Author Topic: pop up's  (Read 979 times)

Animesh

  • Guest
pop up's
« on: November 30, 2004, 10:59:21 PM »
Hi,

A few days back I found bargain.exe installed on my system. I don't know how, but it happened. After that I kept on trying to remove bargain, but it was not working. Later I found some help on the net and was somehow able to get rid of it. But pop-ups are still appearing. Not sure why.

I am pasting the HijackThis log below. Please help.

Logfile of HijackThis v1.97.7
Scan saved at 11:05:49 AM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Remote Access\Cisco VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Animesh\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=107312
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Portal Software VPN Client.lnk = C:\Program Files\Remote Access\Cisco VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...bdb35b5342e9fc3
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096386280492
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN..._1/axofupld.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{466555B1-3C2C-4F24-A80C-CA9CBBC06AEF}: NameServer = 203.195.198.66,203.195.188.66

Rgds,
Animesh
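As an added example (not part of the original post or of HijackThis itself), a small Python parser for the log format above: it splits the R1/O2/O4/O16 lines into fields and applies a few review heuristics of my own (IE search settings overridden, BHOs with no name, Run entries launched straight from the Windows root, DPF downloads with no class description). The sample input is constructed from lines of the log above; the heuristics are assumptions for triage, not HijackThis's own rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few entry lines taken from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=107312
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...bdb35b5342e9fc3
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-F-]{36}\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
R1_RE = re.compile(r"^(?P<key>.+?) = (?P<url>\S+)$")

def parse(text):
    """Split a HijackThis log into (section, body) tuples, skipping non-entry lines."""
    return [(m["sec"], m["body"]) for m in map(ENTRY_RE.match, text.splitlines()) if m]

def exe_of(cmd):
    """Executable part of an O4 command line, honouring a quoted path."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage(entries):
    """Return (section, reason, detail) hints for entries worth a second look.
    The heuristics are this example's own assumptions, not HijackThis rules."""
    hints = []
    for sec, body in entries:
        if sec == "R1" and (m := R1_RE.match(body)):
            hints.append((sec, "IE search setting overridden", urlparse(m["url"]).hostname))
        elif sec == "O2" and (m := BHO_RE.match(body)) and m["name"] == "(no name)":
            hints.append((sec, "unnamed BHO", m["path"]))  # no vendor claims this DLL
        elif sec == "O4" and (m := RUN_RE.match(body)):
            exe = exe_of(m["cmd"])
            # Autostart launched straight from the Windows directory root, not a subfolder
            if exe.upper().startswith("C:\\WINDOWS\\") and "\\" not in exe[11:]:
                hints.append((sec, "Run entry from Windows root", exe))
        elif sec == "O16" and (m := DPF_RE.match(body)) and not m["desc"]:
            hints.append((sec, "undescribed DPF", urlparse(m["url"]).hostname))
    return hints
```

Run `triage(parse(SAMPLE_LOG))` to get the four hinted entries; the Norton and QuickTime lines pass through unflagged.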

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
pop up's
« Reply #1 on: November 30, 2004, 11:55:17 PM »
Hi Animesh, I see you have Ad-watch running on your computer. It's a great defense, but unfortunately it can deter us from doing any fixes, as it protects homepage settings and certain areas of the registry.
Can you please disable Ad-Watch and RESTART your computer?
Keep Ad-watch disabled until we have you totally clean.
This link will explain how to disable it:
http://www.lavasofthelp.com/faq/adwatchauto.shtml

Before restarting your computer, can you access your Add/Remove Programs and remove the following, if found:
Twain-tech
Wind updates

Then restart your computer

Back in Windows:
Speaking of Ad-watch, having this running tells me you have the paid version of Ad-Aware 6.
Unfortunately, as of the beginning of November Ad-Aware 6 is no longer supported, and
paid members and free-version users are being recommended to update.
This link will explain how to update:
http://www.lavasoftusa.com/
Click on "Important notice for users of Ad-Aware 6 all versions!"


Again, don't enable Ad-watch after upgrading.
If for some reason you can't update, you should install the latest free version.
I can supply a link later.

After you have upgraded and checked for updates,
don't run a scan yet.

Instead, can you download and install Spybot S&D 1.3?
This is free and complements Ad-Aware very well.
I use both, and they are both recommended.
Spybot 1.3 is the latest version; if you're using a later version, please uninstall it and install this one.
During installation, please don't enable TEA TIMER.
This works much like Ad-Aware's Ad-watch and will or may prevent any fixes.
After installation, SEARCH FOR UPDATES.
Check and download all updates.
Again, don't run this yet.

Download and save to desktop the standalone version of CWShredder.
Close out all browsers, including this window.
Double click to run CWInstall.
In CWShredder click the FIX button.
Let it FIX all problems.
RESTART your computer.

Back in Windows:
Open Ad-Aware SE Personal 1.05 if you updated.
Be sure to check for updates.
Set these additional options if not checked already.
Open Ad-aware and click the GEAR at the top.

Click on the General button on the left hand side.
   Make sure the following items under the Safety category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
      1. Automatically save logfile
      2. Automatically quarantine objects prior to removal
      3. Safe Mode (always request confirmation)

Next click on the Advanced button on the left hand side.
   Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
      1. Include additional object information
      2. Include negligible objects information
      3. Include environment information
      4. Include Alternate data stream details in log file

Next click on the Tweak button on the left hand side.
   1. Then click on the + (plus) sign next to the Log Files section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
      1. Include basic Ad-Aware settings in logfile
      2. Include additional Ad-Aware settings in logfile
   2. Then click on the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
      1. Unload recognized processes & modules during scan
      2. Scan registry for all users instead of current user only
   3. Then click on the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
      1. Always try to unload modules before deletion
      2. During removal, unload Explorer and IE if necessary
      3. Let Windows remove files in use at next reboot

Once these settings have been completed, you should click on the Proceed button.

Make sure you change the scan mode to Perform full system scan. Then uncheck the Search for negligible risk entries.

Step 5: Start the actual scan. You should close out all browser windows before you start scanning.

Now click on the Next button to have Ad-Aware SE start scanning your system. Ad-Aware SE will start scanning your system for spyware and hijackers.

When it's finished scanning:
At this point you should either right click on the screen and choose the "Select All Objects" option, or individually put a checkmark in each object's checkbox.
Click on the "Next" button. Ad-Aware SE will now present you with a confirmation box asking whether or not you would like to remove the objects you have just selected. If you would like to do so, press the "OK" button.
RESTART your computer to finish the cleaning process.

Back in Windows:
Open Spybot.
Ensure you search for updates and download them all.
Click on the SEARCH AND DESTROY button on the left.
Click "Check for Problems".
Let it complete the scanning.
All entries in RED should be checked by default after the scan.
If not, check all RED entries; green are optional.
Choose "Fix selected entries".

Restart your computer one more time to finish the cleaning.

Back in Windows:
The latest version of HijackThis is HijackThis 1.98.2.
Open HijackThis >> Config >> Misc Tools >> Check for updates online.
If for some reason it won't update,
download the latest version from HERE or HERE.
Save it to a permanent folder on your hard disk.

Post back with a fresh HijackThis log from the latest version when you have completed the above, and we'll try to get rid of the leftovers.
« Last Edit: December 01, 2004, 01:37:49 AM by guestolo »
