I got recommended this product from Kazaa (which is spyware, plain and simple), I DIDN'T WANT IT AT ALL. It drives me nuts. I HAVEN'T installed it yet so while browsing it pops up constantly to begin download. How do I get rid of this? How do I remove it?
Even turning the computer off became a complete & total impossibility. I can rarely exit Windows properly, but have to cut power & go through Scandisk again & again. More and more programs are constantly committing "illegal operations".
It severely lagged my internet connection, which means it's a no-go. It's like "goodbye speed, hello lag". And all the 'good' comments I've read are done by makers to sell this product. Terrible program. It's pathetic to think they have to use this method to sell this piece of junk.
I can't stand it. I don't think it's legal to impose a software onto somebody!
Some advice would be great. Thanks.

Let's see where it is loading from. Download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.

Here it is:
Logfile of HijackThis v1.95.0
Scan saved at 12:47:13, on 13.07.2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.exe
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.exe
C:\PROGRAM FILES\HYPERTECHNOLOGIES\DEEP FREEZE\FRZSTATE.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\ANTI-TROJAN-55\ATWATCH.exe
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER STANDARD EDITION\BDMCON.exe
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER STANDARD EDITION\VSSERV.exe
C:\WINDOWS\TEMP\BULLGUARD\BULLDOWNLOAD.exe
C:\WINDOWS\DESKTOP\EXTREME\MIRC.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\DESKTOP\EXTREME\MIRC.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\NOTEPAD.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchgateway.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchgateway.net/search/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=ftp=80.97.67.22:8080;http=80.97.67.22:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadFonts] C:\WINDOWS\FONTS\Tahoma.vbs
O4 - HKLM\..\Run: [AT-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\PROGRAM FILES\ANTI-TROJAN-55\ATWatch.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Standard Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BitDefender Virus Shield] C:\Program Files\Softwin\BitDefender Standard Edition\\vsserv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [BitDefender Live! Init] C:\Program Files\Softwin\BitDefender Standard Edition\\bdinit.exe
O4 - HKLM\..\RunServices: [BitDefender Communicator] C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe
O4 - HKLM\..\RunServices: [BitDefender Scan Server] C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe
O4 - HKLM\..\RunServices: [DepFrz] C:\Program Files\HyperTechnologies\Deep Freeze\FrzState.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = milenium.cristalsoft.ro

It's listed as a running process but I don't see any registry 'run' entry for it.
C:\WINDOWS\TEMP\BULLGUARD\BULLDOWNLOAD.exe
See if it is listed at the following location:
Click Start > Run > type regedit and click OK
Click the + next to the following keys
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
Current Version
Scroll down and click on the RunOnce folder. Look in the right hand window and see if it is listed there, if so right click on it and click delete. Close regedit.
Restart in MS-DOS and type the following commands at the C:\Windows> prompt.
smartdrv
deltree /y temp
exit
It also appears that you may have a trojan:
O4 - HKLM\..\Run: [LoadFonts] C:\WINDOWS\FONTS\Tahoma.vbs
Have HijackThis fix the above entry and reboot. Delete the Tahoma.vbs file.

Update: Tahoma.vbs is a homepage hijacker.
Run HijackThis again and have it fix the following as well:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchgateway.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchgateway.net/search/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=ftp=80.97.67.22:8080;http=80.97.67.22:8080
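
The checks applied to the log in the replies above (a startup entry that launches a script, a process running from a TEMP folder with no autorun entry naming it, and an Internet Explorer proxy setting) can be written as a small triage script. This is an added example, not part of the original thread; the rule names and the TEMP heuristic are assumptions, and the sample log is abridged from the one posted above.

```python
import ntpath
import re

# Abridged from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\ANTI-TROJAN-55\ATWATCH.exe
C:\WINDOWS\TEMP\BULLGUARD\BULLDOWNLOAD.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=ftp=80.97.67.22:8080;http=80.97.67.22:8080
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadFonts] C:\WINDOWS\FONTS\Tahoma.vbs
O4 - HKLM\..\Run: [AT-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
"""

O4_RE = re.compile(r"^O4 - \S+: \[(.+?)\] (.+)$")
SCRIPT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat)\b", re.I)

def triage(log, scanner="hijackthis.exe"):
    """Return a list of (rule, detail) findings for one HijackThis log."""
    procs, autoruns, findings = [], [], []
    for line in map(str.strip, log.splitlines()):
        m = O4_RE.match(line)
        if m:
            autoruns.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            procs.append(line)  # running-process lines are bare paths
        elif line.startswith("R") and ",ProxyServer=" in line:
            # IE traffic goes through a proxy; confirm the user set it.
            findings.append(("proxy-set", line.split(",ProxyServer=", 1)[1]))
    for name, cmd in autoruns:
        # A startup entry that launches a script instead of a program.
        if SCRIPT_RE.search(cmd):
            findings.append(("script-autorun", f"{name} -> {cmd}"))
    commands = " ".join(cmd.lower() for _, cmd in autoruns)
    for path in procs:
        base = ntpath.basename(path).lower()
        # Assumed heuristic: running from a TEMP folder with no autorun
        # entry naming it, so something else must be starting it.
        if "\\temp\\" in path.lower() and base != scanner and base not in commands:
            findings.append(("temp-process-no-autorun", path))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:25} {detail}")
```

A finding is a prompt to look closer, not a verdict: the scanner itself runs from TEMP here and is skipped by name.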

I checked the RunOnce folder and nothing seems to be listed in the right hand window, but "(Default) (value not set)".
What am I supposed to do now?

Open HijackThis and click 'Config' and 'Misc Tools'. Then click 'Generate Startuplist log'. Copy and paste that log in a reply.

StartupList report, 13.07.2003, 14:44:13
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\HIJACKTHIS.exe
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.exe
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.exe
C:\PROGRAM FILES\HYPERTECHNOLOGIES\DEEP FREEZE\FRZSTATE.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\ANTI-TROJAN-55\ATWATCH.exe
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER STANDARD EDITION\BDMCON.exe
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER STANDARD EDITION\VSSERV.exe
C:\WINDOWS\TEMP\BULLGUARD\BULLDOWNLOAD.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\DESKTOP\EXTREME\MIRC.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\NOTEPAD.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\WINHLP32.exe
C:\WINDOWS\REGEDIT.exe
C:\WINDOWS\NOTEPAD.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LoadQM = loadqm.exe
LoadFonts = C:\WINDOWS\FONTS\Tahoma.vbs
AT-Watch = C:\Program Files\Anti-Trojan-55\ATWatch.exe
Anti-Trojan-Watch = C:\PROGRAM FILES\ANTI-TROJAN-55\ATWatch.exe
BDMCon = C:\Program Files\Softwin\BitDefender Standard Edition\\bdmcon.exe
BitDefender Virus Shield = C:\Program Files\Softwin\BitDefender Standard Edition\\vsserv.exe
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
BitDefender Live! Init = C:\Program Files\Softwin\BitDefender Standard Edition\\bdinit.exe
BitDefender Communicator = C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe
BitDefender Scan Server = C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe
DepFrz = C:\Program Files\HyperTechnologies\Deep Freeze\FrzState.exe
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe" /background
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
---------------------
C:\AUTOEXEC.BAT listing:
SET BLASTER=A220 I5 D1 T4
C:\CFG801
C:\DOS801
mode con codepage prepare=((852) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=852
---------------------
Enumerating Download Program Files:
[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
---------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
---------------------
End of report, 4.381 bytes
Report generated in 0,453 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Hmmm, try doing this: run HijackThis and place a check in the box next to the following and click 'Fix checked'.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchgateway.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchgateway.net/search/%s
O4 - HKLM\..\Run: [LoadFonts] C:\WINDOWS\FONTS\Tahoma.vbs
and this one unless you are using proxies out of Romania
R1-HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=ftp=80.97.67.22:8080;http=80.97.67.22:8080
Reboot to safe mode and delete Tahoma.vbs and empty the recycle bin. Then delete BULLDOWNLOAD.exe. Leave it in the recycle bin and reboot to Windows. Did you get any error messages?
Did you have a DOS prompt open when you ran HT and Startuplist?

Try KazaaBeGone from http://www.spywareinfo.com/~merijn/index.html. It removes Kazaa and all the crap associated with it like BULL GUARD!

I can't reboot it in safe mode. I've tried everything I know, CTRL, F5, F8, even typing "win /d:m" from MS-DOS.
I'm going nuts.
Could I have some more help on it?
Meanwhile I ran HijackThis and fixed those files.

Click Start > Run > type msconfig and click OK. Click the 'Advanced' button and check 'Enable Startup Menu'. Click OK/OK and reboot. The menu should appear on the restart, choose safe mode.

I've tried that too, nothing seems to happen, it continues starting in normal mode.
I can't get to the menu from which to select Safe Mode.
Couldn't I just delete Bulldownload.exe from C:\WINDOWS\TEMP\BULLGUARD\BULLDOWNLOAD.exe
without rebooting it in safe mode? (I mean deleting it in normal mode)

I doubt it, not with it running as a process. You will probably get a 'file is in use error'.
You can try to end task on it and delete it but you may get the same error.
If you can, boot into DOS and delete it.

Thanks for all the advice given, I could delete it without getting the 'file is in use error', the BullGuard menu isn't on my desktop any more, so I guess it's finally removed.
I would appreciate more info on booting into DOS to delete it.
Thanks again for your time.
