HJT log

Discussion in 'adware, spyware & hijack cleaning' started by liza, Mar 27, 2004.

Thread Status:
Not open for further replies.
  1. liza

    liza Registered Member

    Joined:
    Mar 27, 2004
    Posts:
    6
    Hi,

    After an exhausting search I found you guys. I recently installed netzero and discovered the hard way that they had put all sorts of stuff on my computer. I've downloaded and run spyblaster and will soon be downloading and running the hijacker program that you recommend as soon as I remove what I can of netzero. They told me to do certain things to remove some of the annoyances but I discovered after running spyblaster that it didn't remove anything. If it's alright I will soon be posting to the hijacker forum for help including a copy of the log from the hijack program. Is there any other information that is needed?

    Thanks,
    Liz
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi liza :)

    Welcome to Wilders.

    I just moved your post over to the Hijack cleaning site. ;)

    All u have to do is follow the instructions here,

    http://www.wilderssecurity.com/showthread.php?t=15913

    then one of the experts will read your log and give u recommendations on any malware found.



    snowbound
     
  3. liza

    liza Registered Member

    Thanks snowbound.

    Already saved the page with the instructions.

    Will post in this forum when I have everything ready.

    Liz
     
  4. snowbound

    snowbound Retired Moderator

    I know at the end of the instructions it says to start a new thread but u can post your log right here so the experts will be able to see what u have done so far in your first post. :)




    snowbound
     
  5. liza

    liza Registered Member

    Hi,

    Here's what's been happening. I installed and used netzero (ver7). I started noticing that the search from the address bar on my IE browser had changed. I tried changing under the internet options but nothing happened. Wrote netzero and they told me to remove it with add/remove programs. Still didn't remove it. I found and ran spyblaster and saw that under the browser page info there were five listings for net zero search. I started to use the change feature but then stopped since I figured I really didn't know what I was doing. So here I am.

    I got rid of net zero and uninstalled their software, I had to manually remove the file nz search.

    I ran both ad-aware and spybot and they came up clean. The following is the log file from hijack this:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:09:21 PM, on 3/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\eM\Bay Reader\Shwicon2k.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\RingCentral\BuzMe\RCUI.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: BuzMe.lnk = C:\Program Files\RingCentral\BuzMe\RCUI.exe
    O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
    O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
    O9 - Extra button: PopupPopper Control Panel (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E9AE575A-FA4A-11D3-90F7-00C0CA1618FF} (BuzMeSetup Class) - http://www.buzme.com/ActiveX/BMAXSetup.cab

    I want to get rid of all the netzero stuff and anything else that you suggest that will keep my computer clean of spyware.

    Thanks for your help,
    Liz
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll (file missing)

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun


    Reboot

    and Delete these folders
    C:\Program Files\NetZero
     
  7. dvk01

    dvk01 Global Moderator

    I'm not sure about the BuzMe program

    this is from their T&C's
    YOU FURTHER AGREE THAT THE BUZME SERVICE SOFTWARE SHALL RESIDE ON YOUR LOCAL SYSTEM AND MAY OPERATE UNOBTRUSIVELY IN THE BACKGROUND, PERFORMING A LIVE UPDATE, DELIVERING ADDITIONAL REQUESTED SOFTWARE, COLLECTING AND TRANSMITTING NON-PERSONALLY IDENTIFIABLE INFORMATION RELATED TO THE DISPLAY AND TRACKING OF ADVERTISING, AND ANY VOLUNTEERED DEMOGRAPHIC INFORMATION ABOUT YOU TO RINGCENTRAL OR TO RINGCENTRAL'S PARTNERS' SERVERS, WHENEVER YOUR WEB CONNECTION IS ACTIVE.

    http://www.buzme.com/buzme/service/tos.asp

    I personally wouldn't have such a service on my computer if it might download other software without my knowledge or send me adverts.

    it's your choice though as it is clearly stated in the T&C's

    so even though it might be classed as spyware it says it is doing it

    http://www.buzme.com/buzme/service/privacy.asp
    and its privacy policy leaves a lot to be desired
    Advertisers may also collect Non-Personal Information about you. The information they collect might include the type of ad displayed, the times the banner was displayed, and the effectiveness of the banner ad. This information may be collected by using one or more cookies that are stored on your hard drive as described above.

    In addition, while using our BuzMe Services, you may disclose information to parties other than RingCentral. For example, you may receive offers, promotions, and advertisements that originate from third parties; when you respond to these offers, promotions, or advertisements, third parties may collect information about your activities. The information practices of those third parties are not covered by this privacy statement.

    3. How We Use Your Personal Information.

    We use your Personal Information to improve the quality of the BuzMe Service and to boost the relevance of the offering we deliver to you. We use your Non-Personal Information to provide you with content (such as offers, advertisements, voicemails, and other promotions) that we believe will be of interest to you.

    We use your BuzMe Service Usage Data to maintain and improve our BuzMe Services. We also use Usage Data to do such things as operate and enhance our BuzMe Services and negotiate with vendors and advertisers.

    4. Disclosure of Your Information.

    By using the BuzMe Services being operated by RingCentral you consent to our disclosure of your information to our partners. Other than disclosure of your Personal Information to our partners, RingCentral will never disclose any of your Personal Information except when we have your permission or under special circumstances, such as when we believe in good faith that the law requires it or under the circumstances described below.

    We may disclose Aggregate Data. We may also share your responses to questions, advertiser-sponsored promotions, etc. with advertisers or marketers.

    Due to legal rules beyond our control, we cannot fully ensure that your private communications and other Personal Information will not be disclosed to other third parties. For example, if we need to investigate or resolve possible problems or inquiries, or if we receive a subpoena requesting information about you or communications by or to you, we can, and you authorize us to (without any opportunity by you to challenge the validity of the request or the subpoena), disclose any information about you to law enforcement or other government officials or the party serving the subpoena as we believe necessary or appropriate.

    Customers who use RingCentral's BuzMe FREE service:
    One of the ways RingCentral is able to keep BuzMe Free a free service is through demographic research and email lists. In order to use the BuzMe Free service, you must give your name, e-mail address, mailing address, and home phone number. We also ask several questions about your Internet usage, telephone service usage, and general demographic information (income, etc.). The information we receive at registration helps us to better understand how to tailor our site and our services to meet our members' needs. It also helps us to understand the demographics of our members. Because we offset the cost of this free service in the form advertisers and partners, obtaining demographic data is essential to keeping our service free to users. Other than email address and aggregate demographic information, RingCentral will exercise its best efforts not to disclose a member's personally identifiable information to third parties unless we (1) receive permission from the member; (2) are required to disclose such information by any applicable law or legal process served on RingCentral; (3) need to disclose the information to enforce the RingCentral Terms of Use.


    This in red probably means they sell your email address to other parties and you will get the spam

    I definitely wouldn't have it on my computer
     
  8. liza

    liza Registered Member

    Hi,

    Thanks for all the great help. Did exactly as you suggested. The netzero stuff seems to be gone. I will take your advice and remove buzme as soon as I find something to replace it. My mom spends lots of time on the computer and I need something that lets us know when someone's trying to call.

    After I uninstall the buzme program should I run hijack again and remove the buzme lines if they don't remove automatically?

    Thanks again,

    Liz
     
  9. dvk01

    dvk01 Global Moderator

    Yes, if, when you uninstall it, there are any references to it in HJT, then fix them

    Any doubts just post again and we will advise

    I expect this one will stay & need to be deleted, uninstalling almost never gets rid of a DPF O16

    O16 - DPF: {E9AE575A-FA4A-11D3-90F7-00C0CA1618FF} (BuzMeSetup Class) - http://www.buzme.com/ActiveX/BMAXSetup.cab
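
Added example, not part of any post in this thread: a small Python triage of a HijackThis log that reproduces the kind of selection made in the replies above. It assumes the rule is "the entry is orphaned (`(no file)` / `(file missing)`) or its value mentions a named vendor term"; the function names and the term lists are hypothetical, and the sample lines are an excerpt of the log posted earlier in the thread.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O16 - DPF: {E9AE575A-FA4A-11D3-90F7-00C0CA1618FF} (BuzMeSetup Class) - http://www.buzme.com/ActiveX/BMAXSetup.cab
"""

# Entry lines start with a section code such as R1, O2 or O16.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
# HijackThis marks registrations whose target file is gone.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$", re.I)


def parse(log):
    """Yield (code, body) per entry line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()


def triage(log, vendor_terms):
    """Return [(code, reason, body)] for entries a reviewer should look at."""
    findings = []
    for code, body in parse(log):
        low = body.lower()
        hit = next((t for t in vendor_terms if t.lower() in low), None)
        if ORPHAN.search(body):
            findings.append((code, "orphaned", body))
        elif hit:
            findings.append((code, "references " + hit, body))
    return findings


if __name__ == "__main__":
    # Assumed vendor terms for the NetZero cleanup discussed above.
    for code, reason, body in triage(SAMPLE_LOG, ["netzero", "nzsearch"]):
        print(f"{code:>3}  {reason:<20} {body}")
```

Re-running `triage` with `["buzme"]` on a log taken after the uninstall surfaces a leftover O16 DPF line like the one quoted above. The output is a review list, not a fix list: each entry still needs a human decision before it is ticked in HijackThis.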
     