Need Help with hjt log plz

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by champagne supernova, Oct 10, 2004.

  1. champagne supernova

    champagne supernova Private E-2

    Hi.
    I followed all the steps in the 'read this first' thing and it seemed to work. But since then programs like 'exdl1.exe' and 'bargains.exe' have tried to access the internet. I took a look at Chaslang's guide, but it's too complicated. Rather than screw something up, could someone just tell me what to do? Here's my HJT log:

    Thanks!

    Edit by chaslang: Inline log changed to an attachment.
     

    Attached Files: hjt.txt (8.6 KB)
    Last edited by a moderator: Oct 10, 2004
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Do not post a HijackThis log until we ask you to, and when we do it must be a text document attachment to your message. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    And my Generic Solution thread does not apply to your problems!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First go to Add/Remove Programs and look for an uninstall for WebRebates. If you find one, uninstall it and let me know that you found it and whether it worked. Also, for the SpyDeleter problem, do the below:

    Click Start, Run, and enter into the box the following without the quotes "Notepad"
    Now copy and paste the next 3 lines (including the blank line) into the Notepad window.
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}]


    Now save it as file name: "delspy.reg" (without the quotes).
    Use Save as file type: All files (*.*)
    Save it on your Desktop where it is easy to locate.

    Now on your Desktop double-click on delspy.reg.

    At the prompt "Do you wish to merge the information into the registry?"
    Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. champagne supernova

    champagne supernova Private E-2

    OK, I uninstalled WebRebates all right, and merged the registry entry.
    Also, you said "All running programs should be closed" when running HJT. Does this include ZoneAlarm, Norton, etc.?
     
  6. champagne supernova

    champagne supernova Private E-2

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Leave ZoneAlarm & Norton running unless we request it to be shut down. I think I will update the tutorial to specifically say leave them alone unless asked.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and right click on them and select End process tree:
    SyncroAd.exe
    wship6.exe
    bargains.exe


    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\2_0_1browserhelper2.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\nvms.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\mscb.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\msbe.dll
    then click OK. If a dialog box confirming this action appears, click OK.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: AceGain DLInterceptor - {CA70AF0D-0D07-4b80-9ECE-B0F1BEFC5822} - C:\Program Files\Byteswarm\DLInterceptor.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
    O4 - HKCU\..\Run: [wship6] C:\WINDOWS\System32\wship6.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8953c90b23b7fc1
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.3dgroove.com/download/GrooveAX.cab
    O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.slotchbar.com/ist/softwa.../ist_remove.cab
    O16 - DPF: {FDF6378C-7B5D-4ABF-BA1F-92748305FFAC} (DownloadManagerInstall Control) - http://beta.byteswarm.com/agent/1.3.0.1/DMInstall.cab


    Boot in safe mode and use Windows Explorer to delete:
    C:\WINDOWS\2_0_1browserhelper2.dll
    C:\WINDOWS\System32\nvms.dll
    C:\WINDOWS\System32\mscb.dll
    C:\WINDOWS\System32\msbe.dll
    C:\Program Files\Windows SyncroAd <-- the whole directory
    C:\WINDOWS\System32\wship6.exe
    C:\Program Files\BullsEye Network <-- the whole directory

    Now reboot in normal mode and post another log (attachment please) and tell how things are working.
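Added example, not from the thread or from HijackThis: a small Python parser for HJT log lines of the kinds quoted in the post above (R0/R1, R3, O2, O4, O8, O16). It pulls out the section, name, CLSID and the file or URL each entry points at, and derives the same end-process, regsvr32 /u and del steps the post lists by hand. The sample log is constructed from lines quoted in this thread; the "(no file)"/"(no name)" triage is a heuristic of this example, not a HijackThis rule.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HJT logs quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.3dgroove.com/download/GrooveAX.cab
"""

# Registry-style CLSID, e.g. {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Every HJT line starts with its section code: "O2 - ...", "R1 - ..."
SECTION_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")


@dataclass
class HjtEntry:
    section: str           # "R1", "O2", "O4", ...
    name: str              # BHO name, Run value name, IE setting, ...
    clsid: Optional[str]   # CLSID when the line carries one
    target: str            # file path, URL, or "(no file)"
    raw: str


def parse_line(line: str) -> Optional[HjtEntry]:
    """Split one HJT line into section, name, CLSID and target."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    if section in ("R0", "R1"):
        # "HKCU\...\Internet Explorer,SearchURL = http://..."
        name, _, target = body.partition(" = ")
    elif section == "O4":
        # "HKLM\..\Run: [value name] C:\path\program.exe" (path may be quoted)
        m4 = re.match(r"^(.*?):\s+\[(.*?)\]\s+(.*)$", body)
        if not m4:
            return None
        name, target = m4.group(2), m4.group(3).strip('"')
    else:
        # O2 / O8 / O16 / R3: "<kind>: <name> - {CLSID} - <target>"
        parts = body.split(" - ")
        name = parts[0].split(": ", 1)[-1]
        if section == "O16":
            # O16 puts the name in parentheses after the CLSID: "DPF: {...} (Name)"
            paren = re.search(r"\((.*?)\)", parts[0])
            name = paren.group(1) if paren else "(no name)"
        target = parts[-1]
    return HjtEntry(section, name.strip(), clsid, target.strip(), line)


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def orphaned_or_anonymous(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries HJT shows with "(no file)" register an object that nothing on
    disk backs, and a BHO that declares no name hides what it is; both are
    worth a second look (heuristic of this example, not a HijackThis rule)."""
    return [e for e in entries
            if e.target == "(no file)"
            or (e.section == "O2" and e.name == "(no name)")]


def _quote(path: str) -> str:
    return f'"{path}"' if " " in path else path


def cleanup_plan(entries: List[HjtEntry]) -> List[str]:
    """Derive the manual steps the thread uses, in the order it gives them:
    end the process behind each Run entry, unregister each BHO DLL that is
    still on disk, fix registry-only entries in HJT, then delete the files."""
    end, unregister, fix_only, delete = [], [], [], []
    for e in entries:
        if e.target == "(no file)" or "://" in e.target:
            fix_only.append(f"HJT fix: {e.raw}")          # nothing on disk to remove
        elif e.section == "O2":
            unregister.append(f"regsvr32 /u {_quote(e.target)}")
            delete.append(f"del {_quote(e.target)}")
        elif e.section == "O4":
            end.append(f"end process: {ntpath.basename(e.target)}")
            delete.append(f"del {_quote(e.target)}")
    return end + unregister + fix_only + delete


if __name__ == "__main__":
    for step in cleanup_plan(parse_log(SAMPLE_LOG)):
        print(step)
```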
     
  9. champagne supernova

    champagne supernova Private E-2

    I checked in Task Manager, and bargains.exe is still running. Is that bad?
    Here's my log...
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! You should look for it in Add/Remove Programs and uninstall it. Look for BullsEye Network or Bargains. Also WebRebates is still there. I thought you uninstalled it. Also a couple of O2 BHO DLLs I asked you to fix in HJT and delete the files for are still present. Did you have any problems running my previous steps? You need to provide feedback on steps we ask you to run.

    Kill the bargains.exe process with Task Manager.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O4 - HKLM\..\Run: [Mmgsvc] C:\WINDOWS\mmgsvc.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKCU\..\Run: [Mmgsvc] C:\WINDOWS\mmgsvc.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    Boot in safe mode and delete:
    C:\WINDOWS\System32\mscb.dll
    C:\WINDOWS\System32\msbe.dll
    C:\Program Files\Web_Rebates <---- the whole directory
    C:\Program Files\BullsEye Network <---- the whole directory
    C:\WINDOWS\mmgsvc.exe

    Boot normal mode and provide feedback on these steps. Post a new HJT log.
     
  11. champagne supernova

    champagne supernova Private E-2

    OK... I did delete Web Rebates, and when I tried to find it in Add/Remove Programs it wasn't there (I'm not having any more trouble with that). I deleted the stuff you told me to and bargains.exe isn't running now, though I'll restart and check again. I should have told you that when you told me to delete

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: AceGain DLInterceptor - {CA70AF0D-0D07-4b80-9ECE-B0F1BEFC5822} - C:\Program Files\Byteswarm\DLInterceptor.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
    O4 - HKCU\..\Run: [wship6] C:\WINDOWS\System32\wship6.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8953c90b23b7fc1
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.3dgroove.com/download/GrooveAX.cab
    O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.slotchbar.com/ist/softwa.../ist_remove.cab
    O16 - DPF: {FDF6378C-7B5D-4ABF-BA1F-92748305FFAC} (DownloadManagerInstall Control) - http://beta.byteswarm.com/agent/1.3.0.1/DMInstall.cab
    , I couldn't find some of them.
    Well, all seems fine, and if I don't post, it's because your instructions worked. Thanks a lot! You're sooo smart. :)
     
  12. champagne supernova

    champagne supernova Private E-2

    OMG!
    bargains.exe is still running. I followed all of your instructions. plz help!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please check Add/Remove programs for Bargain Buddy (or anything similar)?

    Please post another HijackThis log. Do not make any changes yourself to anything. Also please leave your PC running until you hear back from me. (You can disconnect from the Internet for safety and shut off your monitor. Just leave the PC on.)
     
    Last edited: Oct 12, 2004
  14. champagne supernova

    champagne supernova Private E-2

    Sorry... I should have told you that I DID find an option to remove Bullseye Network and I removed it, but after a while it came back. I just deleted it again (after ending bargains.exe), and here's my log.
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But did you look for Bargain Buddy?
     
  16. champagne supernova

    champagne supernova Private E-2

    Yes, I checked for it, and something similar, but couldn't find anything.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These lines are still in your log and the files are still on your PC:
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    Go back and look at the steps I asked you to do in messages #8 and #10 and do them again. This time give me some results on what happens.
     
  18. champagne supernova

    champagne supernova Private E-2

    I remember deleting those files. I'm sure of it. I just deleted them again, scanned again, and they got deleted OK. (But I'm sure I deleted them before.)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you also delete the files using Windows Explorer?

    Reboot and see if they appear in a new HJT log?

    Okay, so now where do we stand with Bullseye Network/bargains.exe?
     
  20. champagne supernova

    champagne supernova Private E-2

    Yes, I did everything you said, and now bargains.exe is running, I still have the Bullseye Network folder in Program Files, and these files are still in my HJT log:
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    also,
    C:\WINDOWS\System32\mscb.dll
    C:\WINDOWS\System32\msbe.dll
    C:\Program Files\BullsEye Network <---- the whole directory
    are still there. I'll go back and try it one more time.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's try this again but with a slightly different procedure.

    You will need to print these instructions because after reading this sentence you MUST exit ALL browser sessions and physically disconnect from the internet (that means unplug the ethernet cable from your DSL or Cable modem from your PC. For analog modems, unplug your phone line.) This is done to make sure nothing can get in or out of your PC even though you don't see it happening.

    Okay, exit your browsers (including this one) and unplug your cables NOW! DO NOT OPEN ANY BROWSER WINDOWS AGAIN until told to, and only run what I specify and nothing else.

    Make sure you boot into safe mode!

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\nvms.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\mscb.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\msbe.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Tell me the results of each of those three regsvr32 commands.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it (if found):
    bargains.exe

    Tell me if you found it and were able to end it.

    Use Windows Explorer to delete:
    C:\WINDOWS\System32\nvms.dll
    C:\WINDOWS\System32\mscb.dll
    C:\WINDOWS\System32\msbe.dll
    C:\Program Files\BullsEye Network <-- the whole directory

    Tell me the results of each of those file/directory deletions.

    While in safe mode run HijackThis and select the following lines and then click FIX
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll


    Now reboot in normal mode, reconnect your cables and post another log (attachment please) and tell how things are working. Don't forget to give me all the results that I asked for.
     
  22. champagne supernova

    champagne supernova Private E-2

    I ran all the commands, and they succeeded just fine. Next, I checked for bargains.exe and it wasn't running. All the files you told me to delete in Windows Explorer were all there, and I deleted them all. When I ran HijackThis, I couldn't find any of the things. bargains.exe is still running, though. Here's my log:
     
  23. champagne supernova

    champagne supernova Private E-2

    HERE it is (pushed wrong button, sorry):
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying when you booted in safe mode bargains.exe was not running but when you got back to normal boot mode it was running?

    And now all the files and the directory are back too?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First make sure you're in a state where bargains.exe is running. Then do the following:

    Download ProcessExplorer from: http://www.sysinternals.com/files/procexpnt.zip

    Unzip it and now run ProcessExplorer and let's configure some options first:
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLLs is checked. Now click on bargains.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    Now click on File and then Save As. And save the process list. Post it back here as an attachment. Also, from now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.
     
  26. champagne supernova

    champagne supernova Private E-2

    here it is...
     

  27. champagne supernova

    champagne supernova Private E-2

    Yes. bargains.exe wasn't running in safe mode, but when I booted up normal it was there. Also, I deleted all the files you told me to in safe mode, but now they're back.
    (When I scanned in safe mode with HJT, it couldn't find the lines you told me to fix, but I booted to normal and it detected them.)
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is why we ask for feedback. We always need to know exactly what happens. We cannot see what is happening. This is important information that I did not know.
     
  29. champagne supernova

    champagne supernova Private E-2

    Sorry :( I'll be more detailed from now on.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, this time we are going to start in normal mode! And this has to be run when you see the problem with bargains.exe is showing. This is going to be some repetition from before, but since the problem came back, we have to do it all again but with some additional steps to try to get rid of the pest once and for all (I hope). Make sure you report the results for each step. You need to print or copy this information locally because we are going to end all Internet Explorer sessions and your Explorer shell very soon. When we end the shell your Desktop will be missing all of the icons (don't panic - this is normal behavior). Do not run any programs other than the ones requested. I also suggest you read through all of it first to make sure you understand how to do all these steps. Ask questions before starting!

    1) Physically disconnect your ethernet cable that connects your DSL or Cable modem to your PC. If you have an analog modem (dial-up), disconnect the phone. DO NOT SKIP THIS STEP!!!
    2) Exit ALL Internet Explorer and any other browser sessions NOW!
    3) Click Start, Run, and in the Open box enter "cmd" without the quotes and then click OK or press Enter. This should open up a command prompt window.
    4) In the command prompt window enter the following three commands, each followed by the Enter key. Click OK if a dialog box confirming this action appears.

    regsvr32 /u C:\WINDOWS\System32\nvms.dll
    regsvr32 /u C:\WINDOWS\System32\mscb.dll
    regsvr32 /u C:\WINDOWS\System32\msbe.dll

    Leave the command prompt window open!

    5) Open Task Manager by pressing CTRL-ALT-DEL simultaneously. Click the "Processes" tab, and then find the bargains.exe process and end it. Watch the processes window for a minute and make sure it does not come back. If it does, kill it again and tell me about it, that you had to end it a second time.

    Exit Task Manager.

    6) Run HijackThis and select the following lines and then click FIX
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    Now exit HijackThis.

    7) Now open Task Manager again by pressing CTRL-ALT-DEL simultaneously. Click the "Processes" tab, and then end ALL instances of iexplore.exe and then explorer.exe. After ending any iexplore.exe and explorer.exe processes, double check for bargains.exe again. If found, end it again. (Let me know if you find it running here.)

    At this point you should have noticed that your desktop is gone. No icons etc. DO NOT EXIT TASK MANAGER THIS TIME.

    8) Next, click on the "Applications" tab of Task Manager, select C:\WINDOWS\System32\cmd.exe and click "Switch to".

    9) Now type in the following command lines each followed by the enter key. Make sure you keep track of what happens here we must be sure these files get deleted.

    cd C:\WINDOWS\System32
    attrib -r -h -s nvms.dll
    attrib -r -h -s mscb.dll
    attrib -r -h -s msbe.dll

    del nvms.dll
    del mscb.dll
    del msbe.dll

    cd C:\Program Files\BullsEye Network <-- Make sure your command line prompt shows you that you are in this directory.
    attrib -r -h -s *.*
    dir <-- You should see the bargains.exe file. Make note of what else you see.
    del *.* <-- click yes to confirm the delete of all files
    cd .. <-- this is a cd followed by a space followed by two periods.
    rd C:\Program Files\BullsEye Network\ <-- don't forget the ending \

    Tell me the results of each of those file/directory deletions.

    10) Close the command prompt window (by typing exit or by clicking on the X at the top right) and then switch back to Task Manager again by pressing CTRL+SHIFT+ESC simultaneously until you get back to Task Manager.

    11) In Task Manager click on the "File" menu and choose "New Task"

    12) In the window type explorer and then press "OK" to reopen the Windows shell

    13) Now reboot in normal mode, reconnect your cables and post another log (attachment please) and tell how things are working. Don't forget to give me all the results.
     
  31. champagne supernova

    champagne supernova Private E-2

    OK... this is weird, but I made an amazing discovery!
    1) I unhooked my network cable.
    2) Exited all browser sessions.
    3) Opened command prompt.
    4) Entered the 3 regsvr32 commands without trouble; a window popped up to confirm. (Left command prompt open!)
    5) Opened Task Manager, ended bargains. I waited for a minute to see if it popped up again. It didn't.
    6) I scanned with HJT, but the 3 specified lines were NOT there, so I exited.
    7) Ended explorer.exe using Task Manager (iexplore was not present). bargains.exe was NOT running.
    8) Switched to command prompt.
    9) I ran the specified attrib and del commands on the 3 .dll files. Next, I changed the drive to C:\Windows\bullseye network , and used the attrib command (no alert came up). I used the dir command, but couldn't see bargains.exe*. I did, however, find these:
    ad.dat
    ub.dat
    uninstall.exe
    bin <--- a folder
    * I just checked in Windows Explorer, and 'ad.dat' and uninstall.exe were not there.
    * (Also, bargains.exe is located in the 'bin' folder.)

    I next used the del *.* command, and got no alert.
    Then, I used 'cd ..', and when I tried 'rd C:\program files\bullseye network\',
    I got the following alert:
    could not find file specified
    could not find path specified
    could not find file specified

    10) Closed the command prompt and switched to Task Manager.
    11-12) Started new task entitled 'explorer'.
    13) I rebooted.

    OK.. I scanned with HJT at startup, and the following were detected (though they weren't in step 6 {also bargains.exe wasn't running}).
    Then I had a hunch, and I think this will help out a lot.
    I kept Task Manager open, and opened Windows Explorer. To my amazement, bargains.exe started up. I ended it and tried this again. Same result.
    I tried this with a few other programs, and the only one that made bargains.exe start up was Internet Explorer. Hope it helps.
    Here's my HJT log...
     

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I said you need to have the bargains.exe problem when you start the steps. You are not supposed to end it until I tell you to do that, which is in step 5. Also the files from step 6 should have been there if bargains.exe had been running as I stated.

    Try again following the procedure as written.

    I don't understand something. You said you

    "changed the drive to C:\Windows\bullseye network , and used the attrib command (no alert came up). i used the dir command, but couldn't see bargains.exe*. i did, however, find these:
    ad.dat
    ub.dat "

    Since when is Bullseye Network in the Windows folder? We have only been seeing reports for it in C:\Program Files\Bullseye Network .
    If you see it in C:\Windows we need to remove that folder too. If there is a bin subfolder you will need to cd to it first and del all files in the bin folder. Then cd .. and rd bin. Then cd .. and rd "Bullseye Network" with the quotes
     
  33. champagne supernova

    champagne supernova Private E-2

    I'm sorry. I meant Program Files. Also, I did leave bargains.exe running until step 6.
    Also, I just thought of something you should know. Every time you asked me to run HJT, I had to get to it from Windows Explorer. Sorry I failed to mention that before.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, can you go back and make sure all the files in that Bullseye Network folder get deleted. Also the bin folder too. As I said in my last message:

    If there is a bin subfolder you will need to cd to it first and del all files in the bin folder. Then cd .. and rd bin. Then cd .. and rd "Bullseye Network" with the quotes

    And after step 12, empty the recycle bin and c:\windows\prefetch folder too.
     
  35. champagne supernova

    champagne supernova Private E-2

    OK... I did the commands you told me to and the whole Bullseye folder is gone. I've deleted it prior to this with Windows Explorer (before I asked you for help), and it was gone for a while but it always came back. We'll see what happens.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let me know! Did you empty the recycle bin and windows prefetch?

    Did you double check to make sure the DLL files are still gone?
     
  37. champagne supernova

    champagne supernova Private E-2

    OK... I was going to reply and I wrote a message, but there was something messed up with my comp and I had to shut down. Well, I started it up to post and just guess what's running? bargains.exe is still friggin running and I'm starting to think there's no hope!
    Also, what's Windows prefetch? And I used cmd to delete them, so they never reached the recycle bin.
     
  38. champagne supernova

    champagne supernova Private E-2

    OK... I just found out something useful. I was messing around seeing when bargains.exe would run. I found out that when I open (or switch folders in) Windows Explorer, bargains.exe starts up. (Windows Explorer also takes longer to start up if bargains is not running.) bargains also starts up when I run Internet Explorer, or change websites.
    I tried an experiment. I'll walk you through it. (Keep in mind that throughout this whole procedure, my network cable was unhooked.)

    OK... I'll tell you what I did. I ended bargains.
    1) I used command prompt and deleted the whole Bullseye Network folder according to your directions.
    2) I searched the registry and deleted anything with {bullseye network; bargains; msbe.dll; nvms.dll; mscb.dll} for a value/folder name.
    3) I next searched all files on my computer and deleted all files/folders with the name {bargains; bullseye network}.
    4) I checked all the files\folders, and they seemed to be gone. bargains.exe didn't even start when I ran Windows Explorer.
    5) I restarted my computer and ran Windows Explorer, to see if bargains would be running.
    6) To my dismay, it was running again, and all the files I deleted had appeared again.
    Since my network cable was unplugged through all of this, I'm guessing there's an evil program on my comp that keeps installing it. I hope this info can be of help to you!
    PS: (I even deleted the 3 lines found in the HJT scan immediately before step 1, and they're on my comp again.)
     
  39. Kodo

    Kodo SNATCHSQUATCH

    Chas,
    This is the crap we were talking about the other night.. exes hooking onto the execution of Explorer and IE etc.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It certainly appears that way, Kodo. There seem to be a lot of these appearing lately. What do you think about trying a solution like you gave Kittee?
     
  41. Kodo

    Kodo SNATCHSQUATCH

    I think it would be a good start anyway. I'm running out of ideas here..
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK!

    Champagne, please try the below possible solution Kodo has come up with. However, just prior to doing that you should perform the steps we have been using to get rid of the Bullseye stuff. Just do not reboot or run anything else afterwards. So here is what we are going to do.

    First download Kodo's RESTORE.ZIP . It has an SP1 explorer.exe file within it along with a batch file (a .bat file). Extract the batch file onto the root of C:\ such that its path is C:\restore.bat . Then place Kodo's version of explorer.exe also in the root of C:\ such that its path is C:\explorer.exe

    Now we need to fix the BullsEye stuff again. So what you need to do is go back to message number 30 and run all the steps up to and including 10. Then use these new steps below to finish the procedure:

    11) In Task Manager click on the "File" menu and choose "New Task" and type C:\restore.bat and hit enter.

    12) Now go to file ..new task and type Explorer.exe then press "OK" to reopen the Windows shell

    13) Now reboot in normal mode, reconnect your cables and post another log (attachment please) and tell how things are working. Don't forget to give me all the results.
     
  43. champagne supernova

    champagne supernova Private E-2

    OK... we've run into a thing here. After I used the regsvr32 commands I scanned using HJT, but couldn't find the specified lines. So I rebooted and could see them in HJT.
    I found out that when I use the regsvr32 commands it deletes them.
    I then used the regsvr32 command and then ran HijackThis after every line:

    1) if I regsvr32 nvms.dll then O2 - BHO: NLS UrlCatcher Class is gone.
    2) if I regsvr32 mscb.dll then O2 - BHO: CB UrlCatcher Class is gone.
    3) if I regsvr32 msbe.dll then O2 - BHO: ADP UrlCatcher Class is gone.

    Should I just skip the HJT part of step 5?
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes if they were gone already it is basically not necessary. Also you meant regsvr32 /u filename. Right? regsvr32 filename would register the files.
     
  45. champagne supernova

    champagne supernova Private E-2

    Yes, that's what I meant: regsvr32 /u. I'll try that now and let you know.
     
  46. champagne supernova

    champagne supernova Private E-2

    OK... I just did what you said. Everything went the same way as I said in post #31, except I got the bin folder in Bullseye Network deleted.
    I ran restore.bat and started the new explorer, but after reboot and accessing Internet Explorer, bargains is still running and msbe, nvms, and mscb.dll are there along with the Bullseye Network folder.
     
  47. champagne supernova

    champagne supernova Private E-2

    Hey, I was just wondering: my computer has been running crappy slow at startup and shutdown (like 2 or 3 times slower than usual). Is this one of the effects of having bargains.exe on my computer, or a different issue?
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure! It could be!

    I want to try something that we may have been missing. The last HJT log you posted had this line in it:

    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe

    Please run HijackThis again and do all the fixes how we have been doing them for the BullsEye crap and include the above line to be fixed too.

    Also when you boot to safe mode to delete files locate:
    C:\Program Files\NaviSearch\bin\nls.exe
    and rename it to:
    C:\Program Files\NaviSearch\bin\nls.BADexe

    I don't want to delete it yet. Until we are sure what it is. I think it may be part of the problem.

    Then boot in normal mode and open and close Windows Explorer and Internet Explorer a couple of times. Then post a new HJT log.
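    The O2 (BHO) and O4 (Run key) lines handled across the last few posts follow a fixed layout, and the cleanup is the same two moves each time: unregister the BHO DLL and delete the autostart value. The script below is an added example, not code from this thread or from HijackThis. It parses constructed sample lines (the DLL names and the NaviSearch O4 line match the ones discussed above; the CLSIDs are placeholder values, and the ctfmon.exe line is a benign entry added so the filter has something to leave alone), prints the regsvr32 /u commands, and also writes an equivalent REGEDIT4 file. The registry paths are the standard locations where IE looks up BHOs (HKLM\...\Explorer\Browser Helper Objects\{CLSID}), where the COM class lives (HKCR\CLSID\{CLSID}), and where the Run values sit. One caveat worth knowing when choosing between the two routes: regsvr32 /u works by calling DllUnregisterServer inside the suspect DLL, so it executes the adware's own code; deleting the registry keys directly does not.

```python
import re

# Constructed sample in HijackThis log format (not the poster's actual log).
# DLL names and the O4 NaviSearch line are the ones discussed in the thread;
# the CLSIDs are placeholders; ctfmon.exe is a benign entry for contrast.
SAMPLE_LOG = """\
O2 - BHO: NLS UrlCatcher Class - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\nvms.dll
O2 - BHO: CB UrlCatcher Class - {00000000-0000-0000-0000-000000000002} - C:\\WINDOWS\\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {00000000-0000-0000-0000-000000000003} - C:\\WINDOWS\\msbe.dll
O4 - HKLM\\..\\Run: [NaviSearch] C:\\Program Files\\NaviSearch\\bin\\nls.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Where Internet Explorer enumerates BHOs, and where the COM class itself is registered.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices|RunServicesOnce): "
    r"\[(?P<value>[^\]]+)\] (?P<cmd>.+)$"
)


def parse_hjt(text):
    """Return {'bho': [...], 'run': [...]} from O2 and O4 lines; everything else is ignored."""
    bhos, runs = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O4_RE.match(line)
        if m:
            runs.append(m.groupdict())
    return {"bho": bhos, "run": runs}


def is_suspect(entry, suspects):
    """True if any suspect substring occurs (case-insensitively) in the entry's fields."""
    hay = " ".join(entry.values()).lower()
    return any(s.lower() in hay for s in suspects)


def unregister_commands(bhos, suspects):
    """regsvr32 /u lines for the suspect BHO DLLs. /u invokes DllUnregisterServer
    inside that DLL, i.e. it runs the suspect's own code; removal_reg() does not."""
    return ['regsvr32 /u "%s"' % b["path"] for b in bhos if is_suspect(b, suspects)]


def removal_reg(bhos, runs, suspects):
    """REGEDIT4 text deleting the BHO registration, the COM class key, and the Run value
    for each suspect entry. [-key] deletes a whole key; "name"=- deletes one value."""
    lines = ["REGEDIT4", ""]
    for b in bhos:
        if is_suspect(b, suspects):
            lines += ["[-%s\\%s]" % (BHO_KEY, b["clsid"]), "",
                      "[-%s\\%s]" % (CLSID_KEY, b["clsid"]), ""]
    for r in runs:
        if is_suspect(r, suspects):
            key = "%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\%s" % (HIVES[r["hive"]], r["key"])
            lines += ["[%s]" % key, '"%s"=-' % r["value"], ""]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    suspects = ["nvms.dll", "mscb.dll", "msbe.dll", "NaviSearch"]
    print("\n".join(unregister_commands(parsed["bho"], suspects)))
    print(removal_reg(parsed["bho"], parsed["run"], suspects))
```

    Save the REGEDIT4 output as a .reg file and merge it from safe mode, then delete or rename the DLLs and nls.exe on disk as in the steps above; deleting the files without removing the registration leaves IE trying to load a missing DLL, while removing only the registration leaves the files in place for the next installer to re-register.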
     
  49. champagne supernova

    champagne supernova Private E-2

    OK... did you want me to go back and do one of the things you said plus those instructions? Here's what I did:
    1) deleted the 4 lines using HJT.
    2) rebooted in safe mode and, using Windows Explorer, deleted Bullseye Network and NaviSearch (the 3 .dll files in WINDOWS were not there).
    bargains.exe is still running.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to post a new HJT log. And did you rename the nls.exe file?

    Do not shutdown bargains.exe if you see it running. We need to see it in your log.

    I also want you to bring up Task Manager and look for bargains.exe to be running. If it is not running, keep Task Manager open and open an Internet Explorer session or Windows Explorer session (whatever is necessary to make it appear in Task Manager). Now leave Task Manager running and open up a command prompt window as we have done before.
    Now in Task Manager watch bargains.exe as you end all explorer.exe sessions and iexplore.exe sessions. I want to see if ending any of them causes bargains.exe to stop running. Let me know if ending any of these also ends bargains.exe (also tell me which one).

    If you wound up ending your Windows shell (explorer) above, get it back by switching to Task Manager (press CTRL+SHIFT+ESC simultaneously until you get back to Task Manager). In Task Manager click on the "File" menu and choose "New Task". In the window type explorer and then press "OK" to reopen the Windows shell.

    Then come back and tell me the results.
     
    Last edited: Oct 16, 2004
