
Pop-up Madness! HELLLLLLP! [resolved]



#1 Deus_Ex_Machina (Member, 24 posts)

I have followed the directions as best I was able to, from "You Must Read This Before Posting A Hijackthis Log, Required steps before posting your log". My OS is Windows 98 build 4.10.2222. Here is how it went:

I reinstalled my Winsock. I ran CleanUp. I installed and ran Ad-Aware SE and deleted the detected items. Ran CWShredder, nothing detected. Spybot S&D runs but crashes at the end. Every time. Ewido won't run under my OS. Disabled Norton AV and ran Trend HouseCall. Also ran AVG with NAV disabled. Nothing detected. Uninstalled AVG. NAV also did not detect anything. Downloaded, installed and ran TrojanHunter. Deleted detected items. Ran HijackThis and got rid of suspicious items. Still having a problem with pop-ups. I use ZoneAlarm Pro to block the sites as fast as I can, and I find that I have to update the IP addresses now and again because the tricky dirtballs are changing them every few days.

Here is a list of some of the domains my browser spontaneously opens and points to, which I have since blocked:

www.automotive.com
addynamix.com
www.pacimedia.com
www.yieldmanager.com
www.xbloom.com
z1.adserver.com
dist.belnk.com
media17.fastclick.net
adopt.hbmediapro.com
ad.firstadsolution.com
www.spotresults.com
www.heavy.com
and the IP 64.192.130.141

I have not had to resort to a blatant cry for help in the past. I have always been able to fix any problems that have arisen. In over a decade of computing this is my first stumper. The frustration is enormous. Please help.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:53:47 PM, on 8/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\TRAYMAN\TRAYMAN.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CPAL\CPBRWTCH.EXE
C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\CLOCKWISE\CLOCKWISE.EXE
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\PROGRAM FILES\ABOUTTIME\PROGRAM\ABOUTTIME.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\MAILCALL\MAILCALL.EXE
C:\PROGRAM FILES\IMAP NOTIFY\IMAPNOTIFY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\CPAL\CPAL.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\YC\YANKCLIP.EXE
C:\WINDOWS\DESKTOP\SORT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Matt Brand IE Browser
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: ExplorerWatch Class - {D4E7C68D-37FD-11D4-9D32-0000A00B0B0B} - C:\PROGRAM FILES\CPAL\CPBRHELP.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] D:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [Cookie Pal] "C:\PROGRAM FILES\CPAL\CPBrWtch.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [NPFMonitor] D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] d:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [TrayManager] C:\PROGRA~1\TRAYMAN\TRAYMAN.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [TClockEx] C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ClockWise] C:\PROGRAM FILES\CLOCKWISE\CLOCKWISE.EXE
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: yankclip.lnk = C:\Program Files\yc\yankclip.exe
O4 - Startup: AboutTime.exe.lnk = C:\Program Files\abouttime\PROGRAM\AboutTime.exe
O8 - Extra context menu item: &Acronym Finder lookup... - http://www.acronymfinder.com/iesearch/
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Password Generator &3 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O12 - Plugin for .dll: D:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npHiwire4.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O20 - AppInit_DLLs: apitrap.dll;

Any help is appreciated. Thank you.

Edited by coachwife6, 15 August 2005 - 03:01 AM.



#2 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

Hi D. Welcome to GTG. Sorry you were overlooked the first go-round, but we'll get you fixed up this time.

Please run HijackThis again and post the new log in this thread.

#3 Deus_Ex_Machina (Topic Starter, Member, 24 posts)

Thanks CW6! Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 3:37:57 AM, on 8/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\TRAYMAN\TRAYMAN.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CPAL\CPBRWTCH.EXE
C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\CLOCKWISE\CLOCKWISE.EXE
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YC\YANKCLIP.EXE
C:\PROGRAM FILES\IMAP NOTIFY\IMAPNOTIFY.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\CPAL\CPAL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\SORT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Matt Brand IE Browser
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: ExplorerWatch Class - {D4E7C68D-37FD-11D4-9D32-0000A00B0B0B} - C:\PROGRAM FILES\CPAL\CPBRHELP.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] D:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [Cookie Pal] "C:\PROGRAM FILES\CPAL\CPBrWtch.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [NPFMonitor] D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] d:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [TrayManager] C:\PROGRA~1\TRAYMAN\TRAYMAN.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [TClockEx] C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ClockWise] C:\PROGRAM FILES\CLOCKWISE\CLOCKWISE.EXE
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: yankclip.lnk = C:\Program Files\yc\yankclip.exe
O4 - Startup: AboutTime.exe.lnk = C:\Program Files\abouttime\PROGRAM\AboutTime.exe
O8 - Extra context menu item: &Acronym Finder lookup... - http://www.acronymfinder.com/iesearch/
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Password Generator &3 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: apitrap.dll;

Any help you can give is appreciated. Thanks!
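Added example, not from the original posts and not part of HijackThis itself: a small Python triage script for HijackThis 1.99-format logs like the two posted above. It parses the R/F/O entries and flags the launch points an adware or pop-up investigation looks at first: O10/O20/O21/O22 entries that inject into every process or into the Winsock chain, proxy settings, unnamed or %WINDIR%-resident BHOs and toolbars, O4 entries that name a bare executable resolved by PATH search, and O16 downloaded ActiveX controls. The embedded sample log is constructed from a handful of lines copied from the log above; the severity labels, regular expressions and the names `triage`, `check_entry` and `parse_log` are my own. A "review" finding means identify the entry by CLSID and file vendor before touching it, not that it is malicious; on this log the same rule flags legitimate software (RoboForm, the Google toolbar), which is the point of triage: it narrows attention, it does not decide.

```python
"""Triage a HijackThis 1.99.x log.

Parses every R/F/O entry and flags the launch points an adware/pop-up
investigation checks first. Severity "high" marks entries that load code into
every process or the network stack; "review" marks entries worth identifying
by CLSID and file vendor before deciding. (Added example; not HijackThis code.)
"""
import re
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    section: str  # "R1", "O2", "O20", ...
    text: str     # everything after the "Oxx - " prefix


class Finding(NamedTuple):
    severity: str  # "high" or "review"
    section: str
    reason: str
    text: str


ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# First drive-letter path that ends in a loadable module extension.
MODULE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe|ocx|cpl))', re.IGNORECASE)
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[[^\]]*\] (.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: .* = (.*)$")
DPF_RE = re.compile(r"^DPF: \{[^}]*\} \(([^)]*)\) - (\S+)")
# Sections whose payload is loaded into every process (O20 AppInit_DLLs,
# O21 SSODL, O22 SharedTaskScheduler) or into the Winsock chain (O10 LSP).
INJECT_SECTIONS = {"O10", "O20", "O21", "O22"}

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O20 - AppInit_DLLs: apitrap.dll;
"""


def parse_log(log: str) -> list[Entry]:
    """Return the R/F/O entries; the 'Running processes' block is skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def module_path(text: str) -> Optional[str]:
    m = MODULE_RE.search(text)
    return m.group(1) if m else None


def in_windows_dir(path: str) -> bool:
    """True for a module dropped straight under %WINDIR% (or its SYSTEM dir)
    instead of a Program Files tree; a common adware drop location."""
    p = path.lower()
    return "\\windows\\" in p and "\\program files\\" not in p


def check_entry(e: Entry) -> Optional[Finding]:
    if e.section in INJECT_SECTIONS:
        payload = e.text.split(":", 1)[-1].strip().rstrip(";").strip()
        if payload:
            return Finding("high", e.section, "code loaded into every process / Winsock chain", e.text)
        return None
    if e.section == "R1" and "Proxy" in e.text:
        return Finding("review", e.section, "proxy setting can redirect browser traffic", e.text)
    if e.section in ("O2", "O3"):
        if "(no name)" in e.text:
            return Finding("review", e.section, "unnamed BHO/toolbar, identify by CLSID", e.text)
        p = module_path(e.text)
        if p and in_windows_dir(p):
            return Finding("review", e.section, "module lives directly under %WINDIR%", e.text)
        return None
    if e.section == "O4":
        m = RUN_RE.match(e.text) or STARTUP_RE.match(e.text)
        target = m.group(m.lastindex).strip().strip('"') if m else ""
        if target and "\\" not in target.split()[0]:
            return Finding("review", e.section, "bare filename resolved by PATH search, confirm which copy runs", e.text)
        return None
    if e.section == "O16":
        m = DPF_RE.match(e.text)
        if m:
            return Finding("review", e.section, f"downloaded ActiveX control from {m.group(2)}", e.text)
        return None
    return None


def triage(log: str) -> list[Finding]:
    """All findings, 'high' first, then grouped by section."""
    findings = [f for f in (check_entry(e) for e in parse_log(log)) if f]
    return sorted(findings, key=lambda f: (f.severity != "high", f.section))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:<4} {f.reason}\n         {f.text}")
```

Run it on the full log by pasting the log text in place of `SAMPLE_LOG`; on the sample above the single "high" finding is the O20 AppInit_DLLs entry, which is the one to resolve first because that DLL is mapped into every process that loads user32.dll. Resolve it by checking the file's location and version resource, not by deleting the value blind: several of the Symantec components running on this machine also live outside Program Files.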

#4 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#5 Deus_Ex_Machina (Topic Starter, Member, 24 posts)

Here is the log from Silent Runners. Thanks!


"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TClockEx" = "C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE" ["Dale Nurden"]
"ClockWise" = "C:\PROGRAM FILES\CLOCKWISE\CLOCKWISE.EXE" ["RJ Software"]
"RoboForm" = ""C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"" ["Siber Systems"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Norton Auto-Protect" = "D:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPW32.exe /LOADQUIET" [null data]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"SBWatchDog.EXE" = "C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l" ["Softbank Content Services"]
"Cookie Pal" = ""C:\PROGRAM FILES\CPAL\CPBrWtch.exe"" ["Kookaburra Software"]
"Logitech Utility" = "LOGI_MWX.EXE" ["Logitech Inc."]
"a-winpoet-service" = ""C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"" ["Fine Point Technologies, Inc."]
"Zone Labs Client" = "D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe" ["Zone Labs Inc."]
"ADUserMon" = "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" ["Iomega Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec Core LC" = "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs Inc."]
"NPFMonitor" = "D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]
"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]
"CSINJECT.EXE" = "d:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE" ["Symantec Corporation"]
"(Default)" = (empty string)
"TrayManager" = "C:\PROGRA~1\TRAYMAN\TRAYMAN.EXE" ["Ziff-Davis, Inc."]
"SchedulingAgent" = "mstask.exe" [MS]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]
"ccEvtMgr" = ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
"ccSetMgr" = ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.0"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{D4E7C68D-37FD-11D4-9D32-0000A00B0B0B}\(Default) = "ExplorerWatch Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\CPAL\CPBRHELP.DLL" ["Kookaburra Software"]
{724d43a9-0d85-11d4-9908-00400523e39a}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\windows\googletoolbar2.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{c7745760-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Iomega\Shell\ImgMenu.dll" ["Iomega Corp."]
"{c7745761-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Iomega\Shell\ImgProp.dll" ["Iomega Corp."]
"{F8B14440-3785-11D1-B363-5C6F08C10000}" = "PGPdisk Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "PGPdskSE.dll" ["Network Associates, Inc."]
"{969223c0-26aa-11d0-90ee-444553540000}" = "Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "pgp60mn.dll" ["Network Associates, Inc."]
"{8f7261d0-d2b9-11d2-9909-00605205b24c}" = "CuteFTP Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "d:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll" ["$"]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Canon Creative\PhotoDeluxe\FotoNation Explorer\camview.dll" ["FotoNation Inc."]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAM FILES\ICQ\ICQSHEXT.DLL" ["ICQ"]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Windows Messaging\mlshext.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]
"{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\COMMON FILES\ZINIO\ZSHEXT.DLL" ["Zinio Systems, Inc."]
"{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\COMMON FILES\ZINIO\ZSHEXT.DLL" ["Zinio Systems, Inc."]
"{091D66CD-24B7-4210-A790-78463B1B3D7A}" = "Zinio Shell Extension UI Object"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\COMMON FILES\ZINIO\ZSHEXT.DLL" ["Zinio Systems, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{B1816445-A3ED-11D3-B2B3-00104B4C6B08}" = "Evidence Eliminator Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\EESHELLX.DLL" ["evidence-eliminator.com"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{A213B520-C6C2-11d0-AF9D-008029E1027E}" = "WinFax PRO IShellExecuteHook" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAM FILES\SYMANTEC\WINFAX\WfxSeh32.Dll" ["Symantec Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {CLSID}\InProcServer32\(Default) = "d:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll" ["$"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
StuffIt Context Menu\(Default) = "{2E336DC0-54F8-11D1-ABD5-447270537467}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT STANDARD\StuffItMenu.dll" ["Aladdin Systems, Inc."]
Evidence Eliminator\(Default) = "{B1816445-A3ED-11D3-B2B3-00104B4C6B08}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\EESHELLX.DLL" ["evidence-eliminator.com"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Wipe Info\(Default) = "{30424D42-5946-11D2-B8E5-006097C9C6FF}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\NORTON~1\NORTON~1\WFSHELEX.DLL" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {CLSID}\InProcServer32\(Default) = "d:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll" ["$"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
StuffIt Context Menu\(Default) = "{2E336DC0-54F8-11D1-ABD5-447270537467}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT STANDARD\StuffItMenu.dll" ["Aladdin Systems, Inc."]
Evidence Eliminator\(Default) = "{B1816445-A3ED-11D3-B2B3-00104B4C6B08}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\EESHELLX.DLL" ["evidence-eliminator.com"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Norton WipeInfo\(Default) = "{30424D42-5946-11D2-B8E5-006097C9C6FF}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\NORTON~1\NORTON~1\WFSHELEX.DLL" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"yankclip" -> shortcut to: "C:\Program Files\yc\yankclip.exe" ["No Company- Just Me!"]
"AboutTime.exe" -> shortcut to: "C:\Program Files\abouttime\PROGRAM\AboutTime.exe" [","]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"]
"Update Virii Definitions" -> launches: "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE -s " ["Symantec Corporation"]
"Update Virii Definitions(2)" -> launches: "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE -s " ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - ML" -> launches: "D:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exe /task:"C:\WINDOWS\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\msafd.dll [MS], 1 - 3
c:\windows\SYSTEM\rsvpsp.dll [MS], 4 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\windows\googletoolbar2.dll" ["Google Inc."]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{724D43A0-0D85-11D4-9908-00400523E39A}" = "&RoboForm" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\windows\googletoolbar2.dll" ["Google Inc."]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{724D43A0-0D85-11D4-9908-00400523E39A}" = "&RoboForm" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\windows\googletoolbar2.dll" ["Google Inc."]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{724D43A8-0D85-11D4-9908-00400523E39A}\ = "&RoboForm"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{724D43AA-0D85-11D4-9908-00400523E39A}\
"ButtonText" = "RoboForm"
"MenuText" = "RF Toolbar &2"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html" [file not found]

{320AF880-6646-11D3-ABEE-C5DBF3571F46}\
"ButtonText" = "Fill Forms"
"MenuText" = "Fill Forms &]"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html" [file not found]

{320AF880-6646-11D3-ABEE-C5DBF3571F49}\
"ButtonText" = "Save"
"MenuText" = "Save Forms &["
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html" [file not found]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 40 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 20 seconds.
---------- (total run time: 87 seconds)
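The Silent Runners report above lists the Winsock2 provider chain and every toolbar, extension and startup launch point with the vendor the file is attributed to. The following is an added example, not part of the thread or of Silent Runners itself, that parses lines in that same format and flags the things a helper scans such a log for: non-Microsoft or gapped Layered Service Provider entries (the damage a Winsock reinstall repairs), launch points marked `[file not found]`, and launch points with no recognised vendor. The entries `example_lsp.dll` and `Example Startup` are constructed stand-ins; the vendor allowlist is built from the thread's own log.

```python
import re

# Constructed excerpt in the line format of the Silent Runners report quoted in
# the thread. "example_lsp.dll" and "Example Startup" are made-up stand-ins for
# an inserted Layered Service Provider and an unattributed startup entry.
SAMPLE_REPORT = r"""
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
c:\windows\SYSTEM\msafd.dll [MS], 1 - 3
c:\windows\SYSTEM\example_lsp.dll [null data], 4 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 6 - 7
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Example Startup" -> launches: "C:\WINDOWS\SYSTEM\example.exe" [null data]
-> {CLSID}\InProcServer32\(Default) = "c:\windows\googletoolbar2.dll" ["Google Inc."]
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html" [file not found]
"""

# Vendors the thread's own log attributes entries to; anything else gets flagged.
TRUSTED_VENDORS = {"MS", "Symantec Corporation", "Google Inc.", "Siber Systems"}

LSP_LINE = re.compile(r'^(?P<dll>\S+\.dll) \[(?P<vendor>[^\]]*)\], (?P<lo>\d+) - (?P<hi>\d+)$', re.I)
LOAD_LINE = re.compile(r'(?:=|launches:) "(?P<path>[^"]*\\[^"]*)" \[(?P<tag>[^\]]*)\]$')

def parse_lsp_chain(report):
    """Winsock2 transport providers as (dll, vendor, first_id, last_id) tuples."""
    chain = []
    for line in report.splitlines():
        m = LSP_LINE.match(line.strip())
        if m:
            chain.append((m['dll'], m['vendor'], int(m['lo']), int(m['hi'])))
    return chain

def lsp_findings(chain):
    """Flag non-Microsoft providers and gaps in the catalog numbering (a broken chain)."""
    findings, expected = [], 1
    for dll, vendor, lo, hi in sorted(chain, key=lambda e: e[2]):
        if vendor != "MS":
            findings.append(f"non-Microsoft LSP in chain: {dll} [{vendor}]")
        if lo != expected:
            findings.append(f"catalog gap before {dll}: expected {expected}, got {lo}")
        expected = hi + 1
    return findings

def load_point_findings(report):
    """Flag launch points whose target is missing or attributed to no known vendor."""
    findings = []
    for line in report.splitlines():
        m = LOAD_LINE.search(line.strip())
        if m:
            tag = m['tag'].strip('"')
            if tag == "file not found":
                findings.append(f"dangling launch point: {m['path']}")
            elif tag not in TRUSTED_VENDORS:
                findings.append(f"unknown vendor [{tag}] for {m['path']}")
    return findings
```

On the real log in this thread the LSP chain is contiguous and all-Microsoft, and the only findings are the three RoboForm extension scripts marked `[file not found]`.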
#6
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hi D. I couldn't help but notice that you have quite a few time-setting programs on your computer. Is there a reason for that?

Please download CleanUp! - Download - HomePage

Don't run it yet.

There are quite a few programs available that offer protection features to help keep a computer from getting infected. While this is normally a helpful feature, it can keep a victim from making the changes necessary to clean their computer. Please read the following and uninstall or disable those that apply to your machine.

These programs need to be uninstalled

AdWatch

These programs can just be disabled

Microsoft Antispyware
TeaTimer
SpySweeper
Win Patrol
Spyware Guard
PSGuard
Pestpatrol
Regrun
Diamonds Process controller


You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\SYSTEM\SBUtils\<<entire folder

Run CleanUp! When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.

Reboot and let me know how it is running. :tazz:

#7
Deus_Ex_Machina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
First let me say that it appears to be successful! :) THANKS! :tazz:

Here's how it went:

I printed out the details and got to work. I already had Cleanup on my PC. I ran HJT and deleted the SBWatchdog item. I was under the impression that this file was a system file from the manufacturer but I read online that it is SPYWARE from the PC manufacturer. This is what threw me. I did not expect that a file that had been there for so long and was installed by the manufacturer (SONY) could possibly be malware. I have now learned a major malware lesson: suspect everything!

After deleting the entry with HJT I rebooted and tried to enter safe mode. F8 did not work and I entered windows. I tried again holding control and still no luck. I used tweakUI to force a boot screen option and got to safe mode that way. I then deleted the troublesome folder. I suspect that this particular form of malware piggybacked off the SBWatchdog, using its activity to trigger its own. Whether it was resident in the SBWatchdog folder or is elsewhere is unknown. As it is unlikely to be triggered if it is elsewhere the point is likely moot.

So far there haven't been any more pop-ups. I will post another report in 3 days if there are no more pop-ups, sooner if there are.

A nice elegant solution to a persistently irritating problem. My compliments on your efficacy. I am very pleased with the help I received and am happy to be joining the team at GTG.

Thanks very much CW6! You spared me the hassle of wiping the machine! ;)

#8
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Cool beans. Glad to have you aboard. :tazz:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

#9
Deus_Ex_Machina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi CW6,

My system has been working fine without any repeat of the pop-up problem. I consider my original issue for starting this thread resolved.
Thanks! :tazz: :) :)

I used the Panda ActiveScan and it found over 170 items on my system. I then upgraded to the Pro version and deleted them. I was so impressed by Panda that when my Norton AV subscription runs out in January I will switch to a Panda product.

I was able to run the free ActiveScan because I no longer had pop-ups that would crash the system. However, I probably could have used the ActiveScan by starting it, halting/blocking my Internet connection, then reconnecting to the Internet after the scan completed to see the final report.

I am very happy with the efficacy of your instructions. I have my PC back and will carefully review your suggestions for other programs to consider. I have my peace of mind back and am no longer worried about my PC and when/if I can get it to run adequately again.

I am unable to do so this week but I will try next week to give you a fiscal boon. I know it is not required but I would like to send you something to aid you in the cause. :ph34r:

Thanks for all your help! :)

#10
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I am so glad everything is working well. That made my day. :tazz: Since this topic appears resolved, I will now close it. If it needs to be reopened and you are the original starter, please PM a staff member.