Nellie 2, or anybody else that can help on adware

  RamUK 19:59 18 Jul 04

You kindly helped me get rid of some adware garbage 2 or 3 weeks ago. It did get rid of the majority but it has left me with a residue. Every time I boot up it still takes me to that page again. This only happens on initial boot up and a click on my home page rectifies things and there's no longer any problems with pop ups or re-routing.

I have checked the start up folder and there's nothing there although there is something called a shopping wizard in my programmes that wasn't there before and will not let me delete it.

Any ideas?

  Fruit Bat /\0/\ 22:20 18 Jul 04

You don't say what the adware is, here is a selection of progs for getting rid of Spy/AD ware

I use three Spywareblaster, Adaware and Spybot S&D that seems to cover most stuff.

Anti Spyware :-
Spywareblaster click here
Adaware click here
Spybot S&D click here
a2 click here
Ccleaner click here
CW Shredder click here
Purity Scan removal click here
Incredifind removal click here

  Nellie2 12:04 19 Jul 04

Hi Ramuk

Could you give me the path for the shopping wizard thing.. you know C:/windows/etc etc.

Also update your version of hijackthis, by clicking on config,misc tools then check for update on line... we are on version 1.98.0 now.

Post a fresh hijack log with the new version, if you have disabled anything using msconfig, including the shopping wizard, could you re-enable them for now.. reboot and then run hijackthis for the log... thanks :)

  RamUK 20:44 19 Jul 04

Nellie, when I download the newer version of HJT (I am on 1.97.7) it keeps telling me after the download that the zip file is corrupted. I've now done this 3 times without any luck.

As for the Shopping Wizard, I can't find the file path whatsoever. I've done several manual and automatic searches but it appears to be nowhere except in my add/remove list. Even in there, there is little info regarding file size etc.

Should I run hjt anyway?


  Nellie2 23:10 19 Jul 04

Here is an exe download for you... saves unzipping it :) click here

  Nellie2 23:11 19 Jul 04

ps... if shopping wizard is in add/remove, have a go at uninstalling it

  RamUK 22:37 20 Jul 04

The version that links to Nellie just appears to download the version that I already have, i.e. 1.97.7. I've run a hjt log, see results below if that helps.

BTW, the shopping wizard can not be installed through add/remove I just get the message saying unable to open url.

Logfile of HijackThis v1.97.7
Scan saved at 10:31:49 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Popup killer for IE\PUKctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

  RamUK 22:38 20 Jul 04

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by BT Openworld
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = click here
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E600446-2123-4CC9-A69D-7EEC55AB9956} - C:\Program Files\Popup killer for IE\PUK.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: Internet Explorer.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

  RamUK 22:38 20 Jul 04

START_PAGE_URL=click here
O16 - DPF: ChatSpace Full Java Client - click here
O16 - DPF: Yahoo! Chat - click here
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - click here
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - click here
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - click here
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - click here
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - click here
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - click here
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - click here
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - click here
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{09A1D5B9-7F3B-490A-A400-DA166DC481DE}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{09A1D5B9-7F3B-490A-A400-DA166DC481DE}: NameServer =

  woodchip 22:42 20 Jul 04

It's in the Registry. Try this. Where the XXXXX is, you need to insert the name of the program.

To remove, follow these steps closely: go to start\find\files or folders, type XXXXX in the box, click the enter key and delete all the entries it finds with XXXXX in them. Next go to start, run, type regedit and press enter. Go to the menu, under edit click find, type XXXXX in the box and press enter. It will bring up only one entry at a time; press the delete key then click ok to confirm. To go to the next entry press F3 and delete. Do this until you get to the end of the registry. DO NOT TOUCH ANYTHING ELSE IN THE REGISTRY other than XXXXX, then reboot your computer.

  Nellie2 23:02 20 Jul 04

It isn't showing up in your hijack log, you can download the newer version from click here. Could you post a hijackthis start up log?... unless you want to follow woodchip's advice... but make sure you back up your registry first

This thread is now locked and can not be replied to.
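
As an added example (not part of the thread and not HijackThis's own code): a short Python parser for the log format posted above that groups entries by section code and lists the O4 startup entries whose target is not an absolute path, which are the ones a reviewer would check by hand first. The function names and the four category labels are assumptions made for this illustration; the sample lines are copied from the log in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r'''Logfile of HijackThis v1.97.7
Running processes:
C:\Program Files\Internet Explorer\iexplore.exe
O2 - BHO: (no name) - {7E600446-2123-4CC9-A69D-7EEC55AB9956} - C:\Program Files\Popup killer for IE\PUK.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: Internet Explorer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{09A1D5B9-7F3B-490A-A400-DA166DC481DE}: NameServer =
'''

ENTRY = re.compile(r'^([A-Z]\d{1,2}) - (.*)$')             # "O4 - ...", "R0 - ..."
RUN = re.compile(r'^(HK\w+\\\.\.\\\w+): \[(.*?)\] (.*)$')   # registry Run value
LNK = re.compile(r'^((?:Global )?Startup): (.+?) = (.*)$')  # Startup-folder shortcut

def parse(log):
    """Group entries by section code; header and process lines are skipped."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return groups

def classify_target(target):
    """Say how a startup command locates its executable."""
    t = target.strip().strip('"')
    if t in ('', '?'):
        return 'unresolved'        # target shown as "?" (or empty) in the log
    if re.match(r'^[A-Za-z]:\\', t):
        return 'absolute'
    if t.startswith('\\'):
        return 'no-drive'          # path without a drive letter
    return 'bare-name'             # located through the search path

def startup_review(log):
    """Return (source, name, target, kind) for O4 entries lacking an absolute path."""
    rows = []
    for body in parse(log).get('O4', []):
        m = RUN.match(body) or LNK.match(body)
        if m and classify_target(m.group(3)) != 'absolute':
            rows.append(m.groups() + (classify_target(m.group(3)),))
    return rows

if __name__ == '__main__':
    for row in startup_review(SAMPLE_LOG):
        print(row)
```

A category here only describes how the path is written; it says nothing about whether the program is wanted, so each listed entry still needs to be looked up before it is disabled.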
