getting rid of bargain buddy

[schroetp]

I have tried unsuccessfully to get rid of bargain buddy, using AdAware, Spybot and AntiSpyware. Please help!


I have attached my Hijackthis log that I got after running the Hijackthis Analyzer.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:31:24 PM, on 6/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Tom\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://business.dellnet.com/
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKLM\..\Run: [IPConfig] svcxnw32.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [IPConfig] svcxnw32.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken2004\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe


End of KRC HijackThis Analyzer Log.
====================================================================

THanks!

[sUBs]

Hi and Welcome to TSF!

Please subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please click here. On the proceeding page, make sure Instant notification by email is selected, then click Add subscription.

In the meanwhile, I suggest that you stop using Interent Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

During the course of disinfection, I may ask you to fix a program that you wish to retain. Please post back to inform me.


WARNING
You are running HiJackThis from an inappropriate location. It should be run from a permanent folder. This program creates backup files which we may need to use later. If the program is in a temporary folder, important backups may be accidentally deleted.

1. Please go into Windows Explorer
2. Click on C:\
3. Click on File > New > Folder
4. Call it HJT, or another name of your choice.
5. Move all files to the newly created folder.

Enable the viewing of Hidden files

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Select the Show hidden files and folders option.
• Deselect the Hide file extensions for known types option.
• Deselect the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

~~~~~~~~~~~~~~~

We require some additional files/programs for this fix. Please download the following files :-
Do not run any of the files unless instructed to do so

CleanUp! - Install

KillBox v2.0.0.175 - Save to Desktop.

Disconnect your computer from the Internet when you have finished downloading.


~~~~~~~~~~~~~~~

Some Anti-Spyware Programmes are known to intefere with HJT fixes. If you have these programmes, please disable them by doing so ...

Search & Destroy Spybot's TeaTimer

• Go to Tools>Resident - Deselect TeaTimer.

Microsoft AntiSpyware

• Click on Options>Settings.
• In the left pane, click on Real-time Protection.
• Under Startup Options, Deselect Enable the Microsoft AntiSpyware Security Agents on startup.
• Under Real-time spyware threat protection, Deselect Enable real-time spyware threat protection.
• After you've done these, click on the Save button and close Microsoft AntiSpyware.
• Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Webroot SpySweeper

• Go to the Options>Program Options.
• Deselect Load at Windows Startup.
• Click Shields and Deselect all items there.
• Deselect Home page shield.
• Deselect Automaticly restore default without notifiction.

Ad-aware's Ad-Watch

• Right-click on the Ad-Watch icon in the system tray
  At the bottom of the screen you will see 2 options Active and Automatic.
• Deselect Active
• Deselect Automatic
• Go to "Tools & Preferences">Options
• Deselectt "Load Ad-Watch at Windows startup"

~~~~~~~~~~~~~~~

Uninstall the following programs using Control Panel>Add/Remove Programs :

• ViewPoint

~~~~~~~~~~~~~~~

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

• C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  C:\Windows\System32\svcnet.exe
  C:\WINDOWS\System32\svcxnw32.exe

Start KillBox.

1. Go to the File menu, and choose "Paste from Clipboard".
   Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
2. Select/tick the following:
   • "Delete on Reboot"
   • "End Explorer Shell While Killing File"
   • "Unregister.dll Before Deleting" if it's not grayed out.
3. Click the RED X button.
4. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


~~~~~~~~~~~~~~~

Reboot to Safe Mode

1. Shut Windows down, and then turn off the computer.
2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
   Windows Advanced Options menu appears.
4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

~~~~~~~~~~~~~~~

Run a scan with HiJackThis & select(tick) the following & click "Fix checked" :

O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKLM\..\Run: [IPConfig] svcxnw32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [IPConfig] svcxnw32.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab


~~~~~~~~~~~~~~~

Locate and delete the following folder(s), if present:

• C:\Program Files\Viewpoint

Search for & delete ... using "Start>Search..." the following file(s), if present:

• svcnet.exe
  svcxnw32.exe

~~~~~~~~~~~~~~~

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

1. Click "Options..."
2. Move the arrow down to Custom CleanUp!
3. Put a check next to the following:
   • Empty Recycle Bins
   • Delete Cookies
   • Delete Prefetch files
   • [X]Scan local drives for temporary files (Please uncheck this option)
   • Cleanup! All Users
4. Click "OK"
5. Press the "CleanUp!" button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders

~~~~~~~~~~~~~~~

Reboot to Normal Mode.

Do an online scan at one of the following sites:

• Panda
• BitDefender
• Trend Micro

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Reboot Again & Run a new scan with HiJackThis. Save the log file and run KRC HiJackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

In your next post, please include:

• Copy of KRC HiJackThis Analyzer log
• List of files that online scans failed to disinfect

Please provide details of any problems you encountered whilst performing the above steps.

[schroetp]

I have followed the directions given and 3 adware remain from the scan done at Trend Micro, which were undeleteable:
- ADW CASHBACK.A
- ADW BARGBUDDY.G
- ADW BARGBUDDY.F

The hijack this analyzer log is attached:
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:57:33 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Documents and Settings\Tom\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://business.dellnet.com/
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken2004\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe


End of KRC HijackThis Analyzer Log.
====================================================================

[sUBs]

Quote:

I have followed the directions given and 3 adware remain from the scan done at Trend Micro, which were undeleteable:
- ADW CASHBACK.A
- ADW BARGBUDDY.G
- ADW BARGBUDDY.F

You have to give me the locations of the files found. Otherwise, I wouldn't know which file to delete.

Since you have already did the Trend Micro scan, I suggest that you do a scan from a different site.

[schroetp]

I did a scan from bitdefender and it did not give me any actual files, just registry entries that need to be removed. I tried removing them but it was not allowed, even in safe mode.

HKEY_CLASSES_ROOT\ADP.UrlCatcher.1
HKEY_CLASSES_ROOT\ADP.UrlCatcher.1\CLSID {F4E04583-354E-4076-BE7D-ED6A80FD66DA}
HKEY_CLASSES_ROOT\ADP.UrlCatcher
HKEY_CLASSES_ROOT\ADP.UrlCatcher\CLSID {F4E04583-354E-4076-BE7D-ED6A80FD66DA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1\CLSID {F4E04583-354E-4076-BE7D-ED6A80FD66DA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher\CLSID {F4E04583-354E-4076-BE7D-ED6A80FD66DA}

[sUBs]

If you experienced problems deleting keys, right click on the said entry & select permissions....
Select Full Control & click "OK"
You should be able to delete it after that.

I advise utmost caution whilst is the Registry. Always create a backup before doing anything. You may do so by going to File>Export and save the registry somewhere as a backup.

Do come back to tell me how it went. There are still cleaning steps we need to do when the system is fully disinfected.

[schroetp]

THanks you very much!!! I was able to delete all the keys.

What else should I do to ensure my system is clean?

[POADB]

Please run an online virus scan at Panda ActiveScan. Save the results and bring them with you in your next post.

If this comes back clean - we'll clear you and provide information on how to stay clean.

[schroetp]

Panda Active Scan came back with nothing found.

[sUBs]

Would you prefer if Panda came back with something?

Your log is clean. Well done
Do you have any more problems with your computer? If not, you should be set to go.

However, there still remains a few bits of housekeeping ...

Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Clear Java Cache

1. Click Start >Settings>Control Panel
2. Click the Java Plugin Icon
3. Click the Cache tab
4. Click the Clear button and click OK to confirm

Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Java's cache.


Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

• Sygate Personal Firewall
• Kerio Personal Firewall
• ZoneAlarm

and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.


In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL

Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[schroetp]

THanks much for all the help!