[solved]How to remove Messenger Plus ???

Hi, I've stupidely began to install the messenger plus add-on, wich IS a spyware. I've noticed it as reading the Licence during the installation, and decided to abort... but this crap however had time enough to activate some of its functions, even if the main program is NOT installed . I've noticed strange behaviour from my firewall (some of its functions, as blocking cookies and ads were temporarely disabled, but the firewall, NIS, didn't noticed it, as these two fonctions were shown as "active"...).

So, I made scans with ad-aware, spybot, A squared, and even TDS 3, but none of them found anything. Only a on-line scan on Checkflow allowed me to know a few entries in the registry.

For example, this spyware activate some javascript, that we can see in the Temporarely Internet Files; on each page visited...

So, if someone know HOW TO REMOVE IT DEFINITIVELY, it would be great....

PS: I can send an Hijack This log if needed..

Cheers

 

Re: How to remove Messenger Plus

Still me. Note: tHE other procedures I found on forums can't work, because I DIDN'T INSTALL MESSENGER PLUS, so I haven't any "uninstall" option...
The spyware I 've got installed itself because I began to install it, before reading the Licence...

So, PLEASE, HELP !!!! ; I'm hesiting to format and reinstall my harddrive, right now...)

 

Re: How to remove Messenger Plus

OK, here are a Hijack This log, and a screen capture, showing one of theses tiny javascript wich load when opening a page on Internet (in yellow, "WH.js", the name changes permanently...).

________
attached hijackthis log posted for ease of use - snap


Logfile of HijackThis v1.98.0
Scan saved at 21:07:12, on 19/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\ProcessGuard Free\dcsuserprot.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\PROGRA~1\MESSAG~1\StartMessager.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
C:\Program Files\ProcessGuard Free\procguard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\flowprotector\flowprotector.exe
C:\Documents and Settings\nicolas le mineur\Mes documents\jeanyves.lemineur\HijackThis1980hf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.fr/go/page_recherche/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [MessagerStarter Wanadoo] C:\PROGRA~1\MESSAG~1\StartMessager.exe Messager Wanadoo
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: FlowProtector_Plus.lnk = C:\Program Files\flowprotector\flowprotector.exe
O4 - Startup: MPXPTray.lnk = C:\Program Files\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
O4 - Startup: Process Guard Free.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Sites Perso - {06FE5D05-8F11-11d2-804F-00105A133818} - http://compaqnet.ifrance.com/heberg/accueil (file missing)
O9 - Extra 'Tools' menuitem: Compaq France - {06FE5D05-8F11-11d2-804F-00105A133818} - http://compaqnet.ifrance.com/heberg/accueil (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/9955/20040106/akamai.info.apple.com/iTunes4/WW/win/FU019-0123.20040106.Zxsw3/iTunesSetup.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EC69950-F299-40AC-A004-3BF5176F8F7B} (FlowScan Control) - http://www.checkspy.com/fr/FlowScan.cab

 

Re: How to remove Messenger Plus

Nico,

Messenger PLUS:
Messenger Plus is an add-on. It is not written by Microsoft. It installs spyware. LOP to be exact. You installed the Sponsor and you have spyware as a result.

It is still there. You need to uninstall it and then if you still want to use it, then reinstall and choose not to install the Sponsor.

First uninstall Plus via Add\remove

And now we have to uninstall the spyware it added.


Go to Add/remove programs and remove:
"Window Search" and *Win Tools*
You will be given a security code to insert, do so
And reboot when done.

If not there then use these two uninstallers:

http://lop.com/new_uninstall.exe
http://lop.com/toolbar_uninstall.exe

Download CWShredder from this link:
http://www.spywareinfoforum.com/downloads/tools/CWShredder.exe
Run CWShredder.exe and click the Fix button to clean.

Then reboot and use AdAware as described :
HERE

Spybot S&D
The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in red by pressing "Fix selected problems".

Close Spybot S&D, reboot your system .

Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

Then Disable system restore: Instructions here
Reboot

Enable System Restore.

Pls. post another log.

 

Re: How to remove Messenger Plus

Hi, Marianna, thank you VERY MUCH for your help... . You know, I did't install it , or, moreover, it shouldn't be installed, because I noticed the Licence was, well, let's say,funny (C2lop is among the objects searched by Spybot, wich I already run). When I saw the terms of this licence, I STOPPED M.plus installation... , but some of its composants must be installed yet. None of my scanners (Norton, Spybot, ad-aware, A-squared and TDS-3) found spyware, but a "HOTBAR" is there... . This is the cause of my troubles. I can see it because it modify sometimes my Norton firewall behaviour, and there are strange javascripts in my temporary internet files. So, I wish the C2lop uninstaller you adviced me will be useful.... . And I've already made a scan with CWshredder, but nothing appeared.
I try the two C2lop uninstaller, and I'll tell you if it works...

Thanks again, Cheers,

 

Re: How to remove Messenger Plus

Nico,

after you ran the uninstallers do NOT forget:

Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

Run HIjackThis again as you are done and let'see what's still in there

 

Re: How to remove Messenger Plus

Hi again, Marianna. I think the removal of this pest would have been easier if I had installed messenger plus (completely, I mean)... . I've made all you said, and this crap is still there... . The on-line Flowprotector scan (www.checkspy.com) find a "HOTBAR" again, with 3 registry entries... but doesn't show the full path to it (I 've cleared one "patchou" entry, it was easy to find). And there are still the JAVASCRIPTS I was talking about, before. I've run Ace Utilities too, this program remove all registry/temp unneeded files. But it sems that this "HOTBAR" re-creates it permanently... .So, I send you an Hijack This log, but I think I'll spend my afternoon tomorrow reinstalling everything on my computer...

I'm furious, because I provoqued this myself, as downloading this messenger plus... AArgh. I' m never annoyed with spyware, usually... . This is humiliating... .

If you can advice me something, I would be happy, even if i think this is desesperate...

Thank you again, Cheers

 

Re: How to remove Messenger Plus

Oh, and by the way, I've removed MSN messenger.. . I wish it's not important for an eventual cleaning of the Hotbar...

 

Re: How to remove Messenger Plus

Here is your log

Logfile of HijackThis v1.98.0
Scan saved at 03:19:15, on 20/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\ProcessGuard Free\dcsuserprot.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\PROGRA~1\MESSAG~1\StartMessager.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Symantec Shared\NMAIN.EXE
C:\Documents and Settings\nicolas le mineur\Mes documents\jeanyves.lemineur\HijackThis1980hf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.fr/go/page_recherche/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [MessagerStarter Wanadoo] C:\PROGRA~1\MESSAG~1\StartMessager.exe Messager Wanadoo
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: FlowProtector_Plus.lnk = C:\Program Files\flowprotector\flowprotector.exe
O4 - Startup: MPXPTray.lnk = C:\Program Files\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
O4 - Startup: Process Guard Free.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Sites Perso - {06FE5D05-8F11-11d2-804F-00105A133818} - http://compaqnet.ifrance.com/heberg/accueil (file missing)
O9 - Extra 'Tools' menuitem: Compaq France - {06FE5D05-8F11-11d2-804F-00105A133818} - http://compaqnet.ifrance.com/heberg/accueil (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/9955/20040106/akamai.info.apple.com/iTunes4/WW/win/FU019-0123.20040106.Zxsw3/iTunesSetup.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EC69950-F299-40AC-A004-3BF5176F8F7B} (FlowScan Control) - http://www.checkspy.com/fr/FlowScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97C64BFD-3129-496A-939A-2F148F7D59A2}: NameServer = 80.10.246.1 80.10.246.132

Nico,

I don't "get it" - I can't see the hotbar
there is a LOT of stuff from Wanadoo - could it be IN there?

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked.
Make sure all browser and all Windows Explorer windows are closed before fixing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=040c&s=search&ap=b204

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

Reboot

Does that help ??

Is your Ad aware UPDATED?? Care to run it again??

PL.s let me know how it looks now.

 

Re: How to remove Messenger Plus

Hi, Marianna. Ok, I've done everything.... with no results ...
What the f..k is that "hotbar"? I've still this running, as I've just made another Checkspy scan... see, I joined a shot of the first scan result ( and one funny thing is that I installed the Flowprotector soft, from the same company as Checkspy, but curiously, it doesn't find anything on my computer... strange, no? ). And again, I can see the tiny javascripts on IE... . nb: Spybot (1.3, up-to-date, and Ad-aware, idem, didn't found anything...).

This spyware isn't as annoying than some others, wich can redirect, prevent some sites to be visited, etc, but I CAN'T remove it... . And I don't want it to stay on my computer... . When I think I was making fun of my friends who were running malware/spyware (although removing most of it for them...).

It looks like I'm in a good way to make a reinstall this afternoon... (it's almost 6 o'clock in the morning, here...).

So thank you so much for your help, , and reply if you have another idea, but it seems pretty hard...

Cheers, Nicolas

 

Re: How to remove Messenger Plus

Yikes !

Backup your registry !

Then hunt for the registry entries you see in the screenprint for HOTBAR and delete them . Good idea??

 

Re: How to remove Messenger Plus

Aaahhhh ... You mean that the shot shows the FULL PATH to theses registry entries... . Right, I though it was uncomplete . Thanks for the tips,Marianna, I'll make a try...
Cheers

 

Re: How to remove Messenger Plus

did it work?

 

Re: How to remove Messenger Plus

Hi. Eehhh, in fact, I don't know... . I didn't reach the registry entries, because te path is uncomplete. But ther are two possibles explanations... : 1) the rest of spyware is unremoveable... 2) after a full system restore (and a rude headache..), I'm surely worrying because of the possible ZEAL of the Checkspy scanner... .
I'm not sure of this (I'll try with another computer), but it seems that this scanner could find a "hotbar" on EACH computer it scans... . And this is mostly the right cause of my worries.... : I'm very sorry, if it's the case, for disturbing you with my problems... . I'm quite sure that the supposed hotbar are just the links that all IE toolbars have... ( hotmail, etc... depending of the computer's manufacturer). I'll verify this tomorrow, on another computer.
And if I'm wrong, the solution should be to reinstall but with a hard drive formating before (I didn't format, because the reinstall is supposed to over-write everything, isn't it?). . And I'll make a research to see what people say about the Checkspy on-line scanner... (I think it's something like: "wow, your computer is devastated by spyware, buy our soft"...

So, that's it; Thank you so much again for your help, and I 'll let you know if I can be sure of the zeal of Checkspy, what would prove that I'm not running parts of a "real" Hotbar...

Cheers

 

Re: How to remove Messenger Plus

Hi Nico,

I don't know checkspy - did a Google - maybe you have a look?

http://groups.google.com/groups?q=Checkspy &hl=en&lr=&ie=UTF-8&sa=N&tab=wg

http://www.google.com/search?sourceid=navclient&q=Checkspy

"keep smiling"

 

Re: How to remove Messenger Plus

Hi, Marianna. That's it... the adress is www.checkspy.com , it's the on-line scanner from Checkflow flowprotector, a powerful anti-spyware soft. By the way, if you want to have fun, try this on-line scanner, I' m ready to bet that it' ll find a "Hotbar" on your computer too... . I made the test with others computers, including one that's just used to make intranet medical remote transmissions, ad ALL have a so-called Hotbar , so... .
I just made a full reinstall for...nothing, I guess. I'm now sure that you didn't see the Hotbar on my Hijack This logs BECAUSE IT WAS'N'T IN THE PLACE... Sorry again (and many thanks again) for your efforts

Cheers,
Nicolas

 

Re: How to remove Messenger Plus

Hi Nicolas

don't be sorry and "keep smiling" . right, I did NOT see the HOTBAR - ONLY you saw it

Well, now you know FOR SURE your computer is CLEAN thanks for your feedback !

Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.

Have a great summer and Happy Safe Computing !

 

Re: How to remove Messenger Plus

Hi, me again. The site you talked in your last thread is for sure instructive..., and maybe I'll have a look to BHODemon, that seems interresting. However, and even if I was taken as an idiot in trying Messenger plus( it will be times before I 'll do this kind of thing again...), I'm quite safe when being on the net : all my softs are ALWAYS up-to-date (it takes time...), and all forms of activeX controls, java applets, etc, are blocked by the firewall; it is set to the maximum security level available. And I'll add full Process Guard (actually waiting for the licence), and TDS, soon. So... . There are ever guys who manage to defeat this kind if protection, but as I said, I'm never annoyed with spyware, currently. .
So, thanks again
Cheers
ps: and have nice holidays too

 

Re: How to remove Messenger Plus

Hi Nico,

glad to see you still have some humor left

right - have a look at BHODemon !

I also have TDS3 running - look IN the TDS 3 forum here at Wilders - FanJ has made screenshots HOW to configure it.

Surf Safe and use "common sense"

 

Re: How to remove Messenger Plus

Humm, I usually use paranoïac sense.. . Oh, by the way, you won't believe, but the reason I decided to install messenger plus for is that it was promising greats functions... and I've seen this in... "WindowsXP magazine", the OFFICIAL (!) press of Microsoft, here, in France... . Funny, isn't it?
So, they adviced, in their last month's magazine, all their readers to add this "marvelous add-on" to their Windows/MSN messengers... . (I've sent them a mail where I courteously make fun of them...). I imagine the unhappy readers who don't know about spyware/malware ,and who will install it cheerfully... . But I (almost) forgive them, as the same page of the magazine is the place where I heard about wilderssecurity forum for the first time... Thans to them .

Cheers
Nicolas

 

Re: How to remove Messenger Plus

Hi Nicholas

Did you install MESSENGER PLUS WITH ALL the "stuff"?

If you want to use it, reinstall and do not choose the extras or to install the Sponsor. Their Sponsor installs Spyware.

This ONLY FYI

 

Re: How to remove Messenger Plus

Hi, Marianna. Ho-Hooo, you know, I don't want to hear about this messenger plus anymore, never... . Maybe my precedent message was uncorrectly written . I just said that I found scandealous that the OFFICIAL MICROSOFT PRESS recommands to install it; not the same... (if I hadn't seen this article in this mag, I wouldn't never have heard about this messenger add-on).It's very unfair about their readers. Especially as they usually give good advices about security/spyware preventing.. .

Even if I found the Windows messenger more potentially "secure" than the MSN version, I will reinstall MSN messenger, as it's more functionnal , but with the MSN page disablead (otherwise, there a a lot of services coming with, I'm quite suspicious about this), and PROTECTED IN PROCESS GUARD... . It should be bullet-proof, this way, ha-ha .

Cheers

 

Re: How to remove Messenger Plus

Oh, and by the way, I didn't say it before, because I though that a Hotbar was still installed, but the "thing" I had (I don't know what it was...) did run only one time, the first time I used my messenger after my stupid messenger plus "installation" (with ", because I repeat, at the beginning of this installation, I aborted, pressing "cancel installation", after reading the funny-Licence of Messenger plus... ). Windows messenger was open, and a IE-page redirection tryed to work, I saw Doubleclick cookies blocked by the firewall; later, the firewall didn't block cookies and ads anymore, although the blocking cookies, and ads, functions wer shown as "active". I think I just made a cleaning of IE cache, temporary IE files, and swap, prefetch, and all forms of temporary files ( all of this with Ace Utilities), and the problem disappeared by itself... . Maybe it was a start-page Hijack, of something of this kind, attempt, but it didn't work?

Whatever, all is OK, now

Bye, and Cheers

 

Hi Nicolas

why don't you "forget" IE and download Firefox?? I bet you will like it

Here is the link:

http://www.mozilla.org/products/fir...firefox/releases/0.9.2/FirefoxSetup-0.9.2.exe

Have a great weekend and Happy Safe Surfing !

 

Hi, Marianna! Thanks, but I'm fine with IE... . I think the most "secure" Internet navigator would be the one coming with the Flowprotector anti-spyware soft. I didn't try this, but it replaces IE when you use it, as a "demilitarized area". Did you hear about this?
(by the way, I guess it's not the place to ask it, but how can we become a "spyware fighter? does it need programming competences?)
Cheers