
[Resolved] Adware that just doesn't go away!

Discussion in 'Virus & Other Malware Removal' started by clueless99, Feb 7, 2003.

Thread Status:
Not open for further replies.
  1. clueless99

    clueless99 Thread Starter

    Joined:
    Feb 7, 2003
    Messages:
    121
    Whenever I right-click highlight a text selection then left-click it, the drop down menu would have a "Power Search" option. How do I get rid of this? Also, every time I do a Spybot search, things from IGetNet always show up. How do you make this go away permanently?
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Welcome clueless. If Spybot cannot get rid of Igetnet (have you tried running it in Safe Mode?), see the link below and check especially for entries in the Hosts file. This can be opened in Notepad.

    http://www.doxdesk.com/parasite/IGetNet.html

    Also, get the HijackThis application from the site below. Click the 'scan' tab and then copy/paste the results to a reply.


    http://www.lurkhere.com/~nicefiles/
     
  3. clueless99

    clueless99 Thread Starter

    Joined:
    Feb 7, 2003
    Messages:
    121
    Logfile of HijackThis v1.91.2
    Scan saved at 7:39:27 PM, on 2/7/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://login.passport.net/uilogin.srf?id=2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.gateway.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by PeoplePC
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://search.ieplugin.com/q.cgi?q=%s
    N3 - Netscape 7: user_pref("browser.startup.homepage", "www.hotmail.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rgzca168.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rgzca168.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP40\bin\BandObject.dll
    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
    O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP40\hta\station.sbrt
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp2.81\Winampa.exe"
    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1265/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06a52ec1ba9945aafd05/netzip/RdxIE6.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37589.9566550926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

    I couldn't find some of the values the 1st link told me to delete. Those that I could find were deleted, but I still have all the problems.

    EDIT: No, I haven't run Safe Mode yet. Do you think I still need to? If so, how can I run it and what should I do?

    <<< Complete computer illiterate
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It might be a good idea to run Spybot in Safe Mode, as I do see quite a few entries for IEplugin there, and I'm not sure how much might be left on the system. Here is a link with more info on it:

    http://www.doxdesk.com/parasite/IEPlugin.html

    Additionally I would use HijackThis to remove the following entries:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://search.ieplugin.com/q.cgi?q=%s

    {optional, this is what puts the 'branding' on your browser} R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by PeoplePC

    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP40\bin\BandObject.dll

    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL

    O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)

    {this could be the main culprit} O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu

    Frankly, I am not sure what those in this next group are associated with, but deleting them won't cause any harm:

    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1.../v6/ brix6ie.cab

    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06a52ec1ba9945...tzip/ RdxIE6.cab

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

    >>> this one is for Huntbar and should definitely be deleted:

    O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

    >>> If you still have problems after following this procedure, go to Internet Options > Programs, and click "Reset Web Settings". This will restore certain defaults. (It may put back your browser branding if you removed that)
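
As an added example (not part of the thread or of HijackThis itself), this Python script triages a HijackThis log the way the reply above does by hand: it flags entries containing the strings named in the thread (`ieplugin.com`, `MSIETS\msielink.dll`) and BHOs whose file is missing. The indicator list and function names are assumptions of this example; the sample lines are copied from the log posted earlier in the thread.

```python
import re

# Substrings taken from the entries flagged in the thread; this list is an
# assumption of the example, not a complete signature set.
INDICATORS = ("ieplugin.com", r"\msiets\msielink.dll")

# HijackThis entry shape: "<code> - <rest>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample lines copied from the log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.91.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.gateway.net
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
"""

def parse_log(text):
    """Yield (code, clsid_or_None, rest) per entry line; header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            code, rest = m.groups()
            clsid = CLSID_RE.search(rest)
            yield code, (clsid.group(0) if clsid else None), rest

def triage(text):
    """Return (code, reason, rest) for each entry that deserves a closer look."""
    findings = []
    for code, clsid, rest in parse_log(text):
        low = rest.lower().rstrip()
        hit = next((i for i in INDICATORS if i in low), None)
        if hit:
            findings.append((code, f"matches indicator {hit!r}", rest))
        elif code == "O2" and low.endswith("(no file)"):
            # BHO still registered although its DLL is no longer on disk.
            findings.append((code, f"orphaned BHO {clsid}", rest))
    return findings

if __name__ == "__main__":
    for code, reason, rest in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {rest}")
```

The script only reports; removal is still done in HijackThis or Spybot as described in the thread.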
     
  5. mViOkPe

    mViOkPe

    Joined:
    Oct 15, 2002
    Messages:
    101
    Be sure that you are running the current SSD v1.1r4 with the latest sigs. IGetNet was just recently updated thru the internal updater. BTW You should not need to run in 'safe mode'. When SSD finds a file held in use, it pops up a dialog asking you to start SSD on the next startup. Click OK/yes and reboot. SSD will then start ahead of the sys and clean before anything else is loaded (better than 'safe mode').

    BTW I can tell by your lists that you are not using current SSD. MSIETS would not be there if you were.
     
  6. clueless99

    clueless99 Thread Starter

    Joined:
    Feb 7, 2003
    Messages:
    121
    Thank you sooo much you guys! It's all fixed. No more annoying PowerSearch, IgetNet, or searches redirecting to its crummy site. Gawd, that bugged the hack out of me.

    And thanks for reminding me to update Spybot. It's up-to-date now.
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    :cool:

    [tsg=yourewelcome][/tsg]
     

Short URL to this thread: https://techguy.org/117576
