-8AC7-4065-93F8-4085B5\B1B0D8B7-0112-4C1F-9803-DD86B8 -> TrojanDropper.Small.mr : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\BA9A77FE-90A2-4B39-8AC5-7F9DDD\89C14B95-FD55-45CB-8CA1-A5C049 -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DBADFA04-452C-4F0C-865A-D46900\DCD9E0D4-8D18-4BD8-A51A-9DB2E2 -> Spyware.DlMax : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\S42NS.EXE -> Spyware.MyWay : Cleaned with backup
C:\Program Files\nwpkh9fn\14129131.exe -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\themesunlimited\tswaterwall-94495.zip\NNEZTA388.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\themesunlimited\tswaterwall-94495.zip\TBEZA127Q.exe -> Spyware.Quick : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0045835.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046874.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046888.ax/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046888.ax/C:/Program Files/CashBack/bin/cashback.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046888.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046888.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046889.vxd/C:/WINDOWS/System32/exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046889.vxd/C:/WINDOWS/System32/mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046889.vxd/C:/WINDOWS/System32/exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046889.vxd/C:/WINDOWS/System32/javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046889.vxd/C:/WINDOWS/System32/bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046889.vxd/C:/WINDOWS/System32/msexreg.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0046889.vxd/C:/WINDOWS/System32/instsrv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0047868.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0048867.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0049867.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0050865.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0052869.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0054867.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056878.ax/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056878.ax/C:/Program Files/CashBack/bin/cashback.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056878.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056878.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056879.vxd/C:/WINDOWS/System32/exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056879.vxd/C:/WINDOWS/System32/mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056879.vxd/C:/WINDOWS/System32/exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056879.vxd/C:/WINDOWS/System32/javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056879.vxd/C:/WINDOWS/System32/bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056879.vxd/C:/WINDOWS/System32/msexreg.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP125\A0056879.vxd/C:/WINDOWS/System32/instsrv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057931.exe -> TrojanDropper.Small.ff : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057939.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057942.dll -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057952.exe -> Spyware.TotalVelocity : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057954.dll -> Spyware.TotalVelocity : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057963.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057976.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057977.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057990.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057991.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057995.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057997.vxd/C:/WINDOWS/System32/exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057997.vxd/C:/WINDOWS/System32/mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057997.vxd/C:/WINDOWS/System32/exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057997.vxd/C:/WINDOWS/System32/javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057997.vxd/C:/WINDOWS/System32/bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057997.vxd/C:/WINDOWS/System32/msexreg.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0057997.vxd/C:/WINDOWS/System32/instsrv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0058009.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0058010.dll -> Spyware.ImiBar : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0058016.dll -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0058022.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0058023.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0058024.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP126\A0058039.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0060116.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0060130.dll -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP127\A0060132.exe -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP134\A0061528.exe -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP134\A0061548.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP134\A0061550.exe -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP134\A0061638.dll -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP134\A0062673.dll -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP134\A0062674.exe -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP134\A0062675.dll -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP136\A0075768.dll -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP136\A0075771.cpl -> TrojanDropper.Small.wc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP137\A0078017.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP137\A0078018.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP137\A0078019.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP137\A0078021.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP137\A0078044.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP137\A0078084.exe -> TrojanDownloader.Small.aly : Cleaned with backup
C:\WINDOWS\extract.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\iGator\Trickler3103_PIC_fs_DMPT.exe -> Adware.Gator : Cleaned with backup
C:\WINDOWS\My404.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\SYSTEM\kavoqg.exe -> TrojanDownloader.Small.aly : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cache\pop.exe -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cache\trgen_fran-162813.exe -> Spyware.HotSearchBar.d : Cleaned with backup
C:\WINDOWS\SYSTEM32\coqnqqb.exe -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\WINDOWS\SYSTEM32\pgbibbt.dll -> TrojanDownloader.Qoologic.i : Cleaned with backup
C:\WINDOWS\SYSTEM32\psis80ex.ax/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\psis80ex.ax/C:/Program Files/CashBack/bin/cashback.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack : Cleaned with backup
C:\WINDOWS\SYSTEM32\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack : Cleaned with backup
C:\WINDOWS\SYSTEM32\SHAgentNew.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\winup2date.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

It found a lot of stuff and cleaned most of it I think. The machine still won't connect to the internet. Does this from the HJT log have something to do with that?

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

Thanks for your help!

#4 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:34 AM

Posted 10 September 2005 - 06:22 AM

Let's see what's in there before we take that one on.
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and past the List from notepad into your post



Posted Image
Life is what happens while you're making other plans

#5 monsoon

monsoon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 19 October 2005 - 10:33 AM

Sorry it took so long...they went on a long vacation. Here it is. Thanks.

ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Broadcom Advanced Control Suite
Business Contact Manager for Outlook 2003
Conexant SmartHSFi V.9x 56K DF PCI Modem
DA920EN
DAO
Dell AIO Printer A920
Dell Digital Jukebox Driver
Dell Media Experience
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Digital Line Detect
DS21Patch
DVD43 v3.0.4
DVDSentry
ewido security suite
HijackThis 1.99.1
ICopyDVDs2 3.2.3
Java 2 Runtime Environment, SE v1.4.2
Lavasoft VX2 Cleaner
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
Mavis Beacon Teaches Typing
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Small Business Edition 2003
Modem Helper
Mozilla Firefox (1.0.6)
Musicmatch® Jukebox
NetWaiting
Outlook Express Q837009
Paint Shop Pro 7
Poppit To Go
PowerDVD
Quicken 2002 Deluxe
QuickTime
RealPlayer
RealRhapsody
SBC Yahoo! Applications
SBC Yahoo! Messenger
Shockwave
ShopAtHomeSelect Cash Back
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
WebCam for MSN Messenger
Windows AFA Internet Enhancement
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
WinZip
Yahoo! Messenger
Yahoo! Toolbar
ZoneAlarm Security Suite

#6 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:34 AM

Posted 19 October 2005 - 02:43 PM

No problem, I'm around somewhere. I didn't get notified, so sorry for the late respons.

Remove ShopAtHomeSelect Cash Back
Move to Start > Settings > Control Panel
Double click Add/Remove Programs.
Within Add/Remove programs click the "Install/Uninstall" tab or click the "Change or Remove Programs" button.
Within this section you will see a listing of programs that are currently installed that support this feature. If the program I’m advising you to uninstall is listed within this list, highlight it and click the Add/Remove or uninstall option or button.

***

Use Windows Explorer to remove this folder:
C:\Program Files\MySearch\

***

Download LSPfix.

To start the LSPfix....Close all windows except LSPfix

Launch LSPfix.zip and install to its own folder, then click on LSPfix.exe. Or click on LSPfix.exe and it will launch the program.

In the left hand (keep) LSPfix window there will be a list of files including newdotnet6_38.dll.

Put a check mark in the box “I know what I am doing”

Move all instances of the newdotnet6_38.dll, from the left window (keep) to the right window (remove) by highlighting the file or files and clicking the arrow.

Click ‘Finish’

***

Reboot the computer.

***

Use Windows Explorer to remove this folder:
c:\program files\newdotnet\

***

Is the computer running ok now?


Posted Image
Life is what happens while you're making other plans

#7 monsoon

monsoon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 27 October 2005 - 09:55 PM

Yes! They are back to surfing. There are still quite a few pop ups. We HTTPd into their DSL router and got pop ups...Spybot, adaware and ewido all found stuff, and we got rid it all, but the pop ups persist. I'm thinking there is still something there...anything else to run?

Thanks so much!

#8 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:34 AM

Posted 28 October 2005 - 01:17 PM

Let's see what we can find.
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log”
  • Click on the button "Generate StartupList log"
  • Copy and past the StartupList from notepad into your post



Posted Image
Life is what happens while you're making other plans




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users