Hi, my computer has been infected with the BullsEye Network, CashBack, and NaviSearch programs, and it recently had this nasty coulomb dialer on the computer. I tried every method to get rid of this junk, but it keeps on coming back. Does anybody know how to remove them?

Thanks in advance.


This is my hijack log below:

Logfile of HijackThis v1.99.0
Scan saved at 8:14:17 PM, on 2/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ucla.bak\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96EBAFD0-06C9-4250-AC32-7FAC61B2D435}: Domain = sbcglobal.net
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

All 3 Replies

Hi, first off, this should go in the spyware forums. Second, I believe this line

C:\Documents and Settings\ucla.bak\Desktop\HijackThis.exe

Means you are running it from your desktop. It needs to be in its own folder. Also the log looks a bit short...or is that just my imagination. Make sure you posted the whole thing.

-T

Means you are running it from your desktop. It needs to be in its own folder.

What's wrong with running it from your desktop? Your desktop is a folder! It just means all the backup files will appear on your desktop... if you don't want them... just delete them... there is no problem with HijackThis running from the desktop. It will function just fine...

as for the problem... here is a list of stuff you need to do to remove it.

first... close all open windows
then you need to unregister cfgmgr52.dll so you can remove everything.

start -> run -> cmd.exe
enter in: regsvr32 /u cfgmgr52.dll

then check the following boxes and let HJT do its thing.


O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe

O15 - Trusted IP range: (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip\..\{96EBAFD0-06C9-4250-AC32-7FAC61B2D435}: Domain = sbcglobal.net
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)

edit: make sure you delete cashback.exe, nls, bargains and cfgmgr52.dll
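
A check for the "keeps on coming back" problem in this thread, as an added example that is not part of any poster's reply: save a second HijackThis log after the fix and compare its O4 autostart entries with the first. The `BEFORE` lines are taken from the log above; the `AFTER` scan (including `ExampleNewEntry` and its path) is constructed, and the function names are hypothetical.

```python
import re

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Body of an O4 registry autostart entry: hive, value name in brackets, command.
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")

def parse_entries(log_text):
    """Return the set of (code, body) entries; header and process list are skipped."""
    found = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2)))
    return found

def run_keys(entries):
    """Map (hive, value name) to command line for every O4 Run entry."""
    keys = {}
    for code, body in entries:
        m = RUN.match(body) if code == "O4" else None
        if m:
            keys[(m.group(1), m.group(2))] = m.group(3)
    return keys

def compare_scans(before, after, fixed_names):
    """Return (fixed O4 names still present, O4 names new in the later scan)."""
    b, a = run_keys(parse_entries(before)), run_keys(parse_entries(after))
    still = sorted(name for (_, name) in a if name in fixed_names)
    new = sorted(name for (hive, name) in a if (hive, name) not in b)
    return still, new

BEFORE = r"""O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)"""

# Constructed later scan: two fixed entries are back and one entry is new.
AFTER = r"""O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [ExampleNewEntry] C:\example\placeholder.exe"""

FIXED = {"cfgmgr52", "BullsEye Network", "NaviSearch", "CashBack"}
if __name__ == "__main__":
    print(compare_scans(BEFORE, AFTER, FIXED))
```

An entry that reappears after being fixed means whatever rewrites the Run key is still on the machine, so the files named in the reply have to be deleted as well as unticked.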

Oh, I stand corrected :).
