Golden Retriever Cash Back… what is this? PLEASE HELP!

azzzul New
edited February 2005 in Spyware & Virus Removal
Hi again short media team :)

You have helped me clean my PC and I thank you so very much for that!

But then another thing came up… I posted my question in my old thread but I think it is getting forgotten so – sorry :( – but I MUST start a new one.

Please DELETE or CLOSE the other thread started by “azzzul” so that it won’t clutter the forum.

I’ll copy/paste what I posted there:

I have been cleaning my PC... uninstalling stuff... and then in the "add remove programs" list I saw "golden retriever cash back" and I don't know what it is but it sure looks suspicious????

I’ve been told by SVT Team that it is spyware and that I should uninstall it but when I tried to uninstall that «golden retriever cash back» through windows add remove programs it popped a small «confirm uninstall» window looking like this...

You are removing the cash back
from ShopAtHomeSelect.com.
If you really want it
enter the text from the image and press ok

it had an image with a code on the top of the window


Should I do that????
I think we shouldn't press any "ok"s when dealing with this spyware stuff???

:bawling: I’m really scared about this thing because I can’t see any files in my harddrive… could it be here collecting my data??
Should I format my disk?



Thank you so much again!

Comments

  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    I'm never really too trusting of spyware that I didn't want to begin with to offer to so easily uninstall itself. You are correct to be wary.

    Please post a new hijackthis log and we'll take a look.
  • azzzul New
    edited February 2005
    precisely, isn't that odd? :confused:

    and that weird password that they ask me to type... is it possible to post images here? I'd post a screen capture of that dialog box if I could?



    Here's the new hijackthis log:


    (that red line, I have already deleted it 3 times now, but it always comes back)


    Logfile of HijackThis v1.99.0
    Scan saved at 0:43:28, on 17-02-2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
    C:\Programas\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programas\Norton Internet Security\ccPxySvc.exe
    C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\Programas\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
    C:\Programas\HP\HP Software Update\HPWuSchd.exe
    C:\Programas\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Programas\HP\hpcoretech\comp\hptskmgr.exe
    C:\Programas\Messenger\msmsgs.exe
    C:\Documents and Settings\Luiza Alves da Costa\Os meus documentos\FicheirosInstalação1\spy\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Programas\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
    O17 - HKLM\System\CCS\Services\Tcpip\..\{63156E5A-F67D-445E-A7E0-DD0C10C2D022}: NameServer = 194.65.100.117
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programas\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programas\Norton Internet Security\ccPxySvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programas\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Programas\Norton Internet Security\NISUM.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe




    Thanks again for the answer :)
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    You have to disable Spybot's Teatimer. It is preventing hijackthis from completing the fix with that line. Once you disable Teatimer you should be able to have hijackthis fix it for you.


    That's the only thing that I see in your log. Are you having any problems?

    Run Adaware one more time and let me know what it comes up with.
  • azzzul New
    edited February 2005
    «You have to disable Spybot's Teatimer.»

    don't know how... didn't even know I had it enabled :confused:



    «That's the only thing that I see in your log. Are you having any problems?»

    since you helped me clean this PC, all is well, I mean, no pop up windows or anything like that

    I just saw that weird «Golden Retriever Cash Back» line in my add remove programs list and I don't know how it got there???

    should I accept the uninstall offer and write the password and hit ok?



    let me see if I can post the image here...



    I uploaded the image and it seems to be attached but I can't preview it?
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    Don't even bother with the uninstall process. It won't do anything.

    Right click the running icon of spybot's teatimer, and choose exit.
    Then follow the rest of the instructions from the previous post to remove that O2 line.


    Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

    Install the program and launch it.

    First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.


    Next, we need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:

    * Automatically save log-file
    * Automatically quarantine objects prior to removal
    * Safe Mode (always request confirmation)

    2. Click on the Scanning button on the left and select:

    * Scan Within Archives
    * Scan Active Processes
    * Scan Registry
    * Deep Scan Registry
    * Scan my IE favorites for banned URLs
    * Scan my Hosts file
    * Under Click here to select drives + folders, choose:
      o All of your hard drives

    Click on the Advanced button on the left and select:

    * Include additional process information
    * Include additional file information
    * Include environment information

    Click the Tweak button and select:

    * Under the Scanning Engine:
      o Unload recognized processes & modules during scan
      o Include additional Ad-aware settings in logfile
    * Under the Cleaning Engine:
      o Let Windows remove files in use at next reboot

    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

    * Use Custom Scanning Options

    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Reboot your computer and post a new hijackthis log.
  • azzzul New
    edited February 2005
    Hi again and thanks for all your help :)


    Ok, I did all you asked…

    1) Turned off spybot resident

    2) Fixed that “no file” entry through hijackthis

    3) Configured Ad-aware SE (I already had that version, and updated) as you told me to (although some of those lines were a bit different in my version???)

    4) Ran Ad-aware and deleted 1 critical object (a “cookie” it said there)

    5) Rebooted the PC and here is the new hijackthis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 15:16:14, on 20-02-2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
    C:\Programas\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programas\Norton Internet Security\ccPxySvc.exe
    C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
    C:\Programas\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
    C:\Programas\HP\HP Software Update\HPWuSchd.exe
    C:\Programas\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Programas\HP\hpcoretech\comp\hptskmgr.exe
    C:\Programas\Microsoft Office\Office10\WINWORD.EXE
    C:\Programas\Messenger\msmsgs.exe
    C:\Documents and Settings\Luiza Alves da Costa\Os meus documentos\FicheirosInstalação1\spy\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Programas\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programas\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programas\Norton Internet Security\ccPxySvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programas\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Programas\Norton Internet Security\NISUM.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe



    As you can see that red “no file” line is still there… :(



    Now please tell me something… every time Windows starts this small window shows up



    I always “deny change”, should I allow?




    And of course the «Golden Retriever Cash Back» is still in the add remove list :wtf:



    Thanks :thumbsup:
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    dxdllreg.exe has to do with DirectX9 files. It's OK.

    Between Spysweeper and TeaTimer the removal of that BHO is being blocked. Of course it does not really matter because the file that was associated with that BHO is long gone so it's really just a matter of cleaning up. If you really want it gone I would uninstall Spysweeper and Spybot, then use hijackthis to remove it. Then you can reinstall Spybot and Spysweeper.


    In order to clean that entry off your add/remove programs listing you will have to edit the registry. Follow the directions at this link to do that.

    http://support.microsoft.com/default.aspx/kb/247501?
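
The check done by eye on the two logs above, written out as an added example that is not part of the original thread: it parses HijackThis entries, lists the ones whose target is "(no file)", and reports which orphans survive from one scan to the next (a fix that did not take) alongside what else changed. The log text is an excerpt of the lines posted in this thread; the function names are illustrative.

```python
import re

# Excerpt of the 17-02-2005 log posted above; the 20-02-2005 log differs
# from it (within this excerpt) only by the missing O17 line.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{63156E5A-F67D-445E-A7E0-DD0C10C2D022}: NameServer = 194.65.100.117
"""
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if not l.startswith("O17"))

# Entry lines look like "<section code> - <body>"; headers and process paths do not.
ENTRY = re.compile(r"^([RFNO]\d+) - (.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(log):
    """Return one dict per R*/F*/N*/O* entry; everything else is skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        guid = GUID.search(body)
        entries.append({"code": code, "body": body,
                        "guid": guid.group(0).upper() if guid else None,
                        "orphan": body.endswith("(no file)")})
    return entries

def orphans(log):
    """GUIDs of entries whose registered file no longer exists on disk."""
    return [e["guid"] for e in parse(log) if e["orphan"]]

def persistent_orphans(before, after):
    """Orphans present in both scans: the fix was attempted but did not stick."""
    return sorted(set(orphans(before)) & set(orphans(after)))

def diff(before, after):
    """Return (removed, added) entries between two scans as (code, body) pairs."""
    b = {(e["code"], e["body"]) for e in parse(before)}
    a = {(e["code"], e["body"]) for e in parse(after)}
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    print("orphaned entries:", orphans(LOG_BEFORE))
    print("still present after fix:", persistent_orphans(LOG_BEFORE, LOG_AFTER))
    print("removed / added:", diff(LOG_BEFORE, LOG_AFTER))
```

An orphan that persists across scans, as here, points at something re-writing or protecting the registry value rather than at a live file, which matches the TeaTimer and Spysweeper explanation given in the thread.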
  • azzzul New
    edited February 2005
    Hi Buckeye_Sam :)

    That microsoft link solved it! Golden Retriever Cash Back is GONE!
    Thank you so much for all your help!!!



    I hope I won't be needing to get rid of all this trash spyware :rolleyes:

    But it sure feels good to know that you Short Media guys are out there and always ready to help us...great job!!! :thumbsup:

    See you :wave:
This discussion has been closed.