Cashback, Bargin, NaviSearch
   

Mania
New Member


Date Joined Oct 2004
Total Posts : 8
 
   Posted 10-12-2004 12:51 (GMT +1)
I've become increasingly frustrated with these three programs/spyware apps, or whatever the hell they are... I have constantly removed them using HijackThis, Ad-Aware and Spybot, then going into my reg. edit. and removing the suspicious files manually... I also remove all program files and the like too... And every time I restart my comp and open up Explorer the lil damn dog pops up in my tray... I'm lost now, anyone out there with any ideas....

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13599
 
   Posted 10-12-2004 5:50 (GMT +1)
Hey Mania
Post a HijackThis log file in this thread ;-)


Touch
 
Proud member of:
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS


Mania
New Member


Date Joined Oct 2004
Total Posts : 8
 
   Posted 10-12-2004 5:48 (GMT +1)
Logfile of HijackThis v1.97.7
Scan saved at 12:47:15 PM, on 10/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aaron Mania\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\system32\searchsetter[1].exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
 
 
 
My HJT log as of Oct. 12, 2004 12:47 EST.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13599
 
   Posted 10-12-2004 6:08 (GMT +1)
Download this scanner: http://www.mwti.net/antivirus/free_utilities.asp
Use link no. 7, activate all in settings, run it.
 
Scan with HijackThis, close all other windows, put a checkmark next to these, and fix:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\system32\searchsetter[1].exe
 
Boot to safe mode – F8

Find and delete these files:

C:\WINDOWS\system32\nvms.dll
C:\WINDOWS\system32\mscb.dll
C:\WINDOWS\system32\msbe.dll
C:\WINDOWS\system32\searchsetter[1].exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\BullsEye Network\bin\bargains.exe

 
Reboot, and tell me how things go


Touch
 
Proud member of:
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS


Mania
New Member


Date Joined Oct 2004
Total Posts : 8
 
   Posted 10-13-2004 12:45 (GMT +1)
Well, I've followed all of your steps and yet I still see that damn little dog in the lower hand corner.... I still have bargains.exe, cashback.exe, and nls.exe (NaviSearch) in my task manager. I downloaded the scanner and scanned my whole laptop... 80615 Total files, 6 Viruses, 2 Files Deleted, 4 Files Renamed, and 4 errors, Time 2:01:28... When I rebooted in safe mode I found and deleted all files except C:\WINDOWS\system32\searchsetter[1].exe. Do I need to just delete the .exe files or the whole folder? Does it matter?.... Sorry for all of this constant nagging, but I've tried everything imaginable and I am nit getting a little paranoid about that little dog.... Thanks Touch for all you have done so far and I hope you will continue to help...
 
 
BTW: What can I do with the backups and logs on my comp left from the scanner and HJT...








The One The Only,
 
  Maniac

Post Edited (Mania) : 10/12/2004 11:52:07 PM GMT


Mania
New Member


Date Joined Oct 2004
Total Posts : 8
 
   Posted 10-14-2004 1:07 (GMT +1)
Anyone with any new suggestions, since the last comments did not work? Thanks again...


The One The Only,
 
  Maniac


Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13599
 
   Posted 10-14-2004 2:07 (GMT +1)
"What can I do with"...delete them ;-)
 
Right-click on, in Task Manager:
nls.exe
cashback.exe
bargains.exe
And end process
 
See if you can delete them now, from Safe Mode?
 
And run these:
Download newest Spybot Search and Destroy here : http://www.safer-networking.org/index.php?page=mirrors if it is not already installed on your computer
Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the Immunize "Scan System" button. When the Check is over, fix all marked with red
 
We need to configure Ad-aware SE for a full scan. Some of the options should be enabled by default, while others you will need to set yourself (see below).
Click on the Gear icon (second from the left) to access the preferences/settings window
In the General window make sure the following are selected:
 Automatically save logfile
 Automatically quarantine objects prior to removal
 Safe Mode (always request confirmation)
Click on the Scanning button on the left and select :
 Scan within archives
 Scan active processes
 Scan registry
 Deep-scan registry
 Scan my IE Favorites for banned URLs
 Scan my Hosts file
Under Select drives & folders to scan, choose:
 Select all of your hard drives that are not selected already
Click on the Advanced button on the left and select:
 Include additional object information
Include negligible objects information
Include environment information
Click the Tweak button and select:
Under the Scanning Engine:
Unload recognized processes & modules during scan
Under the Cleaning Engine:
Let Windows remove files in use at next reboot
Click on Proceed to save the settings.
Click Start and on the next screen choose:
 Use custom scanning options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
Save the log file when it asks and then click Finish.
When finished, mark everything for removal and get rid of it. (Right-click on any of the entries and choose Select All from the drop down menu and click Next).
Plug-Ins for Ad-Aware (VX2 Cleaner)
Download the free VX2 Cleaner here :  http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml

Close Ad-Aware SE build 1.04 and Ad-Watch (if running)
Install the VX2 Cleaner
Start Ad-Aware SE build 1.04
Go to “Plug-ins”
Select the VX2 Cleaner plug-in and click “Run Plugin”
If your computer isn’t infected, click “Close”.

If your computer is infected:

Select “Clean System”
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer



Touch

 


Mania
New Member


Date Joined Oct 2004
Total Posts : 8
 
   Posted 10-14-2004 8:53 (GMT +1)
Ok, Touch, I've followed all of your instructions step for step, I even printed out your instructions and read them and checked them off that way.. And yet it still does not work, every time I re-open IE, even if I manually end the processes in my task manager, I still get the cashback dog in the icon tray and then the processes show up in my task manager again. Any other ideas... Touch, thank you soo much for all of your help so far...
Mania


The One The Only,
 
  Maniac


Bloody Tinfoil
New Member


Date Joined Oct 2004
Total Posts : 4
 
   Posted 10-18-2004 3:59 (GMT +1)
I too am having this problem, I have posted my HijackThis log file in my own thread elsewhere. Help would be greatly appreciated!
 

Bloody Tinfoil
New Member


Date Joined Oct 2004
Total Posts : 4
 
   Posted 10-18-2004 5:10 (GMT +1)
Well I just figured it all out!!

Basically this is what you do,

First off, start your computer in safe mode.

Go to Control Panel-> Administrative Tools -> Services.

In the list that comes up there will be an entry called ISEXEng. Go into its properties and disable it. You can also see that it is trying to start a program called angelex.exe. Go into your default hard drive -> windows -> system32 and delete angelex.exe.

Now clean your machine using everything you've got. I used Ad-Aware's latest Ad-Aware SE Personal edition and the latest possible Spybot. After cleaning the computer with everything you can throw at it, restart and it shouldn't be there anymore.

I hope this helps people out. I'm going to go post this on other forums and posts that have the same complaint as this, as it seems to be very widespread. I've been to about 20 forums now and only one had this answer. It was msmont from the Lavasoft support forums who had the answer.

Thank you for all your support and help!
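
The log posted earlier in this thread already hints at why the three programs kept coming back: nls.exe, cashback.exe and bargains.exe are running but have no O4 Run entry, so something the log does not list as a Run key (here it turned out to be the ISEXEng service) is starting them. The Python below is an added example, not part of any post in this thread; the function names are hypothetical and the sample is a shortened excerpt of the posted log.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the HijackThis log posted earlier in this thread (lines copied
# verbatim, list shortened so the example stays readable).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\system32\searchsetter[1].exe
"""

# Every result line starts with a section code such as "R0 - " or "O4 - ".
SECTION = re.compile(r"^(?:[RFN]\d|O\d+) - ")
# O4 registry autostart line: hive, key name (Run, RunOnce, ...), value name, command.
RUN_ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# First executable in a command line, quoted or not, with or without arguments.
EXE = re.compile(r'^"?(.+?\.exe)\b', re.I)


def parse_hjt(log):
    """Return (running process paths, {exe basename: Run value name})."""
    running, run_targets, in_procs = [], {}, False
    for line in (raw.strip() for raw in log.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif SECTION.match(line):
            in_procs = False  # the process list ends at the first result line
            entry = RUN_ENTRY.match(line)
            exe = EXE.match(entry.group(4)) if entry else None
            if exe:
                name = PureWindowsPath(exe.group(1)).name.lower()
                run_targets[name] = entry.group(3)
        elif in_procs and line:
            running.append(line)
    return running, run_targets


def running_without_run_entry(log):
    """Running processes that no O4 Run key in the same log accounts for."""
    running, run_targets = parse_hjt(log)
    return [p for p in running
            if PureWindowsPath(p).name.lower() not in run_targets]


if __name__ == "__main__":
    for path in running_without_run_entry(SAMPLE_LOG):
        print(path)
```

Legitimate services and the Explorer shell also show up in this list, so it is a triage list to check against Services and other launch points, not a verdict.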

Mania
New Member


Date Joined Oct 2004
Total Posts : 8
 
   Posted 10-20-2004 1:34 (GMT +1)
Can anyone else verify this?


The One The Only,
 
  Maniac


Mania
New Member


Date Joined Oct 2004
Total Posts : 8
 
   Posted 10-20-2004 5:56 (GMT +1)
Well, forget that last reply, it works for me. Thank you soo much, TOUCH, thank you sooo much for all you have suggested. Bloody, thanks for your suggestion, it worked and my comp is running nice, thank you all soo much


The One The Only,
 
  Maniac


Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13599
 
   Posted 10-21-2004 5:53 (GMT +1)
My pleasure
For safer surfing:
 
And please read this



Touch