
Bonzi Buddy and Hi wire

Discussion in 'Virus & Other Malware Removal' started by thyatt169, Sep 4, 2004.

  1. thyatt169

    thyatt169 Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    9
    Hi, I'm new here and having a lot of problems. I have an HP Pavilion 7855 running ME. Strange things started happening with my computer. Ran Norton's virus check and it showed nothing; ran adware and it showed 2 different things: Hi-wire and Bonzi Buddy. Have no idea how these got on my computer but there they are. What do I do to get rid of them? Ran spyware and it shows that I have adware on my registry. How do I get rid of this and the other problems that I'm having? Also, is there something better than Norton's for viruses, trojans, worms or anything else? What items should I be running to prevent things like this from happening again? Any help would be greatly appreciated. Thanks in advance, Tom :( :confused:
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi Tom. You have the basic right idea: you generally use SpyBot Search and Destroy and AdAware to get rid of ad-based junk that has either been installed by clicking on ads or bundled with some other free gift programs...like Bonzi Buddy. Bonzi Buddy has a small trick: you must click on the tray icon and say "goodbye" to that purple ape before running the uninstall or it stays, partly, in the computer. HiWire networks may still show in Add/Remove Programs, but I am not sure it will work, since you have used spyware removers already...there is help for that, though. If you have not let SpyBot or AdAware actually remove anything, try to uninstall Bonzi and Hiwire networks from Add/Remove...remember to say goodbye to Bonzi by right click (I am fairly sure it was that) on his tray icon lower right...before you uninstall Bonzi Buddy and the other related items to it.
    There are some other uninstallers you should look for in Add/Remove----NewdotNet, WebHancer--- do those if they appear.

    NEXT:

    First> get Hijackthis.exe below

    You MUST make a new folder to hold it, I usually just make one like this: C:\HJT. The desktop will be OK only IF you right click an empty spot and create a New Folder>name this folder HJT and have the download saved there.

    http://tools.radiosplace.com/HijackThis.exe---> use this version, it is a direct download, the file download box will pop up so be ready with that HJT folder....

    I would like to see an HJT log before you do anything else!
    Stop here and post that.

    Directions for posting the log can be found here:

    http://mjc1.com/mirror/hjt/

    Please do NOT use Hijackthis yourself to fix anything...someone here will advise what should be removed...

    _________________________

    AdAware or SpyBot may completely remove it I am not sure, but we can try.
    Do you have the latest version of AAW (SE Personal edition) and SpyBot (v.1.3) >>> and, have you updated each program?
    AdAware> if you do have the older v.6.0 you can just download the newer one here:

    http://www.lavasoftusa.com/

    [You must run the web updates before you scan the system...check this below for some settings also: the AdAware info is for the NEWER edition> advise you get that, since the older 6.0 will be retired and no longer updated soon.]

    Then please post a new Hijackthis log.
     
  3. thyatt169

    thyatt169 Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    9
    Hi Byteman,
    Sorry it took so long to get back to you. I did the HJT thing and this is what it said:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:13:24 PM, on 9/4/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sprint.earthlink.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
    O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
    O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Tour] C:\WINDOWS\wincool.exe /30m
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab



    So now what do I do? Sorry, but I'm a newbie at this and completely lost at this time. Thanks for your help, Thyatt169 :eek:
     
  4. bosshogg151

    bosshogg151

    Joined:
    Jan 17, 2004
    Messages:
    553
    Did Spybot dig it up and kill it for you?
     
  5. thyatt169

    thyatt169 Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    9
    Never heard of spybot. Is it freeware?
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi Tom

    Apparently the Bonzi Buddy and Hiwire have already been removed!

    You have some things to fix:

    Uninstall SpywareBegone--- it is not your friend.
    Rather, it is listed as a knock-off or rogue spyware removal tool; it does aggressive advertising and has false positives as incentive for purchasing. Sorry if you spent money on it. Normally, all the ad-spy-malware related problems can be fixed for free using a few free programs. SpyBot and AdAware are only two of those. However, you have to know the difference between good and bad free programs, as there are a great number of not so good ones being pushed on the Internet. It's hard to tell the difference, so don't hurt yourself banging your head on the keyboard...
    Here is one place to look up what you may see advertised:


    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Next: You do not want this as your start or home page:

    search.hpwis.com= Lycos sidesearch.

    Run Hijackthis.exe again. You must have ALL browser windows closed, not just minimized, with nothing open but HJT. Now put checks next to the items, then click "Fix checked".
    You probably will not see all the items if you uninstall SpywareBegone, no problem.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.hpwis.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/

    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    ________________________

    If you see a video each time the computer starts up...
    this is a feature of ME that you can turn off, usually, after you watch it once...there may be a very small checkbox on your lower left of screen to uncheck this, unless you would like to watch it some more. If this Tour is not running, fix the item with HJThis.

    O4 - HKLM\..\Run: [Tour] C:\WINDOWS\wincool.exe /30m

    Reboot your computer.

    I would like you to use AdAware and Spybot Search and Destroy. Both are free and two of the best friends you will ever have. I gave you the directions for using them, here are the download sites:

    AdAware SE personal edition> if you have this, fine, but you have to use the update feature "Search for Updates" while you are connected to the Internet, follow the directions I posted.
    SpyBot is the same> even though you are just now installing it, there will be some updates and you must get them, same "Search for Updates" feature is built into SS&D, just do them before you run the program to remove anything.
    When you run either: it is safe to let them remove what they find, as the directions tell you.
    Hope this helps- just take your time with it, ask any questions you need to.

    You do not show any trojan worms or other serious malware running> so you should relax. The bits and pieces of ad-related junk will be removed by AAW or SpyBot and manual removal with HJThis.
    If you have the older 6.0 version of AdAware> better to download the newer SE personal edition, as the 6.0 one will be retired soon.

    Here for AdAware SE:
    http://www.majorgeeks.com/download506.html
    SpyBot:

    http://www.majorgeeks.com/download2471.html
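
Added example, not part of the original posts: a small Python triage helper that parses HijackThis result lines (the R and O4 formats seen in the log above) and flags the entries that match a review list, here the search host and autorun name picked out in the reply above. The function names and the review-list parameters are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Excerpt of result lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sprint.earthlink.net/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")  # "<code> - <body>"
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")  # O4 body

def parse_entry(line):
    """Return a dict for one result line, or None for headers/process paths."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "raw": line.strip()}
    if code.startswith("R") and " = " in body:
        # "<registry key>,<value name> = <data>"
        left, _, data = body.partition(" = ")
        key, _, value = left.rpartition(",")
        entry.update(key=key, value=value, data=data)
    elif code == "O4":
        a = AUTORUN.match(body)
        if a:
            entry.update(zip(("hive", "key", "name", "command"), a.groups()))
    return entry

def flag_for_review(log_text, hosts, autorun_names):
    """Entries whose URL host or autorun name is on the caller's review list."""
    hosts = {h.lower() for h in hosts}
    names = {n.lower() for n in autorun_names}
    flagged = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        host = urlsplit(e.get("data", "")).hostname or ""
        if host in hosts or e.get("name", "").lower() in names:
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    for e in flag_for_review(SAMPLE_LOG, {"search.hpwis.com"}, {"Spyware Begone"}):
        print(e["code"], "->", e["raw"])
```
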
     
  7. thyatt169

    thyatt169 Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    9
    How do I close all browser windows????
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    When you start the computer and are just at the desktop, offline> no browser pages open means you do not connect to your ISP, or have any email pages open, no Internet Explorer going, no dialup connection connected.
    You are just going to start Hijackthis and fix the items as the directions say.
    If you have an Internet page open, (browser page means the same), you close it by using the X at top right, just the same as closing a window...
     
  9. thyatt169

    thyatt169 Thread Starter

    Joined:
    Sep 4, 2004
    Messages:
    9
    Ok, since all of this I'm now missing my CD-ROM drives and having problems installing drivers for a Lexmark 6150 all-in-one printer. I get the following warning message when it tries to install: "There is no valid INF file for this operating system. Unable to continue operation." What do I do now? Thanks in advance, Tom :eek:
     