TechSpot

Adware overload on my computer -- I'm new, please help

By tinrobert
Jan 15, 2005
Topic Status:
Not open for further replies.
  1. I got hit by adware popups just after Christmas. I used Spyware, Adaware and Spy Doctor but the problem persists. Norton Antivirus has found 10 "low-risk" problems but there is no way to erase them in that program. I checked in Windows Explorer and all directories were started on Dec 29! and are not there on my laptop.

    The files are (according to Norton):

    C:/Program Files/Bulls Eye Network/bin/adv.exe
    within windows\System 32\mac80ex.idf

    C:/Program Files/Bulls Eye Network/bin/adx.exe
    within windows\System 32\mac80ex.idf

    C:/Program Files/Bulls Eye Network/bin/bargains.exe
    within windows\System 32\mac80ex.idf

    Windows/System 32/javexlum.vxd
    within windows\System 32\netut80ex.vxd

    Windows/System 32/msexreg.exe
    within windows\System 32\netut80ex.vxd

    Windows/System 32/mqexdlm.srg
    within windows\System 32\netut80ex.vxd

    Windows/System 32/msbe.dll
    within windows\System 32\mac80ex.idf

    Windows/System 32/exdl.exe
    within windows\System 32\netut80ex.vxd

    Windows/System 32/exul.exe
    within windows\System 32\netut80ex.vxd

    \Windows\wupdsnff.exe


    I sent these to Spy Doctor after a malware scan but they haven't yet figured out the problem, only to tell me it is a Bulls Eye

    Questions:

    As Norton has identified them, how can I get the program to delete or quarantine them (I can only skip them in the next scan according to the message)?
    Are there any programs that will remove them?
    Can I delete them manually (I'm not too skilled about that except to right click and delete)?

    The adware eliminated my capability to do a System Restore and stopped the block capability on Google. I've been using Mozilla to avoid the pop-ups on IE.

    Thank you

    Tinrobert
     
  2. olefarte

    olefarte TechSpot Ambassador Posts: 1,427

    Welcome to TechSpot.

    Probably the best thing to do is follow the instructions, as laid out by Realblackstuff, in this thread. Pay special attention to the CWShredder part, hopefully that might get rid of it.
     
  3. tinrobert

    tinrobert TS Rookie Topic Starter

    Thank you for your prompt reply

    Trying to reply but get this message. Removed all URLs but still can't get through.

    Your Post contains one or more URLs, please remove them before submitting your message again.

    Help
     
  4. tinrobert

    tinrobert TS Rookie Topic Starter

    Managed to find that real (dot) com was in this message (I replaced the period with the word dot) -- I told you I'm new at this.

    Anyway,

    Followed instructions. Ran Ad-Aware with VX plug-in -- nothing found
    Ran CW shredder -- nothing found
    Ran Ad-Aware with UNcheck "Scan for negligible risk entries", select "Perform full system scan" -- nothing found

    Ran HijackThis -- got the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Real (dot) com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    What do I do now? I'm lost!
     
  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Look here: How to post Hijackthis Log-file

    You
    Based on your HJT-posting, run HJT in safe mode and let it 'fix':

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

    And next time, READ THE INSTRUCTIONS AND FOLLOW THEM
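
A small triage script for the kind of orphaned entries that appear in the fix list above, as an added example that is not part of the original thread. It parses HijackThis-style lines and flags only structurally empty ones (blank value, `(no file)`, `= ?`, no download source); those four rules are assumptions made for illustration, the `about:blank` and `about.htm` entries in the list are judgement calls it does not try to make, and a flagged line is a candidate for review, not a verdict. The sample lines are copied from the log posted in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Section codes seen in the logs in this thread and what they cover.
SECTIONS = {
    "R0": "IE start/search page value",
    "R1": "IE start/search page value",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry",
    "O8": "IE context-menu item",
    "O9": "IE extra button / Tools menu item",
    "O12": "IE plugin",
    "O16": "Downloaded Program Files (ActiveX)",
    "O23": "Windows service",
}

# "<code> - <detail>", e.g. "O3 - Toolbar: (no name) - {...} - (no file)"
ENTRY_RE = re.compile(r"^\s*([RO]\d{1,2}) - (.*\S)\s*$")


@dataclass
class Entry:
    code: str
    detail: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a log entry line, or None for headers/process lines."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    entry = Entry(m.group(1), m.group(2))
    d = entry.detail
    # Illustrative heuristics (assumptions, not HijackThis's own logic):
    if d.endswith("(no file)"):
        entry.reasons.append("registered component has no file on disk")
    if entry.code == "O4" and d.endswith("= ?"):
        entry.reasons.append("startup shortcut target could not be resolved")
    if entry.code == "O16" and d.endswith("-"):
        entry.reasons.append("ActiveX control with no download source recorded")
    if entry.code.startswith("R") and d.endswith("="):
        entry.reasons.append("browser setting present but blank")
    return entry


def parse_log(text):
    """Parse every entry line in a pasted log, skipping everything else."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(text):
    """Entries that matched at least one heuristic, in log order."""
    return [e for e in parse_log(text) if e.reasons]


def count_by_section(text):
    """How many entries each section contributes (useful for the O4 list)."""
    return Counter(e.code for e in parse_log(text))


# Sample lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        label = SECTIONS.get(e.code, "other")
        print(f"{e.code:<4}{label}: {e.detail}")
        for reason in e.reasons:
            print(f"      -> {reason}")
    print(dict(count_by_section(SAMPLE_LOG)))
```
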
     
  6. tinrobert

    tinrobert TS Rookie Topic Starter

    Thank you for the prompt feedback.

    I removed the lines from the HJT. Attached is a new HJT scan.

    Now, the directories U had this Bullseye and caskback are still in my computer after finding them in Windows Explorer. These were identified by Norton Utilities as "low-risk" and so they were not removed by Norton.

    Can they be removed manually by right-clicking?
    Any other suggestions, as my computer is booting and loading very slow?

    Below is the scan from Norton:

    C:/Program Files/BullsEye Network/bin/adv.exe
    within windows\System 32\mac80ex.idf

    C:/Program Files/BullsEye Network/bin/adx.exe
    within windows\System 32\mac80ex.idf

    C:/Program Files/Bulls Eye Network/bin/bargains.exe
    within windows\System 32\mac80ex.idf

    Windows/System 32/javexlum.vxd
    within windows\System 32\netut80ex.vxd

    Windows/System 32/msexreg.exe
    within windows\System 32\netut80ex.vxd

    Windows/System 32/mqexdlm.srg
    within windows\System 32\netut80ex.vxd

    Windows/System 32/msbe.dll
    within windows\System 32\mac80ex.idf

    Windows/System 32/exdl.exe
    within windows\System 32\netut80ex.vxd

    Windows/System 32/exul.exe
    within windows\System 32\netut80ex.vxd

    Each of these directories is plainly visible in System 32 in Windows
    explorer and all were created on Dec 29.

    Thank you very much for your help. (Did I load the HJT right this time?)

    Tinrobert
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Your HJT-log looks clean.

    BUT, you are "infected" with BargainBuddy.

    What you could do first, is boot into safe mode.
    Press Ctrl/Alt/Del and in Task Manager try to STOP whatever process (all those .exe files) from your list is in there.

    Delete those .vxd and .idf files if you can
    Next, delete the BullsEye Network directory with EVERY file and subdirectory in it.

    More info can be found here: (scroll down to Manual Removal)
    http://www.pestpatrol.com/PestInfo/B/BargainBuddy.asp
    or here:
    http://sarc.com/avcenter/venc/data/adware.bargainbuddy.html

    See how you get on with this.
     
  8. tinrobert

    tinrobert TS Rookie Topic Starter

    Thank you for your help. Here's what happened:
    I erased the .vxd and .idf files in Search and in Windows Explorer.
    Spybot removed BargainBuddy

    Reboot took a long time. There are 45 processes running at one time.
    Word had a problem with normal.dot

    Then I ran another Norton Antivirus scan. Found that the following "low-risk" files originally in the .vxd and .idf directories I erased, which are:

    Windows/System 32/exdl.exe
    Windows/System 32/msexreg.exe
    Windows/System 32/mqexdlm.srg
    Windows/System 32/javexlum.vxd
    Windows/System 32/exul.exe

    are now in c:\system volume\information_restore{8513C62E-889D-4878-AFC3-816F635DOFOE}\RP4\A0003133.VXD

    (can't decipher my handwriting if it is systemvolume or system volume - sorry)

    Also, Norton found \windows\wrpdsnff.exe

    Also, Pest Patrol found the following (I didn't buy it so I couldn't remove it):
    c:\documents and settings\(my name)\application data\sskewrd.dll

    I can't find these files in a Search. Can't locate system volume and can't get into documents and settings. Spybot, Spyware Doctor, and Ad-Aware don't find anything.

    Is it hopeless?

    Tinrobert
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Not yet. Switch off System Restore. Then delete all your restore points.

    Follow the instructions in my big post to show ALL files, incl. system- and hidden-files.
    Boot into safe mode, in Task Manager try to STOP the wrpdsnff.exe process
    Then run HJT to "fix" wrpdsnff.exe and sskewrd.dll if they show up.
    Then delete them.

    You may have to deregister that DLL file first.
    In a Command-prompt window type in:
    cd \windows\System32 and press Enter
    regsvr32 /u "c:\documents and settings\(my name)\application data\sskewrd.dll"
    and press enter
    Then delete it.
     
  10. tinrobert

    tinrobert TS Rookie Topic Starter

    realblackstuff

    Thank you for your efforts, but nothing worked.

    Nothing was found in regsvr32 u
    Task manager in safe mode did not show the wrpdsnff.exe
    Ran a HJT and did not find wrpdsnff.exe and sskewrd.dll

    I've attached the HJT scan, maybe you can see something unusual.

    Thanks again,

    Tinrobert
     
  11. jfoofoo

    jfoofoo TS Rookie

    Here are a couple of things you can try. First download Microsoft® Windows AntiSpyware (Beta) from Microsoft's website and try to see if that will remove all those for you. If not, go into safe mode and delete them. Do make a restore point just in case you delete the wrong thing. Hope that helps.
     
     
  12. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    What HJT-scan?
    And DON'T install that MS-beta crap, it is already being targeted by virus-writers and script-kiddies.
     
  13. tinrobert

    tinrobert TS Rookie Topic Starter

    jfoofoo,

    Thank you for your post. I downloaded Microsoft® Windows AntiSpyware (Beta) and guess what? It worked :giddy: Seems to have gotten rid of files that Norton Antivirus picked up but couldn't delete.

    realblackstuff

    OK, took your advice and deleted Microsoft® Windows AntiSpyware (Beta) before any new damage happened.

    Question,

    Boot up and program loading take a very long time. I have 46 processes running at one time. Is that the problem? What about the antivirus and antispy software immunization -- is that the problem? Went through disk cleanup and defrag. Any other suggestions?

    Cheers
     
  14. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    tinrobert,
    you did not attach your HJT-log in your previous post.
    Without that I have very little to go on.
    Make a fresh one and post it as attachment.
     
  15. tinrobert

    tinrobert TS Rookie Topic Starter

    realblackstuff

    OK ran another scan. Problem I'm finding now is I have 45 processes running and it takes several minutes to boot up or to start Mozilla and other files. Is that the problem? What about the antivirus and antispy software immunization programs I'm running (Norton Antivirus, Spy Doctor, Pestpatrol) -- is that the problem? Went through disk cleanup and defrag. Any other suggestions?

    Thank you realblackstuff
     
  16. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    There is nothing wrong with your HJT-log.

    My suggestion would be to run HJT and have it 'fix':
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    This indexing uses a fair bit of resources.

    Also, please fill in your "User Profile", top left on this page, so we can see what hardware you have.

    I think you have a low-spec PC, something like an early Dell Dimension, with not enough memory and too much crap installed on that PC.
    Do you really need all those programs to startup as soon as you switch on?
    I'm referring to that list of all the O4 Run/Startup programs. This is utter nonsense.
     
  17. tinrobert

    tinrobert TS Rookie Topic Starter

    realblackstuff,

    Thanks again for your prompt reply.

    Looked at the O4 Run/Start programs and don't know why they are there. Didn't do it personally or on purpose. Which other O4's can I remove?

    I do have a Dell Dimension, which I purchased about 2 years ago:

    Dimension® 4300 Series,Pentium® 4 Processor at 1.7GHz
    Memory: FREE Upgrade! 256MB SDRAM
    Keyboard: Dell® Enhanced Quiet Key Keyboard
    Monitor: 17 in (15.9 in viewable,.27dp) E771 Monitor
    Video Card: 64MB NVIDIA GeForce2 MX Graphics Card with TV-Out
    Hard Drive: 40GB Ultra ATA/100 7200RPM Hard Drive
    Floppy Drive: 3.5 in Floppy Drive
    Operating System: Microsoft® Windows® XP Home Edition
    Mouse: MS IntelliMouse®
    Network Card: 10/100 PCI Fast Ethernet NIC
    Modem: 56K PCI Data Fax Modem for Windows
    DVD ROM or CD-ROM Drive: 16x/10x/40x CD-RW Drive with Roxio's Easy CD Creator®
    Sound Card: Integrated Audio
    Speakers: Harman Kardon Speakers
    Bundled Software: Microsoft® Works Suite 2002 with Money 2002 Standard
    Norton Antivirus®: Norton Antivirus® 2002, 90-day introductory offer
    Digital Music: Dell Jukebox powered by MusicMatch 6.0 for XP
    Digital Imaging Software: Image Expert®2000 for XP,Dell Edition

    Thanks again,

    tinrobert
     
  18. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    C:\Program Files\Outlook Express\msimn.exe
    Stop using it. Install Thunderbird from www.mozilla.org
    It will copy all of your OE-messages into the program. Works similar, but a lot safer!
    Then UNinstall OE.

    UNinstall your Googlebar, it is outdated. If you really want it, install the latest version.

    Go to http://startup.iamnotageek.com/search.php
    and type in/copy-paste the following programs (just programname.exe) in the Searchbox, then click 'GO':

    C:\Program Files\Microsoft Works\WkDetect.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Messenger\msmsgs.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

    You will find that they all have a Rating of N=not needed or U=user decides.
    They all use up resources for nothing. You can STOP them all by either changing a setting,
    or block them, using MSConfig. That website tells you HOW in a number of cases.

    To be uninstalled/replaced:
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    'Fix' these with Hijackthis if you never use them:
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    After this you should have a Lean Mean Bloatreduced Machine
     
  19. tinrobert

    tinrobert TS Rookie Topic Starter

    realblackstuff,

    Tried my best. Can't get a HJT in .txt form, only comes up as .log so I've cut and pasted below.

    Still no luck with speed. Can I get HJT to fix any of those O4 items that were found to be an N or U? The iamnotageek site points to software that is for sale in order to disable the items.

    Still have 44 tasks running, 7 of which are svchost.exe.

    Thanks again,

    Tinrobert

    HJT

    Logfile of HijackThis v1.99.0
    Scan saved at 7:09:28 PM, on 1/30/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  20. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    You can STOP them all by either changing a setting,

    Take the finger out! Go into those programs, look into settings/tools/options or wherever, stop them from checking for automatic updates etc.

    Ever heard of renaming files?

    Also, when HJT makes its log, it asks where to save it. Just overtype hjt.txt or something.
    You are on your own now, I have explained all there is to explain.
     