[solved] How to remove Messenger Plus ???

Discussion in 'adware, spyware & hijack cleaning' started by nicM, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi, I've stupidly begun to install the Messenger Plus add-on, which IS spyware. I noticed it while reading the Licence during the installation, and decided to abort... but this crap nevertheless had enough time to activate some of its functions, even if the main program is NOT installed :mad: . I've noticed strange behaviour from my firewall (some of its functions, such as blocking cookies and ads, were temporarily disabled, but the firewall, NIS, didn't notice it, as these two functions were shown as "active"...). :(

    So, I made scans with Ad-Aware, Spybot, A-squared, and even TDS 3, but none of them found anything. Only an on-line scan on Checkflow allowed me to find a few entries in the registry.

    For example, this spyware activates some JavaScript, which we can see in the Temporary Internet Files, on each page visited... :mad:

    So, if someone knows HOW TO REMOVE IT DEFINITIVELY, it would be great....

    PS: I can send a HijackThis log if needed..

    Cheers :rolleyes:
     
    Last edited: Jul 19, 2004
  2. nicM


    Still me. Note: the other procedures I found on forums can't work, because I DIDN'T INSTALL MESSENGER PLUS, so I don't have any "uninstall" option...
    The spyware I've got installed itself because I began to install it, before reading the Licence...

    So, PLEASE, HELP !!!! :'( ; I'm hesitating to format and reinstall my hard drive, right now...)
     
  3. nicM


    OK, here are a HijackThis log and a screen capture showing one of these tiny JavaScript files which load when opening a page on the Internet (in yellow, "WH.js"; the name changes permanently...).

    ________
    attached hijackthis log posted for ease of use - snap


    Logfile of HijackThis v1.98.0
    Scan saved at 21:07:12, on 19/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
    C:\Program Files\ProcessGuard Free\dcsuserprot.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Wanadoo\CnxMon.exe
    C:\PROGRA~1\MESSAG~1\StartMessager.exe
    C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
    C:\Program Files\ProcessGuard Free\procguard.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\flowprotector\flowprotector.exe
    C:\Documents and Settings\nicolas le mineur\Mes documents\jeanyves.lemineur\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.fr/go/page_recherche/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
    O4 - HKLM\..\Run: [MessagerStarter Wanadoo] C:\PROGRA~1\MESSAG~1\StartMessager.exe Messager Wanadoo
    O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: FlowProtector_Plus.lnk = C:\Program Files\flowprotector\flowprotector.exe
    O4 - Startup: MPXPTray.lnk = C:\Program Files\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
    O4 - Startup: Process Guard Free.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Sites Perso - {06FE5D05-8F11-11d2-804F-00105A133818} - http://compaqnet.ifrance.com/heberg/accueil (file missing)
    O9 - Extra 'Tools' menuitem: Compaq France - {06FE5D05-8F11-11d2-804F-00105A133818} - http://compaqnet.ifrance.com/heberg/accueil (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/9955/20040106/akamai.info.apple.com/iTunes4/WW/win/FU019-0123.20040106.Zxsw3/iTunesSetup.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8EC69950-F299-40AC-A004-3BF5176F8F7B} (FlowScan Control) - http://www.checkspy.com/fr/FlowScan.cab
     


    Last edited by a moderator: Jul 19, 2004
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada

    Nico,

    Messenger PLUS:
    Messenger Plus is an add-on. It is not written by Microsoft. It installs spyware. LOP to be exact. You installed the Sponsor and you have spyware as a result.

    It is still there. You need to uninstall it and then if you still want to use it, then reinstall and choose not to install the Sponsor.

    First uninstall Plus via Add\remove

    And now we have to uninstall the spyware it added.


    Go to Add/remove programs and remove:
    "Window Search" and *Win Tools*
    You will be given a security code to insert, do so
    And reboot when done.

    If not there then use these two uninstallers:

    http://lop.com/new_uninstall.exe
    http://lop.com/toolbar_uninstall.exe

    Download CWShredder from this link:
    http://www.spywareinfoforum.com/downloads/tools/CWShredder.exe
    Run CWShredder.exe and click the Fix button to clean.

    Then reboot and use AdAware as described :
    HERE

    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system .

    Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
    Then browse to the C:\Windows\Temp folder and delete all files in it.
    Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
  5. nicM


    :D Hi, Marianna, thank you VERY MUCH for your help... . You know, I didn't install it, or, moreover, it shouldn't be installed, because I noticed the Licence was, well, let's say, funny (C2lop is among the objects searched for by Spybot, which I already run). When I saw the terms of this licence, I STOPPED the M.plus installation... , but some of its components must be installed already. None of my scanners (Norton, Spybot, Ad-aware, A-squared and TDS-3) found spyware, but a "HOTBAR" is there... . This is the cause of my troubles. I can see it because it sometimes modifies my Norton firewall behaviour, and there are strange JavaScript files in my temporary internet files. So, I hope the C2lop uninstaller you advised me to use will be useful.... :rolleyes: . And I've already made a scan with CWShredder, but nothing appeared.
    I'll try the two C2lop uninstallers, and I'll tell you if it works...

    Thanks again, Cheers, :D
     
  6. Marianna


    Nico,

    after you ran the uninstallers do NOT forget:

    Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
    Then browse to the C:\Windows\Temp folder and delete all files in it.
    Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

    Run HijackThis again when you are done and let's see what's still in there :)
     
  7. nicM


    Hi again, Marianna. I think the removal of this pest would have been easier if I had installed Messenger Plus (completely, I mean)... . I've done all you said, and this crap is still there... :mad: . The on-line Flowprotector scan (www.checkspy.com) finds a "HOTBAR" again, with 3 registry entries... but doesn't show the full path to it (I've cleared one "patchou" entry, it was easy to find). And there are still the JAVASCRIPTS I was talking about before. I've run Ace Utilities too; this program removes all unneeded registry/temp files. But it seems that this "HOTBAR" re-creates them permanently... . So, I'm sending you a HijackThis log, but I think I'll spend my afternoon tomorrow reinstalling everything on my computer... :doubt:

    I'm furious, because I provoked this myself, by downloading this Messenger Plus... AArgh. I'm never annoyed with spyware, usually... . This is humiliating... :blink: .

    If you can advise me something, I would be happy, even if I think this is desperate...

    Thank you again, Cheers
     


  8. nicM


    Oh, and by the way, I've removed MSN Messenger... . I hope it's not important for an eventual cleaning of the Hotbar... o_O
     
  9. Marianna


    Here is your log

    Logfile of HijackThis v1.98.0
    Scan saved at 03:19:15, on 20/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
    C:\Program Files\ProcessGuard Free\dcsuserprot.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Wanadoo\CnxMon.exe
    C:\PROGRA~1\MESSAG~1\StartMessager.exe
    C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Wanadoo\EspaceWanadoo.exe
    C:\Program Files\Wanadoo\ComComp.exe
    C:\Program Files\Wanadoo\Watch.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Fichiers communs\Symantec Shared\NMAIN.EXE
    C:\Documents and Settings\nicolas le mineur\Mes documents\jeanyves.lemineur\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.fr/go/page_recherche/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...rchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
    O4 - HKLM\..\Run: [MessagerStarter Wanadoo] C:\PROGRA~1\MESSAG~1\StartMessager.exe Messager Wanadoo
    O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: FlowProtector_Plus.lnk = C:\Program Files\flowprotector\flowprotector.exe
    O4 - Startup: MPXPTray.lnk = C:\Program Files\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
    O4 - Startup: Process Guard Free.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Sites Perso - {06FE5D05-8F11-11d2-804F-00105A133818} - http://compaqnet.ifrance.com/heberg/accueil (file missing)
    O9 - Extra 'Tools' menuitem: Compaq France - {06FE5D05-8F11-11d2-804F-00105A133818} - http://compaqnet.ifrance.com/heberg/accueil (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/9955/20040106/akamai.info.apple.com/iTunes4/WW/win/FU019-0123.20040106.Zxsw3/iTunesSetup.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8EC69950-F299-40AC-A004-3BF5176F8F7B} (FlowScan Control) - http://www.checkspy.com/fr/FlowScan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{97C64BFD-3129-496A-939A-2F148F7D59A2}: NameServer = 80.10.246.1 80.10.246.132

    Nico,

    I don't "get it" - I can't see the hotbar :mad:
    there is a LOT of stuff from Wanadoo - could it be IN there?

    Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked.
    Make sure all browser and all Windows Explorer windows are closed before fixing

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=040c&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=040c&s=search&ap=b204

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=040c&ac

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com

    Reboot

    Does that help ??

    Is your Ad aware UPDATED?? Care to run it again??

    Pls. let me know how it looks now.
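
An added example, not part of the original thread and not HijackThis's own code: a small Python parser for the log format posted above. It diffs two scans entry by entry and pulls out `O1` Hosts-file lines like the one Marianna asks to fix. The embedded logs are shortened excerpts of the two logs in this thread, and all function names are hypothetical.

```python
"""Parse HijackThis-style logs and diff two scans (added example)."""
import re
from collections import Counter

# An entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] y.exe".
# The log header and the "Running processes" paths do not match this pattern.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# Detail of an O1 entry as it appears in this thread: "Hosts: <ip> <hostname>".
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")

# Constructed samples: shortened excerpts of the two logs posted in this thread.
FIRST_SCAN = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O16 - DPF: {8EC69950-F299-40AC-A004-3BF5176F8F7B} (FlowScan Control) - http://www.checkspy.com/fr/FlowScan.cab
"""

SECOND_SCAN = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {8EC69950-F299-40AC-A004-3BF5176F8F7B} (FlowScan Control) - http://www.checkspy.com/fr/FlowScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97C64BFD-3129-496A-939A-2F148F7D59A2}: NameServer = 80.10.246.1 80.10.246.132
"""


def parse_entries(log_text):
    """Return the R*/O* entries of a log as (section_code, detail) tuples, in order."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def section_counts(entries):
    """Count entries per section code (R0, O1, O4, ...)."""
    return Counter(code for code, _ in entries)


def diff_logs(before_text, after_text):
    """Return (added, removed) entries between two scans, keeping log order."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    before_set, after_set = set(before), set(after)
    added = [entry for entry in after if entry not in before_set]
    removed = [entry for entry in before if entry not in after_set]
    return added, removed


def hosts_redirects(entries):
    """Extract (ip, hostname) pairs from O1 Hosts-file entries."""
    pairs = []
    for code, detail in entries:
        match = HOSTS_RE.match(detail) if code == "O1" else None
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


if __name__ == "__main__":
    added, removed = diff_logs(FIRST_SCAN, SECOND_SCAN)
    for code, detail in added:
        print(f"+ {code} - {detail}")
    for code, detail in removed:
        print(f"- {code} - {detail}")
    for ip, host in hosts_redirects(parse_entries(SECOND_SCAN)):
        print(f"hosts file maps {host} to {ip}")
```

A changed value shows up as one removed and one added entry, as with the `Start Page` line whose trailing slash differs between the two scans.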
     
  10. nicM


    Hi, Marianna. OK, I've done everything.... with no results :mad: :mad: :mad: ...
    What the f..k is that "hotbar"? I still have this running, as I've just made another Checkspy scan... see, I attached a shot of the first scan result (and one funny thing is that I installed the Flowprotector software, from the same company as Checkspy, but curiously, it doesn't find anything on my computer... strange, no? o_O ). And again, I can see the tiny JavaScript files in IE... . NB: Spybot (1.3, up-to-date) and Ad-aware, idem, didn't find anything...

    This spyware isn't as annoying as some others, which can redirect, prevent some sites from being visited, etc., but I CAN'T remove it... . And I don't want it to stay on my computer... . When I think I was making fun of my friends who were running malware/spyware (although removing most of it for them...).

    It looks like I'm well on the way to doing a reinstall this afternoon... (it's almost 6 o'clock in the morning, here...).

    So thank you so much for your help, :-* , and reply if you have another idea, but it seems pretty hard...

    Cheers, Nicolas
     


  11. Marianna


    Yikes !

    Backup your registry !

    Then hunt for the registry entries you see in the screenprint for HOTBAR and delete them . Good idea??
     
  12. nicM


    Aaahhhh ... You mean that the shot shows the FULL PATH to these registry entries... . Right, I thought it was incomplete :oops: . Thanks for the tips, Marianna, I'll give it a try...
    Cheers :D
     
  13. Marianna


    did it work?
     
  14. nicM


    :doubt: Hi. Eehhh, in fact, I don't know... . I didn't reach the registry entries, because the path is incomplete. But there are two possible explanations... : 1) the rest of the spyware is unremovable... 2) after a full system restore (and a severe headache..), I'm surely worrying because of the possible ZEAL of the Checkspy scanner... :mad: .
    I'm not sure of this (I'll try with another computer), but it seems that this scanner could find a "hotbar" on EACH computer it scans... . And this is most likely the real cause of my worries.... : I'm very sorry, if it's the case, for disturbing you with my problems... :oops: . I'm quite sure that the supposed hotbar entries are just the links that all IE toolbars have... (hotmail, etc... depending on the computer's manufacturer). I'll verify this tomorrow, on another computer.
    And if I'm wrong, the solution should be to reinstall but with a hard drive format before (I didn't format, because the reinstall is supposed to overwrite everything, isn't it?). :rolleyes: . And I'll do some research to see what people say about the Checkspy on-line scanner... (I think it's something like: "wow, your computer is devastated by spyware, buy our software"...)

    So, that's it; thank you so much again for your help, and I'll let you know if I can be sure of the zeal of Checkspy, which would prove that I'm not running parts of a "real" Hotbar...

    Cheers ;)
     
  15. Marianna

  16. nicM


    :cool: Hi, Marianna. That's it... the address is www.checkspy.com , it's the on-line scanner from Checkflow flowprotector, a powerful anti-spyware program. By the way, if you want to have fun, try this on-line scanner, I'm ready to bet that it'll find a "Hotbar" on your computer too... :D . I made the test with other computers, including one that's just used to make intranet medical remote transmissions, and ALL have a so-called Hotbar, so... :cool: .
    I just made a full reinstall for... nothing, I guess. I'm now sure that you didn't see the Hotbar on my HijackThis logs BECAUSE IT WASN'T IN THE PLACE... Sorry again (and many thanks again) for your efforts :oops: :)

    Cheers,
    Nicolas ;)
     
  17. Marianna


    Hi Nicolas

    don't be sorry and "keep smiling" . right, I did NOT see the HOTBAR - ONLY you saw it :D

    Well, now you know FOR SURE your computer is CLEAN :) thanks for your feedback !

    Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.

    Have a great summer and Happy Safe Computing !
     
  18. nicM


    :) Hi, me again. The site you talked about in your last thread is for sure instructive..., and maybe I'll have a look at BHODemon, that seems interesting. However, and even if I was taken for an idiot in trying Messenger Plus (it will be a long time before I do this kind of thing again...), I'm quite safe when on the net :cool: : all my software is ALWAYS up-to-date (it takes time...), and all forms of ActiveX controls, Java applets, etc., are blocked by the firewall; it is set to the maximum security level available. And I'll add full Process Guard (actually waiting for the licence), and TDS, soon. So... :cool: . There are always guys who manage to defeat this kind of protection, but as I said, I'm never annoyed with spyware, currently. :rolleyes: .
    So, thanks again
    Cheers :D
    PS: and have nice holidays too ;)
     
  19. Marianna


    Hi Nico,

    glad to see you still have some humor left :D

    right - have a look at BHODemon !

    I also have TDS3 running - look IN the TDS 3 forum here at Wilders - FanJ has made screenshots HOW to configure it.

    Surf Safe and use "common sense" :D
     
  20. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Re: How to remove Messenger Plus o_O

    Humm, I usually use paranoiac sense.. :rolleyes: . Oh, by the way, you won't believe it, but the reason I decided to install messenger plus is that it was promising great functions... and I've seen this in... "WindowsXP magazine", the OFFICIAL (!) press of Microsoft, here, in France... :eek: . Funny, isn't it?
    So, they advised, in their last month's magazine, all their readers to add this "marvelous add-on" to their Windows/MSN messengers... :mad: . (I've sent them a mail where I courteously make fun of them...). I imagine the unhappy readers who don't know about spyware/malware, and who will install it cheerfully... . But I (almost) forgive them, as the same page of the magazine is the place where I heard about wilderssecurity forum for the first time... Thanks to them :) .

    Cheers ;)
    Nicolas
     
  21. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: How to remove Messenger Plus o_O

    Hi Nicholas

    Did you install MESSENGER PLUS WITH ALL the "stuff"?

    If you want to use it, reinstall and do not choose the extras or to install the Sponsor. Their Sponsor installs Spyware. :D

    This ONLY FYI :eek:
     
  22. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Re: How to remove Messenger Plus o_O

    Hi, Marianna. Ho-Hooo, you know, I don't want to hear about this messenger plus anymore, never... . Maybe my previous message was incorrectly written :rolleyes: . I just said that I found it scandalous that the OFFICIAL MICROSOFT PRESS recommends installing it; not the same... (if I hadn't seen this article in this mag, I would never have heard about this messenger add-on). It's very unfair to their readers. Especially as they usually give good advice about security/spyware preventing.. .

    Even if I found the Windows messenger more potentially "secure" than the MSN version, I will reinstall MSN messenger, as it's more functional, but with the MSN page disabled (otherwise, there are a lot of services coming with it, I'm quite suspicious about this), and PROTECTED IN PROCESS GUARD... :cool: . It should be bullet-proof, this way, ha-ha :D .

    Cheers :-*
     
  23. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Re: How to remove Messenger Plus o_O

    Oh, and by the way, I didn't say it before, because I thought that a Hotbar was still installed, but the "thing" I had (I don't know what it was...) did run only one time, the first time I used my messenger after my stupid messenger plus "installation" (with ", because I repeat, at the beginning of this installation, I aborted, pressing "cancel installation", after reading the funny-Licence of Messenger plus... :cool: ). Windows messenger was open, and an IE-page redirection tried to work, I saw Doubleclick cookies blocked by the firewall; later, the firewall didn't block cookies and ads anymore, although the blocking cookies, and ads, functions were shown as "active". I think I just made a cleaning of IE cache, temporary IE files, and swap, prefetch, and all forms of temporary files (all of this with Ace Utilities), and the problem disappeared by itself... o_O . Maybe it was a start-page Hijack attempt, or something of this kind, but it didn't work?

    Whatever, all is OK, now :D

    Bye, and Cheers ;)
     
  24. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  25. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    :D Hi, Marianna! Thanks, but I'm fine with IE... . I think the most "secure" Internet navigator would be the one coming with the Flowprotector anti-spyware soft. I didn't try this, but it replaces IE when you use it, as a "demilitarized area". Did you hear about this? :D
    (By the way, I guess it's not the place to ask it, but how can we become a "spyware fighter"? Does it need programming competences?)
    Cheers :D
     