Hi all, hope you can help me out :)
When I open IE6 to surf the good ol' WWW I get shortcuts for URLs saved to my desktop. I check the properties of the shortcuts to see what website they take you to (I never follow them btw), and they seem to lead to the netpalnow website in the main.
They are basically spam links to things like 'Win $6million' or 'Boost your PC'.
I've run Adaware and swat it and both say the PC is clean. I have searched the registry for known keys (things like the Transponder bug and IgetNet). Found some but they are now deleted. The shortcuts still appear on the desktop though. I only seem to get them when on certain sites (not porn or dodgy ones I hasten to add) like Orange and Sony's sites. It's driving me nuts so any help would be really appreciated. Thanks in advance.

Let's have a look,
Download and run a scan with Hijack This. Don't make any changes, just click on Save Log, copy it and post it back in this thread.

Thanks for looking into this for me Tom41, here is the hijackthis log: (do you think the 02 BHO's could be at fault?)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\lwz.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINNT\System32\veg32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.exe -b
O4 - HKCU\..\Run: [internat.exe] internat.exe
O8 - Extra context menu item: &Copy Location - C:\WINNT\WEB\graburl.htm
O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Offline (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I am having the exact same problem and it's driving me insane!!!!!!!!! I can't count the number of these doohickeys in my recycle bin! I want to PERMANENTLY delete these!!!!! Any help would be GREATLY APPRECIATED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Also, I'm wondering if these shortcuts are making my puter want to dial up when I'm offline.....

I'm having the same problem as well! Any tips on what to do to STOP IT!! So annoying!
Along with the desktop shortcuts, I also noticed that whatever this is, it is also adding "Favorites" to my internet explorer list. Has anyone else noticed this happening?

Yes, the same thing is happening to me! A folder called "Software & Internet" with lots of links.
BAD spy people!
I was able to download a free program called SPYBOT S&D and it found all kinds of nastys on my puter. I had it fix the problems, but don't know if it worked yet. I only did that last evening.... Will keep you posted.
I see that folder is still in my favorites, so it must not have deleted those..... :o(

Same thing happening to me. It started when I downloaded imesh. I found something in the registry that's named cydoor. If you go to the cydoor website they produce pop-up killers, icon drops, banners etc.... When you install imesh, kaza etc... you get cydoor products (lucky us). I emailed them to find out how to make it stop. I'll post when I find an answer....

Try this:
Removal Procedure:
(Also courtesy of Privacy Power)
1. Delete the following files (usually found in C:\WINDOWS\SYSTEM\):
CD_CLINT.DLL
CD_GIF.DLL
CD_HTM.DLL
CD_SWF.DLL
CD_LOAD.EXE
2. Delete the ADCACHE folder and its contents (usually found under C:\WINDOWS\SYSTEM\).
3. Remove Cydoor and Cydoor Services from the Windows Registry. The following Cydoor keys were added in my Windows 98 Registry and are shown for reference only:
HKEY_CURRENT_USER\Software\Cydoor\
HKEY_CURRENT_USER\Software\Cydoor Services\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ Cydoor=CD_Load.exe

Download and install Spybot S&D http://security.kolla.de/ then fix all items found by Spybot. Then run a virus scan (I don’t see you have one installed in startup).
After doing the above using HijackThis fix the following:
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
The following items are for FavoriteMan, which is an IE Browser Helper Object. Every so often it connects to its controlling servers, which may direct it to download and install other programs and add entries to the IE Favorites menu or background Desktop.
NetPal is an IE Browser Helper Object from Mindset Interactive. Netpal (netpalnow) was installed by the FavoriteMan trojan, possibly also bundled with other software. It is downloadable through ActiveX at the site www.netpalnow.com; however, that site also used to distribute the original Transponder parasite under the same 'NetPal' name.
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
FavoriteMan/FOne is a replacement for the Lwz variant. Filename is FOne.dll, data file is SysLdr.dll. Controlling server is www.f1organizer.com.
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\lwz.dll
FavoriteMan/Lwz installs lwz.dll. Data file is SysLdr.dll. Controlling server is www.f1organizer.com.
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINNT\System32\veg32.dll
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
This is the pop-up reminder to register your Creative Labs SoundBlaster Live card. It could be removed.
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.exe –b
winstart001.exe: IGetNet is a plug-in search addition to your IE Browser that will redirect your searching to customers of IGetNet. May disable other browser plug-ins. Suggest to uninstall this software.

PaulG. I thought I would mention Spybot S&D should detect and remove Netpal. After running Spybot, what is left (on the above list) fix using HijackThis.

Ellenr, CathleenAH Install and Run Spybot S&D http://security.kolla.de/
And as Tom41 said download and run a scan with HijackThis http://www.spywareinfo.com/files/hijackthis.zip. Don't make any changes, just click on Save Log, copy it and post it back in this thread. Note: If I may, I also recommend the guys at http://www.spywareinfo.com/forums/index.php?s=f90fed280400c9e9567f1ae67b0d7938 for personal help.
"matthewbrewer22" Spybot S&D will get rid of the spyware you talk about if you choose to.

PaulG, Looking over everything again, fix the following using HijackThis also if Spybot did not get rid of it..
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
IGetNet is a keyword-search service implemented as an IE Browser Helper Object and a process run at Windows start-up (WinStart.exe) which writes to the Hosts file, so that every time you try to contact MSN or Netscape's search sites you are re-routed through IGetNet's servers (ignkeywords.com, rspsearch.com). Bundled with P2P apps and software downloaded from 'Blue Haven Media', also installed by the FavoriteMan parasite.

PaulG, LOL I keep looking at this and find I need to make more comments. If you fixed this item O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.exe –b then after rebooting go and delete WinStart001.exe from Windows.

Logfile of HijackThis v1.94.0
Scan saved at 5:06:58 PM, on 5/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\GoogleToolbar_en_1.1.57-deleon.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.57-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.57-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.57-deleon.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.57-deleon.dll/cmsimilar.html
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?rand=20035214
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/27d905cc61fa52215321/netzip/RdxIE.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauthwb/internetwasherpro.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37604.7606481481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

Ellenr, these are the only things to fix using HijackThis. Spybot S&D made this Logfile pretty boring LOL.
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
This is a Hijacker that redirects to www.Featured-Results.com (the site is at present unavailable)
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
This was part of Netpal (netpal.dll)
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
(9=DailyWinner)

Ellenr, here is an additional BHO to fix
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
Read this article about nzdd.dll
http://editor.actrix.co.nz/byarticle/spyw.htm

Thanks, Setter! I appreciate all your work here. (sorry I was so boooorrrrring! *ha*) I'm sure others appreciate you, too! :o) Have a great day!
PS: I'll check out that article now....

Ellenr, you're welcome.
Here is one more that needs to be fixed using HijackThis that is related to the nzdd.dll BHO file you removed above. Sorry I did not catch it previously.
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/27d905cc61fa52215321/netzip/RdxIE.cab
If you still have POP-UPS at least they are not Spyware related. I highly recommend the program Proxomitron for stopping html page pop-ups and much more, and it's free.

Hi, I have the same problem as Ellenr. I have used Spybot first. It fixed most of the problems but few are still left(IMsearch, as the system replies that may be in use :( Now I am posting the log of Hijackthis. Can some one help me.
Logfile of HijackThis v1.94.0
Scan saved at 2:18:41 PM, on 5/18/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchandclick.com/left.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [gnetmous] C:\Program Files\KYE\Genius Wireless Keyboard+Mouse\gnetmous.exe
O4 - HKLM\..\Run: [Wireless Keyboard] C:\Program Files\KYE\Genius Wireless Keyboard+Mouse\mHotkey.exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [mHotKey] C:\PROGRA~1\GENIUS~1\mHotkey.exe
O4 - HKLM\..\Run: [mouseElf] C:\Program Files\Genius NetScroll Wireless\mouseElf.exe
O4 - HKLM\..\Run: [piiserviceOE] "e:\Program Files\Spam Inspector Outlook Express\Spam Inspector Outlook Express Edition\piiserviceOE.exe"
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.exe -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmtrans.html
O9 - Extra button: Browser Pal Toolbar (HKLM)
O9 - Extra button: iFinger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://comp.mediaring.com/partner/pcphone/wbaxuiph311.cab
O16 - DPF: {486A6DF7-2C1A-4B76-A245-0B6BB73D49D4} (HTMessenger.VoiceRecord) - http://www.hottelelink.com/Includes/HTMessenger.CAB
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/MCP/tools/MCPTranscriptPrint.CAB
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {72B09CA7-1B59-454E-95D9-461A9227B785} (UIWrapper Class) - http://comp.mediaring.com/consumer/pcphone/ver1.2.5.0/wbsc125.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8A432E6A-1DFC-41CE-B964-2C154F43BA1C} - http://66.35.195.125/nettelephone/client/upgrade/NetTelephoneCom-v357.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.com/download/PDMSInstaller.cab
O16 - DPF: {9F1B3C56-3A72-11D1-A98B-0060970D6758} (SuperMenu Control) - file://H:\SETUP\MCMenu.CAB
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://J:\system\intralaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://193.159.183.138/install/StarInstall.ocx

Also I have set my IE 6 web page start up to be blank, but when I open IE, it's written in the address bar "Enter key word to search". I know that is some pop up freaky thing and I want to get rid of that as well.

fmufti, I recommend going to the people at http://www.spywareinfo.com/forums/index.php?s=f90fed280400c9e9567f1ae67b0d7938. Please post your problem and HijackThis logfile at the site in the "Browser Hijacking Forum" They will inform you of the next step or what to do.
You have components of:
"GoHip" (which is an adware program)
"BrowserAid" (Adware Program which opens untargeted pop-up's)
and possibly the "FavoriteMan" parasite
Your post will get the utmost attention and care from everyone, along with many different sets of eyes (not just me), and a ton of spyware/adware experience.
----------
To everyone that runs into this thread I highly recommend the same course of action.
http://www.spywareinfo.com/forums/index.php?s=f90fed280400c9e9567f1ae67b0d7938
The creator of HijackThis and StartupList and many other Spybot Team Members use this site as homebase.
Besides, I am glad I remembered this thread number or I probably would not have seen this again. Remember usually in this type of forum once an answer has been given the thread is forgotten.
Thanks

fmufti, Oh my gosh you also have a "dialer"
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://193.159.183.138/install/StarInstall.ocx
http://www.spywareinfo.com/forums/index.php?s=f90fed280400c9e9567f1ae67b0d7938
SEE THE PEOPLE AT SPYWAREINFO IMMEDIATELY or this could cost you a lot of money in phone charges.

Thanks I have posted the log on the forum, but as you have replied to this post, if you could solve my problem that would be great.

fmufti, Good show you did post there!
I mentioned that you have components of: "GoHip" (which is an adware program) and "BrowserAid" (Adware Program which opens untargeted pop-up's) and possibly the "FavoriteMan" parasite. I believe the FavoriteMan parasite installs BrowserAid but I don’t know about GoHip. Also did see you have a dialer. I did not mean to imply that they were all still full programs ready to do their thing anymore. Just components of...
More than likely since you have run Spybot S&D (with all the latest updates I assume) that the people over there will just have you fix the following using HijackThis:
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.exe –b
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
http://193.159.183.138/install/StarInstall.ocx (Dialer)
Rather than just have you fix the above and miss anything I think it is better to have many eyes looking at it. The people at http://www.spywareinfo.com keep up with the latest therefore may suggest other items as well.
Besides if there is anything new, they will notify the developers of the anti-spyware programs so the items can be targeted for future releases.

fmufti, Well there you go follow the advice given at http://www.spywareinfo.com and DON'T fix the following item for the reasons given:
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
-----------------------
Whoops I did not give the full name above for the dialer it should have been:
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://193.159.183.138/install/StarInstall.ocx
Well it does not matter, notice that they also suggested additional items for fixing.

Don't use spyware programs and such to solve your problems. You need to investigate a little bit on the internet, at the corporate websites. I went to some of the websites and they had me download an uninstaller. Of course, it did nothing. But it gave me a name, NLN. I searched for NLN in my computer, and found an application and a .dll in my windows system folder, of the same names. Turns out NLN stood for natural language navigation, a spyware program that was hiding from me. I did a hexview on it, and lo and behold, it was owned by igetnet. I deleted it, and that spyware specifically was gone. What's going on now is that the spyware is going straight into the system folder, and giving itself a weird name to avoid the search. Spyware removal programs simply search for names in an index it carries, which goes out of date in a month or so. And who's to say those programs aren't spyware themselves? The best way is to go it alone and play detective to find the specific file and manually delete it.
By the way, all this spyware on my computer came from imesh. imesh is probably the worst when it comes to third party software.
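
Added example (not part of any post in this thread, and not HijackThis's own logic): a small Python triage pass over a HijackThis log that flags the entry patterns the replies above kept singling out, namely O1 Hosts lines that point a hostname at a non-loopback address, O2 BHOs that are orphaned or unnamed and sitting directly in the Windows system directory, and O16 downloads whose codebase URL uses a bare IP address. The rule names and the system-directory heuristic are assumptions of this example; a flag means "look this entry up before fixing it", not a verdict.

```python
import ipaddress
import re
from urllib.parse import urlsplit

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
HOSTS = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<name>\S+)$")
BHO = re.compile(rf"^BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.+)$")
DPF = re.compile(rf"^DPF: (?P<clsid>{CLSID})(?: \((?P<name>.*)\))? - (?P<url>\S+)$")
# A file placed directly in System or System32 (heuristic chosen for this example).
SYSTEM_DIR = re.compile(r"^C:\\(WINNT|WINDOWS)\\System(32)?\\[^\\]+$", re.I)

# Sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://193.159.183.138/install/StarInstall.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


def is_ip_literal(host):
    """True if host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (section, rule, detail) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines, blank lines, forum prose
        sec, body = m["sec"], m["body"]
        if sec == "O1" and (h := HOSTS.match(body)):
            # Loopback entries are commonly used for blocking; anything else
            # overrides DNS and sends that hostname to the listed address.
            if is_ip_literal(h["ip"]) and not ipaddress.ip_address(h["ip"]).is_loopback:
                findings.append((sec, "hosts-redirect", f'{h["name"]} -> {h["ip"]}'))
        elif sec == "O2" and (b := BHO.match(body)):
            if b["path"] == "(no file)":
                # Registry entry left behind after its DLL was removed.
                findings.append((sec, "bho-orphaned", b["clsid"]))
            elif b["name"] == "(no name)" and SYSTEM_DIR.match(b["path"]):
                findings.append((sec, "bho-unnamed-in-system-dir", b["path"]))
        elif sec == "O16" and (d := DPF.match(body)):
            host = urlsplit(d["url"]).hostname or ""
            if is_ip_literal(host):
                findings.append((sec, "dpf-from-ip-literal", d["url"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Entries it leaves unflagged are not thereby cleared: the named BHO in C:\WINNT\System\BHO001.DLL discussed above, for instance, passes these three rules.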
