SpyBot Question...

[antares]

This is my first time using this program, but I have a question that bugs me.

What do I get rid of?

This question means that what kinds of files should be deleted. Here is my list of what I got when I ran it:

Advertisiting.com
Avenue A, Inc.
Bargain Buddy
BDE Projector
BFast
Comet Cursors
Common Hijacker
CommonName
Cydoor
DoubleClick
eAcceleration
eGroup
ExCyberSearch
eZula HotText
FastClick
FlashTrack
Gator
HitBox
IGetNet
Internet Explorer (Data source object exploit)
MarketScore
MediaPlex
MS Media Player
n-Case
New.net
SaveNow
Sidestep
VX2/? (VX2/a-VX2/e)
WurldMedia
Common Dialogs

and the rest is Logs, MS Office 9.0, and Windows Explorer.

This all comes down to "169 problems found", which I think is a lot. Also, around half of them are Registry files.

Read over the list and tell me what I should do.

 

[ezymony]

I let it remove everything that spybot puts a checkmark in you have a lot of spyware on your machine.

 

[Davey7549]

antares
Welcome to TSG!
One caution here though... only the items in Red at this point should be considered for removal.

Dave

 

[antares]

Thanks. I will start removing it right away.
Also, thanks davey, for your welcoming. I glad to be here.

 

[Rollin' Rog]

Wow, that's a big load even for Spybot.

I would recommend removing New.net independently first, using Add/Remove programs and then rebooting. This is the most dangerous. You can do the same with SaveNow

It might be a good idea, after that to run Spybot in Safe Mode and have it do its thing from there to minimize the possiblity of conflicts with programs in memory. Be sure to reboot afterwards.

 

[JohnWill]

I have never seen such a list on one machine! How did you manage to accumulate such a load of spyware???

 

[antares]

I dont know for sure. It's probably the many programs that I have downloaded and install, during my computer's lifetime. Good thing that I them removed

Hopefully, I will do I weekly check-up to make sure there is no spyware in my computer.

 

[TonyKlein]

Given the number of dodgy items you've accumulated, I strongly suspect there may be more.

Would you please do this:

After running SpyBot, and having it remove all it found, go to http://www.spywareinfo.com/downloads.php#det , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and show us its contents.

 

[antares]

Here it is:

Logfile of HijackThis v1.90.0
Scan saved at 11:41:25 AM, on 1/11/2003
Platform: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://tribesaa.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
O1 - Hosts: 216.177.73.139 ieautosearch
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - E:\WINDOWS\System\BHO001.DLL
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [BackgroundSwitcher] E:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [CoolSwitch] E:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] E:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [QD FastAndSafe]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2wSysTray] E:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinStart001.EXE] E:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: Allow Site's Pop-&ups - file://E:\Program Files\PopNot\trustsite.script
O8 - Extra context menu item: Always &Kill this Pop-up - file://E:\Program Files\PopNot\blocksite.script
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://65.83.242.101/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} - http://fr4-download.nocreditcard.com/download/Object/ieaccess2XP.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31FD415A-1103-4329-B323-2DE693146C4E} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/ThereInstallHelper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22b78f35f87eaf482a04/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {69A4F9FF-E915-11D5-A9F1-009099104002} (XDialer Class) - http://www.pctlca.com/XDialer2.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://sc.communities.msn.com/controls/chat/msnchat42.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37577.3884143519
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} (MaxisPublishX Control) - http://thesims.ea.com/us/teleport/MaxisPublishX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {FA53CFF8-B253-49DE-9B13-3A6129830AF0} - http://130.94.70.13/player/allcast082902_17.cab
O18 - Protocol: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}

 

[TonyKlein]

Thank you.

I see one baddie in startup, and a load of very dodgy ActiveX objects.

Also an unknown Browser plugin that I'd like to have a look at. It may be harmless, but it could also be an all new baddie.
Would you be so kind as to send me a copy of E:\WINDOWS\System\BHO001.DLL as an attachment, please?
I'll PM you with my e-mail addie.

Now do this:

Run Hijjack This and check ALL of the following items. Subsequently shut down ALL Internet Explorer Windows, and have HT fix all selected.

Reboot when you're done, and find and delete E:\WINDOWS\System\WinStart001.EXE

We'll decide what to do with the browser plugin as soon as we know whether it's OK or not.

Here are the items to be fixed:

O4 - HKLM\..\Run: [WinStart001.EXE] E:\WINDOWS\System\WinStart001.EXE -b
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} - http://fr4-download.nocreditcard.co...ieaccess2XP.cab
O16 - DPF: {31FD415A-1103-4329-B323-2DE693146C4E} (InstallHelper Class) - http://survey.prod.there.com/qualsu...stallHelper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} - http://wcs00180.egain.net/wcsapp/we...g/ie/SecMgr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22b78f35f87eaf...ip/RdxIE601.cab
O16 - DPF: {69A4F9FF-E915-11D5-A9F1-009099104002} (XDialer Class) - http://www.pctlca.com/XDialer2.CAB
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WON...cherControl.cab
O16 - DPF: {FA53CFF8-B253-49DE-9B13-3A6129830AF0} - http://130.94.70.13/player/allcast082902_17.cab


Cheers,

 

[TonyKlein]

By the way, about this "Natural Language Navigation" browser plugin, is it perhaps this one?

http://www.keywordsearchphrases.com/defaultkeywords.htm

I think it probably is.

In that case it's a new version of IGN Keywords: http://www.doxdesk.com/parasite/IGetNet.html

Let Hijack This fix the following item:

O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - E:\WINDOWS\System\BHO001.DLL

 

[JohnWill]

Almost seems a re-install would have been easier than cleaning all this stuff out!

 

[Davey7549]

John
lol
How accurate your statement of reinstall is if not for the reupdating and all. My stepdaughter had 167 items Spybot found and it took me several hours to untangle the mess and get Her system to snuff.

Dave