
eZula, CoolSavings, WUpd, and more..



#1
Natural

Natural

    New Member

  • Member
  • Pip
  • 4 posts
I am using Windows ME and I already ran AdAware SE Edition, Spybot S&D, CWS Shredder and NONE of them found these spywares!!

Ran Pests Scan (Pest Patrol) and it found 8 infected locations as follows: ;)

- eZula TopText-Adware at C:\WINDOWS\system\stub.exe
- OnFlow-Adware at C:\Program Files\internet explorer\plugins\onflowplayer0.dll
and at C:\Program Files\intern~1\plugins\onflowplayer0.dll
- IPInsight - Browser Helper Object at C:\WINDOWS\sentry.ini
- TightVNC- Commercial RAT at hkey_current_user\software\orl
- Gator/GAIN/Claria - Adware at hkey_current_user\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\gator
- CoolSavings- Adware at
hkey_local_machine\software\microsoft\windows\currentversion\shareddlls

and hkey_local_machine\software\microsoft\windows\currentversion\moduleusage\C:/windows/downloaded program files/cpnmgr.dll



A couple of days ago I also ran Panda Online Scanner and it found 2 spyware: eZula & WUpd, but did not disinfect them.


The Panda scan result :

- Adware:Adware/eZula No disinfected
at C:\WINDOWS\SYSTEM\stub.exe

- Adware:Adware/WUpd No disinfected
at
C:\ProgramFiles\Support.com\backup\6C\6CF1BFA6d01\ 27176_576d0fd84_[6CF1BFA6d01]

I looked up "TopText" or "HOTtext" and similar program in the Add/Remove Program but they're not listed there. There are only few programs in my Add/Remove panel.

I also found eZulains.exe in C:\Windows


Here is my HJT log :


Logfile of HijackThis v1.99.1
Scan saved at 5:12:56 PM, on 3/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\DOWNLOADS\WINPATROL.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\DOWNLOADS\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} (EZListings) - http://www.therealye...ve/ezlistng.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409


;)
Please help me with what to do, because I already ran AdAware SE edition, SpyBot Search & Destroy and CWS Shredder & they found nothing! :tazz:
Thanks in advance!
Your help will be greatly appreciated!!
  • 0



#2
Natural

Natural

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
anyone can help me please?? :tazz:
  • 0

#3
starjax

starjax

    Global Moderator

  • Global Moderator
  • 6,678 posts
ok please follow the steps listed here: http://www.geekstogo..._Log-t2852.html

Both Spybot and Ad-Aware will detect and remove eZula. You need to make sure your definitions are updated. I recommend that you run the Ad-Aware scan in deep scan mode.

Repost your HJT log; it looks like not all of it was posted previously.

thanks,
Starjax
  • 0

#4
Natural

Natural

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Starjax thank you for your reply..
I ran (again) Adaware (the deep scan one) & spybot search & destroy but they found NOTHING.. ;)

Then I ran PestScan again (PestPatrol) and they're still there..

And I try to look for eZula at the Add/Remove Program (in control panel) but it's not listed there...it's strange because there's only few of the programs there.. I mean most of my programs are not listed in the Add/Remove program..is it normal?

Please advise what to do. ;)
Thanks in advance!
Don't know what to do now... :tazz:

Here is my HJT log :



Logfile of HijackThis v1.99.1
Scan saved at 3:25:08 PM, on 3/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\DOWNLOADS\WINPATROL.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\DOWNLOADS\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
  • 0

#5
starjax

starjax

    Global Moderator

  • Global Moderator
  • 6,678 posts
I pulled the following from whirlyweb. Go there and it will do an autoscan, followed by the info below. You will need to use Internet Explorer. Below are the manual removal methods:

If you ever had eZula TopText installed, you used Control Panel > Add/Remove Programs to uninstall it, just like eZula says to do.
However, you still have the most hideous part of all on your system -- the eZula auto-downloader/installer. It can instantly download TopText and reinstall it, without your consent. Apart from the innocent looking tray icon flashing up, and a strangely behaving browser for a couple of seconds, the reinstall is totally unnoticeable. Most users will never know what hit them.
This component is called stub.exe and is located in the Windows' System folder. Its name, location and the fact it remains after an uninstall proves the trojan-like nature of eZula's scumware.
The installer/downloader can be ignited by just a single line of HTML code on any Internet page -- not even relying on Javascript.
We tried to find one, but there's no reliable way to detect now if this component is resident on your system. Touching it is enough to start the automatic download/install.

You don't believe it? If you ever had eZula TopText installed, clicking here will instantly reinstall it! No code whatsoever will be downloaded from our Web site; the necessary code to contact eZula + download + install is already there on your system! If you dare to do it, you'll see a sneaky tray icon pop up. After the icon disappears, do a page refresh, and you'll see that TopText is detected again.

Ad-aware
Apart from doing the cleaning with your bare hands, you can also download Lavasoft's free Ad-aware tool. Apart from removing eZula from your system, Ad-aware cleans a whole myriad of spyware.

How to manually remove eZula's downloader/installer.
See if you have stub.exe or ezstub.exe on your system. Do a search on your hard drive for 'stub.exe ezstub.exe'. You'll find it in Windows' System or System32 folder. ezstub.exe can be found in the Program Files folder.
If there's no file like that, about 52K in size, you don't have the downloader/installer. (Some may find a 'stub.exe' in the CuteFTP folder - don't delete that one!)
Open a command prompt (aka DOS window) and go to the directory stub.exe or ezstub.exe is in.
Type this (hit enter at the end of each line):
stub.exe -UnregServer
del stub.exe
Or if you found ezstub.exe:
ezstub.exe -UnregServer
del ezstub.exe
The most vicious eZula component is now removed from your system.

How to remove eZula's Web downloader/installer.
If you downloaded TopText from eZula's Download Site, you have an additional downloader/installer on your system. Again, we can't detect if it's on your system: touching it is igniting it.
Here's how you can find out whether you have it, and how to install it:

See if you have ezulaboot.dll on your system. Do a search on your hard drive for ezulaboot.dll. You'll find it in Windows' Downloaded Programs folder.
If there's no file like that, you don't have the Web downloader/installer on your system.
You'll need regsvr32.exe for removal. Do a search on your hard drive for regsvr32.exe. You'll find it in Windows' System or System32 folder. Take note of its path.
Open a command prompt (aka DOS window) and go to the directory ezulaboot.dll is in.
Type this (hit enter at the end of each line, the path to regsvr32.exe may differ if you're not on Windows NT/2000):
C:\WinNT\system32\regsvr32.exe -u ezulaboot.dll
del ezulaboot.*
eZula's Web installer is now removed from your system.


try this before I move to the next step.

Starjax
  • 0
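A read-only check for the files named in the removal instructions above, as an added example that is not part of the original thread or of the quoted site. It walks a directory tree, reports stub.exe, ezstub.exe and ezulaboot.dll, applies the "about 52K" size hint and sets aside the CuteFTP copy the instructions say to keep; the 4 KB tolerance, the verdict names and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile

# File names come from the quoted removal instructions.
TARGETS = {"stub.exe", "ezstub.exe", "ezulaboot.dll"}
# "about 52K" is from the instructions; the 4 KB tolerance is an assumption.
STUB_SIZE = 52 * 1024
TOLERANCE = 4 * 1024

def classify(rel_path, size):
    """Verdict for a file whose name is in TARGETS (rel_path uses '/')."""
    parts = rel_path.lower().split("/")
    name, folders = parts[-1], parts[:-1]
    # The instructions warn that CuteFTP ships its own stub.exe: leave it alone.
    if name == "stub.exe" and any("cuteftp" in f for f in folders):
        return "skip-cuteftp"
    # A stub far from ~52K does not fit the description; review by hand.
    if name in ("stub.exe", "ezstub.exe") and abs(size - STUB_SIZE) > TOLERANCE:
        return "size-mismatch"
    return "candidate"

def find_ezula_files(root):
    """Walk root and return sorted (relative path, size, verdict) tuples.
    Only names and sizes are read; nothing is opened, run or deleted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in TARGETS:  # Windows names are case-insensitive
                full = os.path.join(dirpath, fname)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                size = os.path.getsize(full)
                findings.append((rel, size, classify(rel, size)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout (zero-filled files), not data from the thread."""
    layout = {
        "WINDOWS/SYSTEM/stub.exe": 52 * 1024,
        "Program Files/CuteFTP/stub.exe": 52 * 1024,
        "Program Files/Other/STUB.EXE": 300 * 1024,
        "WINDOWS/Downloaded Program Files/ezulaboot.dll": 10 * 1024,
        "WINDOWS/notepad.exe": 1024,
    }
    for rel, size in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_ezula_files(root)

if __name__ == "__main__":
    for rel, size, verdict in demo():
        print(f"{verdict:14} {size:>7}  {rel}")
```

Files marked candidate are the ones the quoted steps would unregister before deleting; the script itself changes nothing.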

#6
Natural

Natural

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks Starjax now the eZula is gone!
Like I said, because I can not find eZula in Add/Remove program, I just deleted the stub.exe on command prompt (DOS). Luckily I don't have ezstub.exe or ezulaboot.dll. And I did PestScan again and eZula is gone.

Now waiting for your next instruction for others spywares:

- eZula TopText-Adware at C:\WINDOWS\system\stub.exe------->>SOLVED!!

- OnFlow-Adware at C:\Program Files\internet explorer\plugins\onflowplayer0.dll
and at C:\Program Files\intern~1\plugins\onflowplayer0.dll
- IPInsight - Browser Helper Object at C:\WINDOWS\sentry.ini
- TightVNC- Commercial RAT at hkey_current_user\software\orl
- Gator/GAIN/Claria - Adware at hkey_current_user\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\gator
- CoolSavings- Adware at
hkey_local_machine\software\microsoft\windows\currentversion\shareddlls
and hkey_local_machine\software\microsoft\windows\currentversion\moduleusage\C:/windows/downloaded program files/cpnmgr.dll

-Adware:Adware/WUpd No disinfected
at
C:\ProgramFiles\Support.com\backup\6C\6CF1BFA6d01\ 27176_576d0fd84_[6CF1BFA6d01]


One more question, do you think spywares/adwares may cause some of my programs not listed in the "Add/Remove program control panel" ? :tazz:

Well I guess that's it for now. Thanks again!
  • 0

#7
starjax

starjax

    Global Moderator

  • Global Moderator
  • 6,678 posts
Now we just need to clean up all of your temp files so that it doesn't come back.

CleanUp! whenever I see files running from a temp directory. It's easy for the user to use and does a thorough job.

You can download it here

Tutorial on how to use it here


or you could use CCleaner


Alternatively:
Please delete your temporary files. Double click My Computer (WinXP: navigate to Start ---> My Computer).
You will see an icon representing your hard drive (most likely C: drive). Right click on the hard drive icon and click Properties at the bottom of the fly-out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"... click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

also you need to turn off system restore:
  • 0





