Help Please!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by dougwpg, Feb 24, 2005.

  1. dougwpg

    dougwpg Private E-2

    I am not very schooled on my PC, but I have a toolbar program I cannot get rid of: lop.com/newpass2
    I know I probably have a lot of junk on this PC, so I am in desperate need of some help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. dougwpg

    dougwpg Private E-2

    Hi there, thanks for your help, but I am still having the same problem. I ran all the Basic Spyware, Trojan and Virus Removal steps as per the instructions, although I could not run in safe mode; I could not get an internet connection in safe mode for the virus scans. But after I ran all the programs, the next time I logged on to the internet this stupid lop.com/newpass2 toolbar appeared again. What can I do next???
     
    Last edited by a moderator: Feb 25, 2005
  4. shewolf

    shewolf Specialist

    Follow the instructions in the 2nd half of chaslang's post: follow the tutorial on how to properly download HijackThis and how to run HijackThis and attach a log. Then run HijackThis and attach your HijackThis log.

    As for not being able to do safe mode, did you select just safe mode or safe mode with networking? Just safe mode will not allow internet access, which is why the instructions tell you to choose safe mode with networking. Just wanted to clarify that for you.

    After you attach your hijackthis log please be patient and chaslang or someone else will get back with you as soon as possible. As you can see there are many posts with the need for help or with questions and a limited number of people able to help them. Welcome to MG :)

    sw:)
     
  5. dougwpg

    dougwpg Private E-2

    Thanks SW,
    I did try to run safe mode with networking but for some reason my DSL would not open up so I could log on.

    I will run HijackThis, but where do I send my info? Do I post it online or e-mail chaslang directly?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Follow the directions in my post and attach it to your message in this thread.

    Did you run the online scans?
     
  7. dougwpg

    dougwpg Private E-2

    Yes I did run online scans, here is my log.

    Thanks Again
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you buy SpywareKiller? If not it may not be of much use to you.


    Do you know what this Backup4all item is? It seems suspicious to me.
    C:\Program Files\Backup4all\B4AOTB.exe
    O4 - HKCU\..\Run: [Backup4all OTB Agent] C:\Program Files\Backup4all\B4AOTB.exe

    You should look in Add/Remove programs for any of the following and uninstall if found:
    Gator
    Gain or Gain Bundle
    Cosmi or HelpExpress
    MyWay or MySearch


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {018629B6-E3CD-1F9F-732A-5A7FE7567F53} - (no file)
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)
    O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL (file missing)
    O2 - BHO: (no name) - {3A045F25-47A6-62EF-DA8E-AB72B750D49A} - C:\DOCUME~1\DOUGMC~1\APPLIC~1\MEDIAC~1\plus iso.exe
    O2 - BHO: (no name) - {61C7AA83-DA78-66B7-8CB7-B09473854C56} - C:\DOCUME~1\DOUGMC~1\APPLIC~1\MEDIAC~1\plus iso.exe
    O2 - BHO: CSObj Class - {CD209A08-98B5-4669-AF9F-447AC5253356} - C:\WINDOWS\System32\CSapp.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
    O9 - Extra button: Shaw Help - {5842C81B-353B-4DF0-8FEF-6C4FB4F4C75F} - http://support.shaw.home.com (file missing) (HKCU)
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c3.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10e1d485f8899d9d4e06/netzip/RdxIE601.cab


    And if you do not recognize the items below, fix them too:
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://205.200.6.78/activex/AxisCamControl.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\DOUGMC~1\APPLIC~1\MEDIAC~1 <--- the whole folder (this is a shortened file name, you have to determine the real full path)
    C:\WINDOWS\System32\CSapp.dll
    C:\Program Files\Cosmi <--- the whole folder


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
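    As an added example, not from this thread or from HijackThis itself, a small Python triage helper that applies the same tells chaslang relies on in the post above: entries whose file is missing, code living under the user's Application Data folder (the 8.3 `APPLIC~1` form), and O16 ActiveX entries with no download URL or served from a bare IP address. The sample lines are constructed from entries quoted in this thread; the heuristics are a first pass for a reviewer, not a verdict.

```python
import re
from ipaddress import ip_address

# Constructed sample log excerpt, built from entries of the kind quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: (no name) - {3A045F25-47A6-62EF-DA8E-AB72B750D49A} - C:\DOCUME~1\DOUGMC~1\APPLIC~1\MEDIAC~1\plus iso.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10e1d485f8899d9d4e06/netzip/RdxIE601.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s-\s(.*)$")        # "O2 - BHO: ..." / "R0 - HKCU\..."
SHORT83_RE = re.compile(r"\\APPLIC~\d\\", re.IGNORECASE)  # 8.3 form of "\Application Data\"

ORPHANED = "orphaned: registered component no longer on disk"
USER_DATA = "code loaded from the user's Application Data folder"
NO_URL = "ActiveX entry with no download URL"
BARE_IP = "ActiveX control served from a bare IP address"

def host_is_bare_ip(url):
    # Take the host part of the URL and see whether it parses as an IP address.
    host = url.split("//", 1)[-1].split("/", 1)[0]
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage_line(line):
    # Return the reasons an HJT log line deserves a second look (empty list = nothing flagged).
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append(ORPHANED)
    if SHORT83_RE.search(body):
        reasons.append(USER_DATA)
    if kind == "O16":
        # O16 lines end with " - <url>"; a trailing bare "-" means the URL is absent.
        url = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
        if not url:
            reasons.append(NO_URL)
        elif host_is_bare_ip(url):
            reasons.append(BARE_IP)
    return reasons

def triage_log(text):
    # Map each flagged line to its reasons; clean-looking lines are left out.
    return {l.strip(): triage_line(l) for l in text.splitlines() if triage_line(l)}
```

Run `triage_log(SAMPLE_LOG)` to see which of the sample entries are flagged and why; entries such as the Sibelius plugin pass through unflagged, which is the point of keeping the list short.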
     
  9. dougwpg

    dougwpg Private E-2

    Thanks so much for your help, so far so good. I did everything you've instructed, although in safe mode I could not access C:\Documents and Settings\DougMc etc.

    But I was able to fix it using HijackThis,

    I am posting my most recent log

    Thanks Again

    Doug
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! If you cannot access the folder in safe mode, try doing it in normal boot mode. It is surprising that you cannot access it in safe mode.
     
  11. dougwpg

    dougwpg Private E-2

    BAD NEWS, I logged on and opened my browser and the stupid lop.com/newpass2 search bar came up again, what can I do next???
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post a current HJT log from normal mode and let's go from there; Chaslang will check it when time permits. Attach the log as an attachment to your post. Be sure you're using HJT 1.99.1.
     
  13. dougwpg

    dougwpg Private E-2

    I am getting pretty frustrated with this lop.com/newpass2 toolbar.

    I thought we had it fixed,

    Here is my latest log
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit all browsers before running HijackThis. You had this running.

    C:\Program Files\Internet Explorer\iexplore.exe

    Having IE running can make it difficult to repair problems. That is why we ask that all browsers be shut down before using HJT. Did you shut it down last time?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running IE and click on Tools and select Manage Add-ons
    See if you find it listed in there. If so, delete it.

    At any point did you have Messenger Plus installed on this PC?


    Is the below your expected Start Page? Shouldn't it be ca.yahoo.com ?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/

    Are the below two lines with home.excite.ca something you expect to work? I do not believe it is a valid URL.
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.ca
    O14 - IERESET.INF: START_PAGE_URL=http://home.excite.ca
     
    Last edited: Feb 28, 2005
  16. dougwpg

    dougwpg Private E-2

    Yes, my daughter had Messenger Plus on here at one time

    Also I did have explorer turned off
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean! Explorer cannot be turned off. It is your main startup shell.
    If you were referring to one of my previous messages where I said you had the below running:
    C:\Program Files\Internet Explorer\iexplore.exe

    This is not Explorer. It is Internet Explorer. There is a difference. Your log did show it running, so I would suggest you double check to make sure you closed ALL browsers. Then check your HJT log. If you see iexplore.exe still running, you should tell us. This does happen with various malware infections.

    Please answer my other questions, and did you look at Manage Add-ons?
     
  18. dougwpg

    dougwpg Private E-2

    Sorry, had to go out of town for a few days.

    You're right, I did not have iexplore.exe off when I was running HJT. I did check Manage Add-ons and found nothing, but I did purchase online XoftSpy 4.1 and it seems to have done the job. If it returns I will be back to bother you some more.

    Thanks again for all your help. I will definitely recommend this site to my friends.

    Dougwpg
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
