webrebates0, 1, 2

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

synix09

Thread Starter
Joined
Sep 16, 2004
Messages
39
Okay. I have the same problem. But I have a whole lot of other problems too that just popped out of nowhere. I have that blue Cool Search thing, Search the Web, and a few more. I ran Ad-aware and Search and Destroy Spybot and a few other stuff that I got from Major Geeks webpage but none of that worked. I looked in my Program Files folder and found a whole lot of suspicious looking folders. Should I delete those? I looked at the date they were created and it was only a few days ago. I know for a fact I didn't install those. They only have .exe files in the folders and sometimes even nothing, but there are probably hidden files in there. Anyway, here's my log:

Logfile of HijackThis v1.98.2
Scan saved at 3:03:59 AM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Christoph\My Documents\Programs and Applications\Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.odimufoijberpm.biz/sW4g2qH2FT9fPxZOC2yaW3KXJOiq1b1R_xCElv3oUFRI59lKsICiVoE9iQv_nlQA.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [thunklogo] C:\PROGRA~1\TESTST~1\up cdrom loud.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [warn up cake inter] C:\Documents and Settings\All Users\Application Data\RegsPileWarnUp\Poptrans.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {CD5DB70E-9969-45A5-9E45-5BAC1B2154F8} - http://www.im.tv/bbstart.ocx

Thanks for the help. Sorry for the trouble.
 

synix09

Thread Starter
Joined
Sep 16, 2004
Messages
39
I updated Spybot, Ad-Aware and ran them, cleared some out, but my laptop is locking up a lot. And I still have that MySearchNow thing. Here's a new log:

Logfile of HijackThis v1.98.2
Scan saved at 1:14:06 AM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\Christoph\My Documents\Programs and Applications\Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=144446
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hvlmmsobcybcnvhwoobzpin....XJOiq1b1R_xCElv3oUFStyh40MgdQnIE9iQv_nlQA.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [thunklogo] C:\PROGRA~1\TESTST~1\up cdrom loud.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {CD5DB70E-9969-45A5-9E45-5BAC1B2154F8} - http://www.im.tv/bbstart.ocx
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Messenger Plus! 3 is most likely the source of your Lop problem; the full install of MSGR +3 contains that....
Uninstall it.

Also, look in Add/Remove (Change or Remove) Programs, for Web_Rebates or similar uninstall if found.
May not be there.
Fix the items below with HijackThis: put checks in the boxes at the left; when all in my list are checked, click "Fix Checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=144446

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hvlmmsobcybcnvhwoobzpin....IE9iQv_nlQA.htm

O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe ---> IF you know what this is, keep it...

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [thunklogo] C:\PROGRA~1\TESTST~1\up cdrom loud.exe---????? odd, keep if you did it.

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm


Immediately run CWShredder.exe and hit the "FIX" button and let it search for and remove files... The newest version of CWS is v1.59; make sure you have that, or use the "update" feature of CWShredder to make sure you do.


Reboot.

Make sure you follow these directions:

flrman1 said:
Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\administrator\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
NEXT: Open Windows Explorer > find and delete these FILES at end of lines:

C:\PROGRA~1\MOREID~1\DELETE THAT.exe
that one above will be in Program Files, folder starts with MOREID....find the right folder, should be first one, and then delete DELETE THAT.EXE


C:\PROGRA~1\TESTST~1\up cdrom loud.exe--if you did not create or load this yourself, delete it.

C:\Program Files\Web_Rebates\WebRebates0.
C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

Some of those files may not be found.

Start AdAware, check for updates for it, then scan using these settings:


LDTate said:
Ad-Aware FULL SCAN:

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Before restart, Empty Recycle Bin.
Run SpyBot again, have it look for updates.

Reboot, post a new HJT log.
 

synix09

Thread Starter
Joined
Sep 16, 2004
Messages
39
Here's my log now. I'm planning to format my computer but I'm having trouble doing that. Usually on 98, I just go into dos and type format c: but I can't do that on XP. ??

Logfile of HijackThis v1.98.2
Scan saved at 12:56:00 PM, on 9/19/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Log looks good! Don't see why you want to format the drive, but it's yours...good luck! If you do format and reinstall you will be very vulnerable as far as intruders when you connect to the Internet, so be wise and install a firewall, antivirus program, antispyware apps, etc. before even connecting to any modem. You can do all that by burning some downloads, not installed programs! to disk and installing them that way. Even Windows Updates can be...and SP2 is available on CD for no charge from Microsoft, (a friend may already have one).

Normally, this is the point we advise you to disable System Restore to flush all the infected Restore Points- which is the only way to clean any files located in Restore area...

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

then, you can turn Restore back on and make a new Restore Point. Since you are going to format it's optional, what I wonder about is whether you may need to uninstall SP2 or not.

You should read up on the methods for XP to repair install, or clean install...it depends on the type of Windows CD you have, exactly what you do. The CD is bootable, you may however have to change the boot order to the CD drive as the first priority boot drive in your BIOS. Depending on what brand BIOS you have, a key or series of keys is pressed just as the memory count occurs at startup. The screen may tell you what to hit. Under one of the categories you will see Boot devices and their position, set the CD drive as first to boot from the CD.

If your computer is a branded one like Compaq, Sony, HP etc., there may be choices as to what data is saved or whether you do a complete format. Best you go to the support page for your model number if you are using the OEM Restore type CD sets.
Next time, get things cleaned up as far as viruses, malware etc before you try Service Pack 2. Microsoft advises that you do the cleaning up first.
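
Added example (not part of the thread and not HijackThis code): a small Python comparison of two HijackThis logs against a helper's fix list, confirming that the flagged entries are gone after cleanup and surfacing entries that are new since the earlier scan. The sample lines are excerpts copied from the 9/17 and 9/19 logs and the fix list above; the function names are this example's own.

```python
import re

# A HijackThis entry line is "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] path".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def entry_key(code, detail):
    """Identity of an entry, so the same item matches across two scans."""
    if code.startswith("R") and " = " in detail:
        # Key R entries on the registry value name: a pasted fix list may shorten the URL.
        detail = detail.split(" = ", 1)[0]
    return (code, detail.strip().lower())  # Windows paths ignore case

def parse_log(text):
    """Map entry key -> original line for every entry line in a log."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[entry_key(m.group(1), m.group(2))] = line.strip()
    return entries

def compare(before_text, after_text, fix_text):
    """Return (flagged entries still present, removed entries, new entries)."""
    before, after, fix = map(parse_log, (before_text, after_text, fix_text))
    still_present = [after[k] for k in fix if k in after]
    removed = [before[k] for k in before if k not in after]
    new = [after[k] for k in after if k not in before]
    return still_present, removed, new

# Excerpts copied from the thread: 9/17 log, 9/19 log, and the helper's fix list.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=144446
O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
"""
AFTER = r"""
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
"""
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=144446
O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
"""

if __name__ == "__main__":
    for label, lines in zip(("still present", "removed", "new"), compare(BEFORE, AFTER, FIX_LIST)):
        print(label, *lines, sep="\n  ")
```

An empty "still present" list means every flagged entry is gone from the later scan; the "new" list is what to review next, since a cleanup or reinstall can add autorun entries of its own.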
 