Home Search Spyware

  1. 22-09-2004  #1
    pleli
    pleli is offline Newbie

    Smile Re: ads234 problem

    Hi, my computer is infected with the "home search" adware and I need some help getting rid of it. I downloaded hijackthis-v1.98.2 and ran it with these results:Logfile of HijackThis v1.98.2
    Scan saved at 10:48:20 AM, on 9/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ieaa32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Exit Killer\Ekiller.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\atlkw.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Pat\Local Settings\Temporary Internet Files\Content.IE5\S5UV8HMN\hijackthis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sehdo.dll/sp.html#23999
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sehdo.dll/sp.html#23999
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sehdo.dll/sp.html#23999
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sehdo.dll/sp.html#23999
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sehdo.dll/sp.html#23999
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sehdo.dll/sp.html#23999
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sehdo.dll/sp.html#23999
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Pat\Application Data\Mozilla\Profiles\default\xwnttxo3.slt\prefs.j s)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Pat\Application Data\Mozilla\Profiles\default\xwnttxo3.slt\prefs.j s)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C8C8A151-76F3-510A-98BE-BFE138C95A1A} - C:\WINDOWS\system32\atlwh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ExitKiller] C:\Program Files\Exit Killer\Ekiller.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [atlkw.exe] C:\WINDOWS\atlkw.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsa vings_script0.htm
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'vnsp.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS....viewpoint.com
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...bio5_0_1_0.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)

    Any help would be greatly appreciated.
  2. 23-09-2004  #2
    owen
    owen is offline D-A-L Team Member (UK)
    1. ActiveServices ...
      • Please download GetService.zip
      • Extract it to a new folder in the desktop. Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder. It will then open getservice.txt for you.
      • getservice.txt will list all active Services. Copy and paste the contents of getservice.txt in your next reply here.
    From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work
  3. 23-09-2004  #3
    pleli
    pleli is offline Newbie
    The getservice text document was too large to post, so I split it into 2 parts:
    Attached Files
  4. 23-09-2004  #4
    owen
    owen is offline D-A-L Team Member (UK)
    1. Download AboutBuster. Unzip it to c:\aboutbuster but don't run it yet we'll do that later on down in this list in SAFE MODE.
    2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process. With that in mind, read through the instructions and download all necessary files ahead of time. Opening IE may cause the fix to fail
    3. Make sure your PC is configured to show hidden files. Open Windows Explorer & Go to "Tools" => "Folder Options". Click on the "View" tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK"
    4. Reboot to Safe Mode => How do I boot into safe mode?
    5. Next, go to Start => Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called
      • Network Security Service

      When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
    6. Press control-alt-delete to get into the task manager and end the follow processes if they exist:
      • ieaa32.exe
    7. Run HijackThis and put checks next to all the following, then click "Fix Checked":
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sehdo.dll/sp.html#23999
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sehdo.dll/sp.html#23999
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sehdo.dll/sp.html#23999
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sehdo.dll/sp.html#23999
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sehdo.dll/sp.html#23999
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sehdo.dll/sp.html#23999
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sehdo.dll/sp.html#23999
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - Default URLSearchHook is missing
        O2 - BHO: (no name) - {C8C8A151-76F3-510A-98BE-BFE138C95A1A} - C:\WINDOWS\system32\atlwh.dll
        O4 - HKLM\..\Run: [atlkw.exe] C:\WINDOWS\atlkw.exe
    8. Delete the following files if present (If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.):
      • C:\WINDOWS\system32\atlwh.dll
        C:\WINDOWS\atlkw.exe
        C:\WINDOWS\system32\ieaa32.exe
    9. Next, we will remove the offending service.
      1. Go to "Start" => "Run" and type in regedit and press "Enter".
      2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\O?’ŽrtñåȲ$Ó.
      3. If O?’ŽrtñåȲ$Ó exists , right click on it and choose delete from the menu.
      4. Now navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_O?’ŽrtñåȲ$Ó
      5. If LEGACY_O?’ŽrtñåȲ$Ó exists then right click on it and choose delete from the menu.
      6. If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.
    10. Browse to c:\aboutbusterand double click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.
    11. Copy the contents of the Quote Box below (Listed after all steps) to Notepad. Name the file as fix.reg. Change the Save as Type to All Files. Save this file on the desktop
    12. Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
    13. Run Ad-Aware with the latest update.
      1. Download the latest version of Ad-Aware (Ad-Aware SE Build 1.03) from here.
      2. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
      3. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
      4. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
      5. Once the definitions have been updated:
      6. Reconfigure Ad-Aware for Full Scan as per the following instructions:
        • Launch the program, and click on the Gear at the top of the start screen.
        • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
          • "Automatically save logfile"
          • Automatically quarrantine objects prior to removal"
          • Safe Mode (always request confirmation)
          • Prompt to update outdated confirmation) - Change to 7 days.
        • Click the "Scanning" button (On the left side).
        • Under Drives & Folders, select "Scan within Archives"
        • Click "Click here to select Drives + folders" and select your installed hard drives.
        • Under Memory & Registry, select all options.
        • Click the "Advanced" button (On the left hand side).
        • Under "Shell Integration", select "Move deleted files to Recycle Bin".
        • Under "Log-file detail", select all options.
        • Click on the "Defaults" button on the left.
        • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
        • Click the "Tweak" button (Again, on the left hand side).
        • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol) and select the following:
          • "Unload recognized processes during scanning."
          • "Obtain command line of scanned processes"
          • "Scan registry for all users instead of current user only"
        • Under "Cleaning Engine", select the following:
          • "Automatically try to unregister objects prior to deletion."
          • "During removal, unload explorer and IE if necessary"
          • "Let Windows remove files in use at next reboot."
          • "Delete quarrantined objects after restoring"
        • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
        • Click on "Proceed" to save these Preferences.
        • Click on the "Scan Now" button on the left.
        • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
      7. Close all programs except ad-aware.
      8. Click on "Next" in the bottom right corner to start the scan.
      9. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
      10. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.
    14. Clean out temporary and temporary Internet files. Go to "Start" => "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "ok" to remove:
      • Temporary Files
      • Temporary Internet Files
      • Recycle Bin
    15. Reboot to normal mode.
    16. NOTE: Two, possibly three files may have been deleted from your computer by the hijacker and may need to be replaced:
      • Control.exe. If control. exe is missing go to merijn and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
      • hosts (with no extension). Download the Hoster. Press "Restore Original Hosts" and press "OK". Exit Program. Note: if you were using a custom Hosts file you will need to replace any of those entries yourself
      • SDHelper.dll (if you are using Spybot Search & Destroy). If you have Spybot S&D installed and SDHelper.dll is missing, replace it with this one. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
    17. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.In IE, click on "Tools" => "Internet Options" and under the "Security" tab, click on "Custom Level" and make sure that the following settings are correct:
      • Download signed ActiveX controls (Prompt)
      • Download unsigned ActiveX controls (Disable)
      • Initialize and script ActiveX controls not marked as safe (Disable)
      • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
      • Script ActiveX controls marked safe for scripting (Prompt)
    18. Do an online scan at TrendMicro's site. Let it remove any infected files found.
    19. Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review.
    Quote box for Step #11
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\SW]
  5. 26-09-2004  #5
    pleli
    pleli is offline Newbie
    Thanks for your help Owen. Here are the new logs from hijackthis and aboutbuster:Logfile of HijackThis v1.98.2
    Scan saved at 8:19:48 AM, on 9/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Exit Killer\Ekiller.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Microsoft Hardware\Mouse\POINT32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Pat\My Documents\My Videos\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jylah.dll/sp.html#23999
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jylah.dll/sp.html#23999
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jylah.dll/sp.html#23999
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jylah.dll/sp.html#23999
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jylah.dll/sp.html#23999
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jylah.dll/sp.html#23999
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jylah.dll/sp.html#23999
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Pat\Application Data\Mozilla\Profiles\default\xwnttxo3.slt\prefs.j s)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Pat\Application Data\Mozilla\Profiles\default\xwnttxo3.slt\prefs.j s)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {66E7A648-A2D0-B506-715E-8D564D8364C2} - C:\WINDOWS\system32\netoq32.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ExitKiller] C:\Program Files\Exit Killer\Ekiller.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [atlkw.exe] C:\WINDOWS\atlkw.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsa vings_script0.htm
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'vnsp.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS....viewpoint.com
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...bio5_0_1_0.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)

    Scanned at: 8:42:39 AM on: 9/26/2004


    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 4 Random Key Entries
    Deleted 1 Service Keys Successfully!
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 4 Random Key Entries
    Attempted Clean Of Temp folder.
    Pages Reset... Done!
  6. 26-09-2004  #6
    owen
    owen is offline D-A-L Team Member (UK)
    Post another GetActiveServices log. Stay online until I answer you. I will do it as soon as you have posted the log.
  7. 27-09-2004  #7
    pleli
    pleli is offline Newbie
    Owen, here is the new aboutbuster log:Scanned at: 8:42:39 AM on: 9/26/2004


    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 4 Random Key Entries
    Deleted 1 Service Keys Successfully!
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 4 Random Key Entries
    Attempted Clean Of Temp folder.
    Pages Reset... Done!






    Scanned at: 9:13:56 AM on: 9/27/2004


    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 4 Random Key Entries
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 4 Random Key Entries
    Attempted Clean Of Temp folder.
    Pages Reset... Done!
  8. 28-09-2004  #8
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    pleli, please could you post a new GetActive Services log, the one that you attached above.

    Make sure you do leave your computer logged on and keep IE closed throughout the removal process. If you don't leave your computer logged on, we will just go into a constant circle of fails. If you can't leave your computer on, send me a Private Message and we'll arrange a time that both you and I will be Online so we can sort out the problem.
+ Reply to Thread
« midaddle/ads234 problem, hijack this log included | ADS234 again... »