help needed concerning spybot results

[frustratedIam]

My computer issues had been resolved. I decided to put on sp2 so I ran adaware,spybot and microsofts antispyware. Spybot came back with 4 main entries ncase, internet optimizer, powerscan and sidefind. Where did these come from? I haven't been on the net with that computer since it had been cleaned of spyware.

[greyknight17]

Was your thread that you posted resolved now? Just want to know.

Did you use Spybot to do a scan recently, prior to this one? It could have been from a program also, but if you ran Spybot before SP2 install, it should have picked it up. My guess is that you forgot to run it and only ran HijackThis - which isn't sufficient in cleaning out the other junk that it may not detect.

Are they gone now? What does Ad-aware find?

[frustratedIam]

you fixed that one and the log was clean. You suggested to put on sp2. So I figured I would run all the spyware programs before installing sp2 and resulted in spybot finding the culprits.All the entries are in the registry.I say to fix them and the program says it needs to reboot before the problems can be fixed so I do that but it is unable to fix them and Adaware didn't find anything.

I also had another thread from my main computer and you fixed that as well. which is very much appreciated.
Thanks Sue

[greyknight17]

Hi Sue, so you never did run Spybot before we did the HijackThis fixes? You should always run Spybot and Ad-aware before giving us a HijackThis log. They will detect other things and help cut back the bulk in the HijackThis logs.

So all those you listed can't be fixed? Give us a new HijackThis log now. If anything, we'll have to get a fix for each of those separately and remove them.

[frustratedIam]

Logfile of HijackThis v1.99.1
Scan saved at 11:40:18 AM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Owner\My Documents\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/info/e-center-p
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[greyknight17]

OK, that log is clean.

So you still find ncase, internet optimizer, powerscan and sidefind? See if they are listed in the Add/Remove Panel. Then go into C:\Program Files\ and see if there is a folder for it. If there are, delete all those folders for those 4 programs.

[frustratedIam]

none of the programs are found in the add/remove panel or in the programs folder. There was an easy internet sign up in the add/remove so I uninstalled it.Also a shopping program so I got rid of it as well. will run spybot again.

[frustratedIam]

I ran spybot again and the entries are still there . can I just edit the registry to get rid of them?
Sue

[greyknight17]

Yes, that's precisely what we will need to do. Follow the instructions below:

ncase - http://www.pchell.com/support/ncase.shtml
Internet Optimizer - http://www.iamnotageek.com/a/386-p1.php
Power Scan:

Quote:

Powerscan Description
Powerscan may launch pop-up advertisements and monitor your Internet activity while you're browsing the web. This adware may be downloaded through other pop-up advertisements, or it may come packaged with an Internet Explorer toolbar with search functions.

PowerScan Removal Instructions

End the 'cleanup.exe', 'ignorelist.exe', 'patchnow.exe', 'productsupport.exe', 'powerscan.exe', 'sysrestore.exe' process from the Task Manager (ctrl-alt-delete).

Remove these files (if present) with Windows Explorer: cleanup.exe, ignorelist.exe, patchnow.exe, pc powerscan - live update.lnk, pc powerscan.lnk, power scan.lnk, productsupport.exe, programfilesdir+\power scan\powerscan.exe, sysrestore.exe.

Open the registry (Start->Run->regedit) and delete the following keys and values:
HKEY_CURRENT_USER\software\powerscan
HKEY_CURRENT_USER\software\powerscan account_id 126407
HKEY_CURRENT_USER\software\powerscan\{4e7bd74f-2b8d-469e-dbfc-ed1ca787ad2d}
HKEY_CURRENT_USER\software\powerscan\account_id
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion
un power scan
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion
un\power scan
HKEY_LOCAL_MACHINE\software\powerscan
HKEY_LOCAL_MACHINE\software\powerscan loadnum 1

Having successfully done this you should be able to delete the entire 'PowerScan' folder in Program Files.

SideFind:

Quote:

SideFind Description
SideFind is a website search engine that may also be downloaded as an Internet Explorer toolbar with specialized search functions. SideFind may change your home page settings and redirect your search requests and error pages.

SideFind Removal Instructions

Before you can delete files, you must first stop all the SideFind processes that are running in memory.
Do this by ending all processes from the Task Manager.
Press CTRL+ALT+DELETE to open the Windows Task Manager. If you see multiple
"tabs," click on the "Processes" tab. For each process that you would like
to kill, find the process name in the list, click it to select it, and click
the "End Process" button.



Delete registry values Instructions:
Open the Windows Registry Editor by clicking on the Windows "Start" button,
clicking "Run," and typing "regedit" into the box in the Window that appears. Click "OK".
Once the Registry Editor is open, navigate through the registry tree to the
location of the key that you wish to delete. When you find the key or
value to be deleted, click on it to highlight it and press the "DELETE" key.

Delete Registry Values:
SOFTWARE\Microsoft\Side\Find
SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807}
BrowserHelperObject.BAHelper
{8CBA1B49-8144-4721-A7B1-64C578C9EED7}
{339D8AFF-0B42-4260-AD82-78CE605A9543}
SideFind.Finder
{58634367-D62B-4C2C-86BE-5AAC45CDB671}


Unregister DLL Instructions:
To un-register a DLL file, first locate the file on your hard drive.
Open a command prompt window by clicking on the Windows "Start" button,
clicking "Run," and typing "cmd" into the box in the Window that appears. Click "OK."
Next type "regsvr32 /u " and press the "ENTER" key.
For example, to un-register a file called "myDll.dll" which is located in
the "C:\windows\system32" folder, your would type
"regsvr32 /u C:\windows\system32\myDll.dll" and press the "ENTER" key.



Delete File Entries:
sfbho13[1].dll
sidefind[1].exe
sfexd001

OK, that should do it. If you have any questions, feel free to ask them here. Before you attempt to edit anything in the registry, make sure to back it up first. Go into the Registry Editor and then click on File->Export and save it somewhere.

[frustratedIam]

I tried following your instruction .there are no running processes of any of the software and none of the registry entries could be found in the suggested places but I did find powerscan in hkey-users/default/software/powerscan.
can I do a find in the registry for the entries and delete them that way? I don't have any folders either with those names.
Sue.

[greyknight17]

That doesn't sound right. Spybot is still detecting it now like you said right?

Yes, if that's the case, then do the manual search in the registry. I suggest hitting the F3 key if you found something. So delete the bad registry key if found and then hit F3 (which will do a Find Next) to make sure there are no more traces of that program. Then go to Edit->Find and do the next search. Repeat...

If you want, you may also use a program to do this search:

Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately):

ncase
Internet Optimizer
SideFind
PowerScan

Save the file/files and post the results in the forum.

[frustratedIam]

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "ncase" 4/22/2005 9:14:35 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1464692582-902870234-2263273830-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"002"="ncase"
--------
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "powerscan" 4/22/2005 9:17:19 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Power Scan]
"item"="powerscan"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Power Scan]
"command"="C:\\Program Files\\Power Scan\\powerscan.exe"
--------------
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "sidefind" 4/22/2005 9:20:21 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SideFind]

[greyknight17]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ and delete Power Scan

Next go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\App Management\ARPCache\ and delete SideFind

Then go to HKEY_USERS\S-1-5-21-1464692582-902870234-2263273830-1003\Software\Microsoft\Search Assistant\ACMru\5603 and delete 002

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Restart. Are they still being detected now.

[frustratedIam]

Hi when I went to HKEY_USERS\S-1-5-21-1464692582-902870234-2263273830-1003\Software\Microsoft\Search Assistant\ACMru\5603 in the registry to delete the key 002 I also found a dyfuca ,a smsse, msnsngr.exe ,msnsngr. Does this mean anything of importance. I still get a few errors in spybot. I did a print screen of the spybot window. can I attach it so you can see it? Thanks Sue

[greyknight17]

Yes, delete all those keys under the 5603 folder. They are not really harmful in this case since they only showed up there because we did searches for them one time or another. So they are just search results. But yes, you may delete them also.

Sure. Do a print screen and attach it here. Just reply and scroll down a little to Manage Attachments. Upload it there.

[frustratedIam]

after we get this figured out I will install sp2. do I still need zonealarm?

[greyknight17]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to each of the following:

HKEY_USERS\S-1-5-18\Software and delete salm and IST

HKEY_USERS\.DEFAULT\Software and delete salm and IST

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Restart and see if those are gone now. If they are:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.

[frustratedIam]

Spybot says:
CONGRATULATIONS
No immediate threats were found.


Thanks for your help , it is very much appreciated
Sue