
webrebates0, 1, 2

Discussion in 'Virus & Other Malware Removal' started by synix09, Sep 16, 2004.

Thread Status:
Not open for further replies.
  1. synix09

    synix09 Thread Starter

    Joined:
    Sep 16, 2004
    Messages:
    39
    Okay. I have the same problem. But I have a whole lot of other problems too that just popped out of nowhere. I have that blue Cool Search thing, Search the Web, and a few more. I ran Ad-aware and Search and Destroy Spybot and a few other stuff that I got from Major Geeks webpage but none of that worked. I looked in my Program Files folder and found a whole lot of suspicious looking folders. Should I delete those? I looked at the date they were created and it was only a few days ago. I know for a fact I didn't install those. They only have .exe files in the folders and sometimes even nothing, but there are probably hidden files in there. Anyway, here's my log:

    Logfile of HijackThis v1.98.2
    Scan saved at 3:03:59 AM, on 9/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Christoph\My Documents\Programs and Applications\Removal Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.odimufoijberpm.biz/sW4g2qH2FT9fPxZOC2yaW3KXJOiq1b1R_xCElv3oUFRI59lKsICiVoE9iQv_nlQA.asp
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [thunklogo] C:\PROGRA~1\TESTST~1\up cdrom loud.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [warn up cake inter] C:\Documents and Settings\All Users\Application Data\RegsPileWarnUp\Poptrans.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {CD5DB70E-9969-45A5-9E45-5BAC1B2154F8} - http://www.im.tv/bbstart.ocx

    Thanks for the help. Sorry for the trouble.
     
  2. synix09

    synix09 Thread Starter

    Joined:
    Sep 16, 2004
    Messages:
    39
    I updated Spybot, Ad-Aware and ran them, cleared some out, but my laptop is locking up a lot. And I still have that MySearchNow thing. Here's a new log:

    Logfile of HijackThis v1.98.2
    Scan saved at 1:14:06 AM, on 9/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\FarStone\VirtualDrive\vdtask.exe
    C:\Program Files\Free Surfer\fs20.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Documents and Settings\Christoph\My Documents\Programs and Applications\Removal Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=144446
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hvlmmsobcybcnvhwoobzpin....XJOiq1b1R_xCElv3oUFStyh40MgdQnIE9iQv_nlQA.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [thunklogo] C:\PROGRA~1\TESTST~1\up cdrom loud.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {CD5DB70E-9969-45A5-9E45-5BAC1B2154F8} - http://www.im.tv/bbstart.ocx
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Messenger Plus! 3 is the source most likely, of your Lop problem, the full install of MSGR +3 contains that....
    Uninstall it.

    Also, look in Add/Remove (Change or Remove) Programs, for Web_Rebates or similar uninstall if found.
    May not be there.
    Fix the items below with Hijackthis: Checks in the boxes at the left, when all in my list are checked, click "Fix Checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=144446

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hvlmmsobcybcnvhwoobzpin....IE9iQv_nlQA.htm

    O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe ---> IF you know what this is, keep it...

    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

    O4 - HKLM\..\Run: [thunklogo] C:\PROGRA~1\TESTST~1\up cdrom loud.exe---????? odd, keep if you did it.

    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm\


    Immediately run CWShredder.exe and hit the "FIX" button and let it search for and remove files... the newest version of CWS is v 1.59 make sure you have that, or use the "update" feature of CWShredder to make sure you do.


    Reboot.

    Make sure you follow these directions:

    NEXT: Open
    Windows Explorer> find and delete these FILES at end of lines:

    C:\PROGRA~1\MOREID~1\DELETE THAT.exe
    that one above will be in Program Files, folder starts with MOREID....find the right folder, should be first one, and then delete DELETE THAT.EXE


    C:\PROGRA~1\TESTST~1\up cdrom loud.exe--if you did not create or load this yourself, delete it.

    C:\Program Files\Web_Rebates\WebRebates0.
    C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    Some of those files may not be found.

    Start AdAware, check for updates for it, then scan using these settings:


    Run SpyBot again, have it look for updates.

    Reboot, post a new HJT log.
     
  4. synix09

    synix09 Thread Starter

    Joined:
    Sep 16, 2004
    Messages:
    39
    Here's my log now. I'm planning to format my computer but I'm having trouble doing that. Usually on 98, I just go into dos and type format c: but I can't do that on XP. ??

    Logfile of HijackThis v1.98.2
    Scan saved at 12:56:00 PM, on 9/19/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\FarStone\VirtualDrive\vdtask.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
    O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
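
An added example, not written by either poster: one way to confirm that the entries on the fix list above are gone from the follow-up scan is to parse the HijackThis entry lines and diff the 9/17 and 9/19 logs. The function names are hypothetical, and the sample data is a subset of lines excerpted from the logs in this thread.

```python
import re

# HijackThis entries start with a section code: R0/R1, F0-F3, N1-N4, O1 and up.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return the set of (section_code, detail) entries; other lines are skipped."""
    return {m.groups() for m in map(ENTRY_RE.match, log_text.splitlines()) if m}

def diff_logs(before, after):
    """Return (removed, added) entry lists between an earlier and a later scan."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)

def unresolved(fix_list, after):
    """Fix-list entries that are still present in the later scan."""
    return sorted(parse_entries(fix_list) & parse_entries(after))

# Sample data: a subset of lines excerpted from the logs in this thread.
LOG_0917 = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [thunklogo] C:\PROGRA~1\TESTST~1\up cdrom loud.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
"""
LOG_0919 = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
"""
# Fix-list lines as they appear in the log, without the helper's trailing remarks.
FIX_LIST = r"""
O2 - BHO: (no name) - {26702717-1A3C-9464-5065-156FF6AEF594} - C:\PROGRA~1\MOREID~1\DELETE THAT.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [thunklogo] C:\PROGRA~1\TESTST~1\up cdrom loud.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
"""

if __name__ == "__main__":
    removed, added = diff_logs(LOG_0917, LOG_0919)
    for label, items in (("removed", removed), ("added", added)):
        for code, detail in items:
            print(f"{label:8}{code:4}{detail}")
    print("still present from fix list:", unresolved(FIX_LIST, LOG_0919))
```

On these lines the four fix-list entries show up as removed, and the only addition is the HKCU Run copy of the VirtualDrive entry.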
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Log looks good! Don't see why you want to format the drive, but it's yours...good luck! If you do format and reinstall you will be very vulnerable as far as intruders when you connect to the Internet> so be wise and install a firewall, antivirus program, antispyware apps, etc before even connecting to any modem. You can do all that by burning some downloads, not installed programs! to disk and installing them that way. Even Windows Updates can be...and SP2 is available on CD for no charge from Microsoft, (a friend may already have one).

    Normally, this is the point we advise you to disable System Restore to flush all the infected Restore Points- which is the only way to clean any files located in Restore area...

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

    then, you can turn Restore back on and make a new Restore Point. Since you are going to format it's optional, what I wonder about is whether you may need to uninstall SP2 or not.

    You should read up on the methods for XP to repair install, or clean install...it depends on the type of Windows CD you have, exactly what you do. The CD is bootable, you may however have to change the boot order to the CD drive as the first priority boot drive in your BIOS. Depending on what brand BIOS you have, a key or series of keys is pressed just as the memory count occurs at startup. The screen may tell you what to hit. Under one of the categories you will see Boot devices and their position, set the CD drive as first to boot from the CD.

    If your computer is a branded one like Compaq, Sony, HP etc., there may be choices as to what data is saved or whether you do a complete format. Best you go to the support page for your model number if you are using the OEM Restore type CD sets.
    Next time, get things cleaned up as far as viruses, malware etc before you try Service Pack 2. Microsoft advises that you do the cleaning up first.
     
  6. synix09

    synix09 Thread Starter

    Joined:
    Sep 16, 2004
    Messages:
    39
    Cool, thanks a lot!!
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    You're very welcome.
     

Short URL to this thread: https://techguy.org/274986
