TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Animesh on November 30, 2004, 10:59:21 PM
-
Hi,
A few days back I found bargain.exe installed on my system. I don't know how, but it happened. After that I kept on trying to remove bargain, but it was not working. Later I found some help on the net and somehow was able to get rid of it. But pop-ups are still appearing. Not sure why.
I am pasting the HijackThis log below. Please help.
Logfile of HijackThis v1.97.7
Scan saved at 11:05:49 AM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Remote Access\Cisco VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Animesh\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=107312
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Portal Software VPN Client.lnk = C:\Program Files\Remote Access\Cisco VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=c695addc126925fea4417da94491be1358d22cd05c4cc745395a86b3c678a9882f0d979c46d71b06b9c2991aeeb9cbb0c21bd1927eb34e862c26b9b49d65dd615c:90c9c6e760fb23a76bdb35b5342e9fc3
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096386280492
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{466555B1-3C2C-4F24-A80C-CA9CBBC06AEF}: NameServer = 203.195.198.66,203.195.188.66
Rgds,
Animesh
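Added example, not part of the post and not HijackThis's own code: a short Python triage of the log format above. It flags the entry types a helper reads first: R1 search settings, O2 BHOs and O4 Run entries loading straight from the Windows folder, O16 ActiveX downloads from hosts outside an allowlist, and O17 DNS servers. The allowlist and the heuristics are assumptions for this example; the sample lines are copied from the log above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=107312
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{466555B1-3C2C-4F24-A80C-CA9CBBC06AEF}: NameServer = 203.195.198.66,203.195.188.66
"""

# Assumption for this example: hosts from which ActiveX (O16) downloads are expected on this PC.
TRUSTED_DPF_HOSTS = {"www.apple.com", "download.macromedia.com", "v5.windowsupdate.microsoft.com"}
# Heuristic: a DLL or EXE sitting directly in the Windows folder (not a subfolder) is unusual.
WINDOWS_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.(?:dll|exe)$", re.I)

def parse_line(line):
    # Split an entry such as "O2 - rest" into (section, rest); None for non-entry lines.
    m = re.match(r"^([RFNO]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(line):
    # Return a one-line finding for an entry that deserves a closer look, or None.
    parsed = parse_line(line)
    if not parsed:
        return None
    sec, rest = parsed
    if sec in ("R0", "R1") and "=" in rest:            # IE start/search page settings
        host = urlparse(rest.split("=", 1)[1].strip()).hostname
        return f"{sec}: IE search/start setting points at {host}"
    path = rest.rsplit(" - ", 1)[-1] if sec == "O2" else ""   # BHO: path is the last field
    if sec == "O4":                                    # Run key: command follows "[name] "
        cmd = rest.split("] ", 1)[-1]
        path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    if WINDOWS_ROOT.match(path):
        return f"{sec}: binary loaded directly from the Windows folder: {path}"
    if sec == "O16":                                   # ActiveX download source
        host = urlparse(rest.rsplit(" - ", 1)[-1]).hostname
        if host not in TRUSTED_DPF_HOSTS:
            return f"O16: ActiveX download from non-allowlisted host {host}"
    if sec == "O17":                                   # DNS servers set in the registry
        return "O17: custom DNS servers " + rest.split("=", 1)[1].strip() + " (confirm they are your ISP's)"
    return None

def triage_log(text):
    # Run triage over every line of a log and return the findings in order.
    return [f for f in (triage(l) for l in text.splitlines()) if f]
```

Entries the heuristics do not catch (a rogue DLL in System32, for instance) still need the manual look the reply below gives them.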
-
Hi Animesh, I see you have Ad-watch running on your computer. It's a great defense, but unfortunately it can deter us from doing any fixes, as it protects homepage settings and certain areas of the registry.
Can you please disable Ad-Watch and RESTART your computer
Keep Ad-watch disabled until we have you totally clean
This link will explain how to disable it
http://www.lavasofthelp.com/faq/adwatchauto.shtml
Before Restarting your computer, can you Access your Add/Remove Programs and Remove if found
Twain-tech
Wind updates
Then restart your computer
Back in Windows:
Speaking of Ad-watch, having this running tells me you have the paid version of Ad-Aware 6
Unfortunately, as of the beginning of November, Ad-Aware 6 is no longer supported, and both paid members and free-version users are being recommended to update.
This link will explain how to update
http://www.lavasoftusa.com/
Click on
Important notice for users of Ad-Aware 6 all versions!
Again, don't enable Ad-watch after upgrading
If for some reason you can't update, you should install the latest free version
I can supply a link later
After you have upgraded and Checked for updates
Don't run a scan yet
Instead, can you Download and Install Spybot S&D 1.3 (http://www.download.com/3000-8022-10122137.html)
This is free and complements Ad-Aware very well
I use both, and they are both recommended
Spybot 1.3 is the latest version; if you're using a later version, please uninstall it and install this one
During installation, please don't enable TEA TIMER
This works much like Ad-Aware's Ad-watch and will or may prevent any fixes
After installation--SEARCH FOR UPDATES
Check and download All updates
Again, don't run this yet
Download and save to desktop the Standalone version of CWShredder (http://www.download.com/3001-8022_4-10329103.html)
Close out all browsers, including this window
Double click to Run CWInstall
In CWShredder click the FIX button
Let it FIX all problems
RESTART your computer
Back in Windows
Open Ad-Aware SE Personal 1.05 if you updated
Be sure to Check for updates
Set these additional options if not checked already
Open Ad-aware---Click the GEAR at the top
# Click on the General button on the left hand side.
  1. Make sure the following items under the Safety category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
     1. Automatically save logfile
     2. Automatically quarantine objects prior to removal
     3. Safe Mode (always request confirmation)
# Next click on the Advanced button on the left hand side.
  1. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
     1. Include additional object information
     2. Include negligible objects information
     3. Include environment information
     4. Include Alternate data stream details in log file
# Next click on the Tweak button on the left hand side.
  1. Then click on the + (plus) sign next to the Log Files section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
     1. Include basic Ad-Aware settings in logfile
     2. Include additional Ad-Aware settings in logfile
  2. Then click on the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
     1. Unload recognized processes & modules during scan
     2. Scan registry for all users instead of current user only
  3. Then click on the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
     1. Always try to unload modules before deletion
     2. During removal, unload Explorer and IE if necessary
     3. Let Windows remove files in use at next reboot
Once these settings have been completed, you should click on the Proceed button
Make sure you change the scan mode to Perform full system scan. Then uncheck the Search for negligible risk entries.
Step 5: Start the Actual Scan--you should close out all browser windows before you start scanning
Now click on the Next button to have Ad-Aware SE start scanning your system. Ad-Aware SE will start scanning your system for Spyware and Hijackers
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox, then click on the "Next" button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. If you would like to do so, press the "OK" button
RESTART your computer to finish the cleaning process
Back in Windows:
Open Spybot
Ensure you search for updates and download them all
Click on the SEARCH AND DESTROY button on the left
Click the "Check for Problems"
Let it complete the scanning
All entries in RED should be checked by default after the scan
If not, Check all RED entries, Green are optional
Choose "Fix selected entries"
Restart your computer one more time to finish the cleaning
Back in windows:
The latest version of HijackThis is HijackThis 1.98.2
Open HijackThis >> Config >> Misc Tools >> Check for updates online
If for some reason it won't update
Download the latest version from HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to a permanent folder on your hard disk
Post back with a fresh HijackThis log from the latest version, and we'll try and get rid of the leftovers when you have completed the above.