Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Post #1 by miracleshaman (Registered User, OS: XPSP2), 12-09-2006, 12:22 AM

My laptop cannot get Microsoft Updates and I couldn't install most of the free scans

The only scans that would work were Trend Micro. CWShredder found nothing, but the scan did find WinAd 1, but said it could not remove it.

About two weeks ago I started getting pop-up ads like crazy. I couldn't stand being online, it was so annoying! I downloaded Registry Mechanic and it found and removed lots of errors, and it was a little bit better, but not completely.

I run Spybot, Ad-Aware, SpySweeper, Registry Mechanic and Arovax AntiSpyware every day, and they always find stuff, every day, but I still can't get Updates and the pop-ups, though lessened were still there.

So I downloaded HijackThis and eliminated everything listed in the first scan. Before I read not to. Oops! Luckily, I didn't wreck anything. Nor did I fix anything. Then I ran HijackThis again, and went through every item, one by one, and removed what I identified as bad. And the pop-ups have totally stopped. At least none today, and only one yesterday. Way better than one every 2 seconds!

But I still can't get Microsoft Updates or updates for Windows Defender (or download and install those scanners, even for a one-time use). I have no trouble getting updates for AVG, Ad-Aware, or Spybot.

When I go to get Updates, it says the files I need cannot be found and must be reinstalled. So I click on OK, and it says Downloading... Registering... and then goes right back to the page that says the files have to be installed. And it's just an endless loop, over and over. With nothing actually being installed. Even when I could get updates (this started a few weeks ago) I could never install the update for .Net Framework. That would fail every time.

Looking forward to finding out what you find. So here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:42:58 AM, on 12/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Suraya Rose Sarae\Application Data\Allume Systems\StuffIt\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Arovax AntiSpyware] "C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - Unknown owner - C:\Acer\eManager\anbmServ.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I see it lists Panda and other scanners, so I guess they did install after all, but none of them would actually scan. And it's possible the places that say files missing are from where I deleted things before I knew better.

And in case there is any confusion. This post is for a different computer than what I posted for earlier. I'd think it was obvious to you, because the problems are different. But just in case you're wondering why I posted again so soon, that's why!

Thank you in advance for what you find, because I have been worried about security breaches on this computer. I do download P2P files here. Miracle Shaman.
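Triage of a HijackThis log like the one above can be partly automated. The following Python script is an added example (not code from the thread, from HijackThis, or from the forum's helpers) that parses the numbered O4/O9/O16/O23 entries and flags the ones a helper would look at first: entries whose file is reported missing, services with an unknown owner, autoruns launched from a user profile, and downloaded ActiveX controls. The sample log is constructed from lines of the kind shown above, with a hypothetical `updater` autorun and a placeholder scanner URL added so it runs offline.

```python
"""Triage helper for HijackThis 1.99.x logs.

Added example, not part of the original thread and not HijackThis code.
It parses the numbered entries (R0, O4, O9, O16, O20, O23, ...) of a log
and reports the ones worth a closer look.
"""
import re

# Constructed sample log: lines in the format HijackThis 1.99.1 writes, modelled
# on the thread's log, plus a hypothetical "updater" autorun and a placeholder
# scanner URL (http://scanner.example/) so the script runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Application Data\upd\updater.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://scanner.example/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - Unknown owner - C:\Acer\eManager\anbmServ.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# One regex per entry shape we care about; everything else is kept as raw text.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")

# Path fragments that mean an autorun is launched from a user profile rather
# than from Program Files or the Windows directory.
USER_PROFILE_HINTS = ("\\documents and settings\\", "\\application data\\",
                      "\\local settings\\", "\\temp\\")


def parse_entries(log_text):
    """Return (kind, body) tuples for every numbered HJT entry in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def image_path(cmd):
    """Extract the executable path from an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: HJT writes the full path, so cut after the first ".exe".
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else cmd.split(" ")[0]


def triage(log_text):
    """Return (kind, reason, detail) findings worth a closer look."""
    findings = []
    for kind, body in parse_entries(log_text):
        # HJT appends "(file missing)" when the referenced file does not exist.
        if body.endswith("(file missing)"):
            findings.append((kind, "file missing", body))
        if kind == "O4":
            m = O4_RE.match(body)
            if m and any(h in image_path(m.group("cmd")).lower() for h in USER_PROFILE_HINTS):
                findings.append((kind, "autorun from user profile", m.group("name")))
        elif kind == "O23":
            m = O23_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                findings.append((kind, "service with unknown owner", m.group("short")))
        elif kind == "O16":
            m = O16_RE.match(body)
            if m:
                findings.append((kind, "downloaded ActiveX control", m.group("clsid")))
    return findings


if __name__ == "__main__":
    for kind, reason, detail in triage(SAMPLE_LOG):
        print(f"{kind:<4} {reason:<28} {detail}")
```

A "file missing" hit is not proof of malware on its own; in this thread it is equally consistent with entries the poster removed by hand, which is why the helper asks for more logs before fixing anything.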
Post #2 by miracleshaman, 12-09-2006, 03:46 PM

P. S. The pop-ups are back!

So I guess I didn't fix that part after all!

Not so many... only 2 today. But I'm shooting for none! The way it always used to be before this all started.

Looking forward to your expert advice.

Thanks!
Post #3 by miracleshaman, 12-11-2006, 08:34 AM

Bump!
Post #4 by miracleshaman, 12-12-2006, 07:09 AM

BUMP Please!
Post #5 by miracleshaman, 12-12-2006, 11:42 AM

Double BUMP

Please Help! Believe it or not, my HijackThis was Hijacked!!! I have to download and install it again. It was replaced by something called winimprvise. I'm going to download HJT again.

I know you're busy, and there are LOTS of requests for help, and you're all volunteers... and I would appreciate help soon!

Thanks!
Post #6 by miracleshaman, 12-13-2006, 10:15 AM

Maybe this doesn't sound like a serious enough request to warrant your attention, and I should have used more alarming words in my headline. But I know there are critical security breaches on this system, and I need to find out what they are, clean them up, and protect against future assaults. I really need a response. Please! People who have posted after me have already gotten help. There are so many posts! Maybe mine have somehow been missed? I really wish someone would answer! It's been 4-1/2 days.

BUMP PLEASE!
Post #7 by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Ohio; OS: WinXP and Vista), 12-14-2006, 04:52 PM

Hello miracleshaman,

Our sincere apologies for the oversight of your threads. I'd like to thank you for your kind patience.

Quote:
my HijackThis was Hijacked!!! I have to download and install it again. It was replaced by something called winimprvise.
Did you delete that file? I'd sure like to get a sample of that file if it is still on your system.



Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Before we begin, please move HiJackThis to its own folder, like c:\HJT. While we're cleaning the rest of your system, various tools used will clean the temp folder, and with HiJackThis in its current location we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

*****************************************

Unfortunately, there is nothing readily apparent in this log. I'd like you to run another tool and we'll see if it reveals anything for us:

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

-------------------------------------

Close any open browsers.

-------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


By any chance did you save previous scans performed by AVG A-S? If so, could you please post them here. If saved, the report can be found in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Post #8 by miracleshaman, 12-14-2006, 06:44 PM

ComboFix log

Ried,

The instructions to disable Windows Defender were posted on the thread for the desktop and it is actually installed on this computer, the laptop. And I read, copied, and followed the instructions for this one first. While ComboFix was running I went in the other room to work on the instructions for the desktop. And that's where I saw the instructions re: Windows Defender. So what that means is I ran ComboFix here with Windows Defender still active. I'll post the results, but if that poses a problem, let me know and I can disable it and run the scan again.

I will say that in "asking" the computer to save the instructions in notepad on to the desktop, it did not, and I had to do a search to find where it was saved. I did find it, somewhere in Documents and Settings next to a folder called .housecall6.6, which I have NEVER seen before. I did not click on it, but it sure did look suspicious!

Anyway, here's the ComboFix log:

"Suraya Rose Sarae" - 06-12-14 19:59:46.32 Service Pack 2
ComboFix 06-12-14W-BetaE2 - Running from: "C:\Documents and Settings\Suraya Rose Sarae\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-14 to 2006-12-14 ))))))))))))))))))))))))))))))))))


2006-12-14 19:55 <DIR> d-------- C:\Program Files\HijackThis
2006-12-10 09:51 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-08 23:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-08 23:00 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-08 22:43 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-08 22:42 <DIR> d-------- C:\DOCUME~1\SURAYA~1\.housecall6.6
2006-12-02 13:18 <DIR> d-------- C:\Program Files\Windows Defender
2006-12-02 12:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2006-12-02 11:58 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2006-12-02 11:58 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2006-12-02 11:58 15,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-12-02 11:58 15,360 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-12-02 11:58 14,848 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2006-12-02 11:58 122,368 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2006-12-02 11:58 <DIR> d-------- C:\Program Files\Webroot
2006-12-02 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2006-12-02 11:54 <DIR> d-------- C:\DOCUME~1\SURAYA~1\APPLIC~1\Webroot
2006-12-02 01:24 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2006-12-01 23:20 <DIR> d-------- C:\Program Files\Registry Mechanic
2006-12-01 17:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-12-01 17:01 <DIR> d-------- C:\Program Files\OfficeUpdate11
2006-11-29 22:51 <DIR> d-------- C:\DOCUME~1\SURAYA~1\APPLIC~1\OfficeUpdate12
2006-11-26 15:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-11-23 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bowsshimclockatom
2006-11-23 13:12 <DIR> d-------- C:\DOCUME~1\SURAYA~1\APPLIC~1\Else plus


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-02 11:54 -------- d-------- C:\DOCUME~1\SURAYA~1\Application Data\webroot
2006-12-01 17:07 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-29 22:51 -------- d-------- C:\DOCUME~1\SURAYA~1\Application Data\officeupdate12
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 14:10 82432 --a------ C:\WINDOWS\system32\msxml4r.dll
2006-10-30 00:15 -------- d-------- C:\Program Files\divx
2006-10-28 01:38 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-28 01:38 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-28 01:38 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-10-28 01:38 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-17 13:33 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 13:33 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 13:33 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 13:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 13:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 13:33 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 13:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 13:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 13:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 13:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 13:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 13:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 13:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 13:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 13:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 13:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 12:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 13:07 252752 --a------ C:\WINDOWS\system32\odc.dll
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 14:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 14:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 14:04 635486 --a------ C:\WINDOWS\system32\divx.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
@=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RegistryMechanic"=""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Arovax AntiSpyware"="\"C:\\Program Files\\Arovax AntiSpyware\\arovaxantispyware.exe\" /s"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\88FC46E0B517F9C4.job
C:\WINDOWS\tasks\wrSpySweeperTrialSweep.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-12-14 20:01:47.45

___________

I couldn't find that file named winimprvise.

___________

Here's the report from the first AVG-Anti Spy scan I ran when I installed it. It seems to be the only one that was saved. But hopefully, it will tell you something.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:00:37 PM 12/10/2006

+ Scan result:



C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Ignored.
C:\Recycled\Dc1\DVD\Cinema Craft Encoder 2.70.02 [SP].rar/Cinema Craft Encoder 2.70.02 [SP]\Crack\cctspt.exe -> Adware.WinAD : Ignored.
C:\Recycled\Dc1\DVD\Cinema Craft Encoder 2.70.02 [SP].rar/Cinema Craft Encoder 2.70.02 [SP]\Crack\cctspt.rar/cctspt.exe -> Adware.WinAD : Ignored.
C:\Recycled\Dc1\DVD\DVD.Rebuilder.PRO.v1.00.RC5.1.rar/DVD.Rebuilder.PRO.v1.00.RC5.1\License.rar/License\keygen.exe -> Adware.WinAD : Ignored.
C:\Recycled\Dc1\DVD\DVD.Rebuilder.PRO.v1.00.RC5.1\License.rar/License\keygen.exe -> Adware.WinAD : Ignored.
C:\Recycled\Dc1\DVD\eclcce.rar/eclcce\EclCCE.exe -> Adware.WinAD : Ignored.
:mozilla.7:C:\Documents and Settings\Suraya Rose Sarae\Application Data\Mozilla\Firefox\Profiles\dby159qn.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Suraya Rose Sarae\Cookies\suraya_rose___sarae@adbrite[3].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Suraya Rose Sarae\Cookies\suraya_rose___sarae@site.www.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.142:C:\Documents and Settings\Suraya Rose Sarae\Application Data\Mozilla\Firefox\Profiles\dby159qn.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Suraya Rose Sarae\Cookies\suraya_rose___sarae@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.25:C:\Documents and Settings\Suraya Rose Sarae\Application Data\Mozilla\Firefox\Profiles\dby159qn.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Suraya Rose Sarae\Cookies\suraya_rose___sarae@e-2dj6wgmyuhdjadp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Suraya Rose Sarae\Cookies\suraya_rose___sarae@e-2dj6wjl4enczcbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Suraya Rose Sarae\Cookies\suraya_rose___sarae@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.117:C:\Documents and Settings\Suraya Rose Sarae\Application Data\Mozilla\Firefox\Profiles\dby159qn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.118:C:\Documents and Settings\Suraya Rose Sarae\Application Data\Mozilla\Firefox\Profiles\dby159qn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.119:C:\Documents and Settings\Suraya Rose Sarae\Application Data\Mozilla\Firefox\Profiles\dby159qn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Suraya Rose Sarae\Cookies\suraya_rose___sarae@trafic[1].txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.140:C:\Documents and Settings\Suraya Rose Sarae\Application Data\Mozilla\Firefox\Profiles\dby159qn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.141:C:\Documents and Settings\Suraya Rose Sarae\Application Data\Mozilla\Firefox\Profiles\dby159qn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end


Looking forward to finding out what you uncover!

Now back into the other room. ComboFix must be done on the desktop by now.
Post #9 by miracleshaman, 12-14-2006, 06:57 PM

I have now turned off the real time protection in Windows Defender, and unchecked everything you asked for in Spysweeper. But the version of Spysweeper I have here did not have Browser-AddOns as a choice, though it did have Network shields, which you didn't mention. I unchecked it too. If I should have left that one checked, or if I have to scan again, because they were both on during the last scan, let me know.
Post #10 by Ried, 12-14-2006, 07:48 PM

Hiya,

We only need to disable any active protection when changes will be made to the registry. Right now that is not the case so you may leave the active protection of your anti-malware tools in place.

The .housecall6.6 folder was created by Trend Micro's online scanner.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Go to My Computer -> Tools -> Folder Options -> View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Using 'My Computer', navigate to and delete the following Folders

C:\Documents and Settings\All Users\Application Data\Bowsshimclockatom
C:\DOCUME~1\SURAYA~1\APPLIC~1\Else plus


-----------------------------------

Open Notepad and copy and paste the content of the code box in it:

Code:
rem switch to the system drive, then into the Scheduled Tasks folder
C:
cd C:\Windows\Tasks
rem clear the read-only/system/hidden attributes so the job can be deleted
attrib -r -s -h *.job
del 88FC46E0B517F9C4.job
Save this Notepad file as remjobs.bat, choose to save as *All Files*,
and place it on your desktop.

Double-click on remjobs.bat. A DOS window will open and close again; this is normal.

-----------------------------------

Try now to get an online scan:

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


-----------------------------------

Download fl.zip
Extract the contents of the fl.zip to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

-----------------------------------

Create an Uninstall List:
Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
The list will automatically be saved in your HijackThis folder.

Please copy and paste the uninstall_list.txt here.

-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

Panda results
findlop.txt
uninstall_list.txt
New HijackThis log


How is your system behaving now?
Post #11 by miracleshaman, 12-15-2006, 08:53 AM

Still a puzzlement... See for yourself...

Here's the Panda Scan... Looks like it only found spyware in quarantine

Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Suraya Rose Sarae\Cookies\suraya_rose___sarae@com[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 09.12.2005 02-12-14.dat
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 12.12.2005 03-43-19.dat
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 21.02.2006 01-14-31.dat
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 07.04.2006 21-56-43.dat
Adware:Adware/SaveNow Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 08.04.2006 20-36-34.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 01.05.2006 12-16-26.dat
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 07.05.2006 21-20-36.dat
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 15.05.2006 19-50-01.dat
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 01.07.2006 19-42-30.dat
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 15.07.2006 17-46-16.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 09.08.2006 06-15-55.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 18.08.2006 20-35-09.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 07.09.2006 19-38-11.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 13.09.2006 17-57-07.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 27.09.2006 16-17-42.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 03.10.2006 12-47-49.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 10.10.2006 18-12-22.dat
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 11.10.2006 15-44-06.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 15.10.2006 10-18-21.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 28.10.2006 01-33-28.dat
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 25.11.2006 09-25-01.dat
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 02.12.2006 15-01-09.dat
Spyware:Cookie/AdDynamix Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 03.12.2006 20-26-26.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 06.12.2006 09-59-18.dat
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Arovax AntiSpyware\quarantine\archive 13.12.2006 10-01-49.dat

~~~~~~~~~~~~


Here's the findlop.txt:

Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Documents and Settings\All Users\Application Data

03/07/2005 09:37 AM <DIR> .
03/07/2005 09:37 AM <DIR> ..
03/07/2005 10:09 AM <DIR> Adobe
11/22/2005 06:08 PM <DIR> Symantec
11/26/2005 03:20 AM <DIR> Yahoo! Companion
11/28/2005 08:03 PM <DIR> Apple Computer
12/29/2005 09:08 PM <DIR> Movielink
12/30/2005 10:58 AM <DIR> Spybot - Search & Destroy
12/30/2005 11:29 AM <DIR> Windows Genuine Advantage
12/30/2005 10:37 PM <DIR> avg7
12/30/2005 10:37 PM <DIR> Grisoft
05/12/2006 12:24 AM 1,356 QTSBandwidthCache
04/10/2006 12:00 PM <DIR> MSScanAppDataDir
04/12/2006 01:00 AM <DIR> NtiDvdCopy
06/09/2006 10:05 PM <DIR> Microsoft Help
09/03/2006 02:05 PM <DIR> Google
12/02/2006 11:55 AM <DIR> Webroot
1 File(s) 1,356 bytes
16 Dir(s) 18,534,727,680 bytes free
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Documents and Settings\Administrator\Application Data

03/07/2005 09:53 AM <DIR> .
03/07/2005 09:53 AM <DIR> ..
03/07/2005 09:54 AM <DIR> Identities
0 File(s) 0 bytes
3 Dir(s) 18,534,727,680 bytes free
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Documents and Settings\Suraya Rose Sarae\Application Data

11/22/2005 05:39 PM <DIR> .
11/22/2005 05:39 PM <DIR> ..
03/07/2005 09:54 AM <DIR> Identities
11/22/2005 06:04 PM <DIR> Macromedia
11/22/2005 06:08 PM <DIR> Symantec
11/22/2005 06:15 PM <DIR> Adobe
11/22/2005 06:15 PM <DIR> AdobeUM
11/22/2005 07:25 PM <DIR> Cyberlink
11/26/2005 03:15 AM 0 dm.ini
11/26/2005 03:15 AM 1,571 AdobeDLM.log
11/28/2005 07:39 PM <DIR> Mozilla
11/28/2005 07:54 PM <DIR> Real
11/28/2005 07:59 PM <DIR> Google
11/28/2005 08:06 PM <DIR> Apple Computer
12/30/2005 11:26 AM <DIR> Lavasoft
12/30/2005 07:14 PM <DIR> Help
12/30/2005 10:37 PM <DIR> AVG7
12/31/2005 01:58 PM <DIR> Arovax NoSpam
12/31/2005 02:23 PM <DIR> Talkback
02/05/2006 11:21 PM <DIR> Leadertech
02/05/2006 11:21 PM <DIR> AdobeAUM
02/06/2006 12:50 AM <DIR> Serif
02/07/2006 01:38 AM <DIR> Sun
04/01/2006 11:32 AM 25,214 g2shortcut.ico
04/08/2006 06:38 PM <DIR> vlc
04/08/2006 10:55 PM <DIR> uTorrent
04/08/2006 11:19 PM <DIR> Azureus
04/09/2006 11:34 AM <DIR> .bittorrent
04/09/2006 12:11 PM <DIR> Media Player Classic
04/09/2006 03:04 PM <DIR> Allume Systems
04/12/2006 01:20 AM <DIR> dvdcss
04/16/2006 07:37 PM <DIR> Ahead
05/03/2006 07:32 PM <DIR> Free Download Manager
10/30/2006 11:18 PM <DIR> DivX
11/29/2006 10:51 PM <DIR> OfficeUpdate12
12/02/2006 11:54 AM <DIR> Webroot
3 File(s) 26,785 bytes
33 Dir(s) 18,534,727,680 bytes free
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Documents and Settings\Default User\Application Data

03/07/2005 09:37 AM 62 desktop.ini
1 File(s) 62 bytes
0 Dir(s) 18,534,727,680 bytes free
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Documents and Settings\NetworkService\Application Data

Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Documents and Settings\LocalService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'wrSpySweeperTrialSweep.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe'
Parameters: '/ScheduleSweep=wrSpySweeperTrialSweep'
WorkingDirectory: 'C:\'
Comment: ''
Creator: 'Suraya Rose Sarae'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 12/04/2006 2:00:00
NextRun: 12/18/2006 2:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 1
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .M.....
StartDate: 12/11/2006
EndDate: 00/00/0000
StartTime: 02:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'MP Scheduled Scan.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Windows Defender\MpCmdRun.exe'
Parameters: 'Scan -RestrictPrivileges'
WorkingDirectory: ''
Comment: 'Scheduled Scan'
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 12/15/2006 1:55:00
NextRun: 12/16/2006 1:55:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 12/13/2006
EndDate: 00/00/0000
StartTime: 01:55
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


As far as I'm concerned, I can get rid of Yahoo Companion, Apple, Azureus, .bittorrent, and anything related to copying DVDs (that didn't come pre-installed) besides Nero. I never use any of them. (Though I do use uTorrent.) There are also a couple of other things I don't recognize (Talkback?) but I'll leave the evaluation part up to you!

~~~~~~~~~~~~

Here's the uninstall_list.txt:

Acer eManager for Notebook
Acer GridVista
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
Agere Systems AC'97 Modem
Arcade 3.0
Arovax AntiSpyware 2.0.65
Arovax Shield 1.2.348
Arovax Shield 1.3.15
AVG Anti-Spyware 7.5
AVG Free Edition
AviSynth 2.5
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
Google Toolbar for Internet Explorer
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
iTunes
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
K-Lite Codec Pack 2.71 Full
Launch Manager
Lavasoft VX2 Cleaner
Macromedia Flash Player 8
MGI PhotoSuite III SE (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Movielink Manager
Mozilla Firefox (1.5.0.8)
MSN
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
Nero 7 Ultra Edition
Notes From The Universe Screen Saver
NTI Backup NOW! 4
NTI CD & DVD-Maker Gold
Panda ActiveScan
PowerProducer
QuickTime
QuickTime Alternative 1.47
RealPlayer
Realtek AC'97 Audio
Registry Mechanic 6.0
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Serif 3DPlus 2.0
Serif DrawPlus 4.0
Serif PagePlus SE 1.0
Serif PhotoPlus 6.0
Serif WebPlus 6.0
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
SiSAGP driver
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
StuffIt Standard
Synaptics Pointing Device Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
URGE
VideoLAN VLC media player 0.8.4a
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Yahoo! Anti-Spy
Yahoo! Toolbar


There are things on here I don't use either and could easily do without, but as far as I can see, nothing looks too scary. Right?

~~~~~~~~~~~~~

HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 9:29:25 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Suraya Rose Sarae\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Arovax AntiSpyware] "C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe" /s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Hmmm, that Extra Button... No Name... File Missing... thing looks interesting (maybe?)

~~~~~~~~~~~~~~~~~

Well, obviously you know better than I do... so if it is theoretically close to being all fixed now, I hope you find something here, because the main problem still exists. I still cannot get Microsoft Updates. Same thing, when I go there, it says I have to install files... I click Continue... it says Downloading... Registering... and then nothing happens and it goes right back to the page where it says I have to download the files. I used to be able to get Updates just fine.

The origin of this problem coincided with the beginning of all the pop-ups. They seem to be gone, but I haven't been online here yet. And they had kind of stopped after my own series of scans, while I was waiting for us to get started here.

The other problem I had was that I could not get Windows Defender Updates. In fact, that's how I discovered I couldn't get Microsoft Updates. And I only installed Windows Defender as an attempt to do something that would get rid of all the pop-ups that came out of nowhere all of a sudden.

Without being able to get Updates, I won't be able to get Updates for Defender either, so that's unchanged. But it's acting totally weirdly right now. It is "scanning" but nothing is happening, and I can't turn it off. It started by itself, running Quick Scan. It says it started at 1:56am, but Time Elapsed is blank, Objects Scanned is blank, and Objects is blank. And I cannot get it to STOP.

I do not mind uninstalling it, now that I have AVG-AntiSpy, because it has been nothing but problems since I got it. But if it usually works well, and this is a symptom of something, then I guess we're not done yet!

I will say that the files you had me delete at the start of this, are still in the recycle bin. I figure I should have emptied it, but you didn't say so specifically, and I didn't want to do the wrong thing. So if they're the cause of any of this, I can empty that right away.

Is it really all fixed and I am just blocking Updates with Shields or a Firewall? Or is something still screwy? I know I have to be able to get Updates for the computer to be secure.

Looking forward to the next step! I appreciate all your dedication so far! Now I'll go in the other room and see what the Panda Scan discovered on the PC, and get back to you with all of that stuff pronto!

miracleshaman
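The HijackThis entries in the post above (the O9 buttons marked "(file missing)", the O16 ActiveX downloads, the O20 Winlogon Notify values) are what a helper reads first. The following Python script is an added example, not code from the thread or from HijackThis: it parses those line formats and flags the points worth reviewing. The allow-list of ActiveX download hosts and the sample lines (copied from the log above) are constructed for the example.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not code from the thread or from HijackThis.  It parses the
O4/O9/O16/O20/O23 entry formats pasted above and flags what a helper reads
first: targets marked "(file missing)", Winlogon Notify values that do not
name a DLL, and ActiveX (O16 DPF) downloads from hosts outside an allow-list.
The allow-list and the sample lines (copied from the post) are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Entry:
    section: str   # HijackThis section code: "O4", "O9", ...
    name: str      # display name of the item
    target: str    # file path, command line or URL the entry points at
    missing: bool  # HijackThis printed "(file missing)" for the target


@dataclass(frozen=True)
class Finding:
    section: str
    name: str
    reason: str


MISSING = "(file missing)"

# One regex per section we understand; each captures "name" and "target".
_PATTERNS = {
    "O4":  re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O9":  re.compile(r"^O9 - Extra (?P<kind>[^:]+): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"),
    "O16": re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<name>[^)]*)\) - (?P<target>\S+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<target>.*)$"),
}

# Constructed allow-list: hosts the user is known to fetch on-demand scanners from.
TRUSTED_DPF_HOSTS = frozenset({"support.microsoft.com", "cdn.scan.safety.live.com"})


def parse_line(line: str):
    """Return an Entry for a recognised HijackThis line, else None."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    pattern = _PATTERNS.get(section)
    match = pattern.match(line) if pattern else None
    if match is None:
        return None
    target = match.group("target")
    missing = target.endswith(MISSING)
    if missing:
        target = target[: -len(MISSING)].rstrip()
    return Entry(section, match.group("name"), target, missing)


def triage(lines, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Run the review rules over log lines; returns Findings in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry.missing:
            findings.append(Finding(entry.section, entry.name,
                "target file is missing: orphaned entry, candidate for removal"))
        if entry.section == "O20" and not entry.target.lower().endswith(".dll"):
            findings.append(Finding(entry.section, entry.name,
                f"Winlogon Notify value does not name a DLL ({entry.target!r}); verify it"))
        if entry.section == "O16":
            host = urlparse(entry.target).hostname or ""
            if host not in trusted_hosts:
                findings.append(Finding(entry.section, entry.name,
                    f"ActiveX control fetched from {host}, not on the allow-list; confirm it is a scanner you installed"))
    return findings


# Sample lines constructed from the HijackThis log in the post above
# (the truncated "..." URLs are kept exactly as the forum displayed them).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name}: {f.reason}")
```

On the sample lines it reports the two orphaned BitDefender O9 entries, the Panda O16 download host (not on the constructed allow-list) and the WgaLogon O20 value that names a directory instead of a DLL.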
Old 12-15-2006, 01:42 PM   #12 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 128
OS: XPSP2


FYI: Windows Defender is STILL running that goofy scan, stuck at 1:56 am and registering no progress. And I CANNOT get it to stop or turn off. I suppose if I reboot, it would stop, though I haven't done that yet. I was waiting to hear what you had to say.
Old 12-15-2006, 08:13 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista


Can you identify what file/section of your computer Windows Defender seems to be stuck on?

Nothing scary in your Add/Remove programs list. Talkback can be any one of these: http://en.wikipedia.org/wiki/Talkback
Quote:
  • Talkback, software crash reporter used by the Mozilla Foundation
  • Talkback, album by the Canadian band the Spoons
  • Talkback (recording), audio system used in recording studios for communications between the control room and the recording area
  • TalkBack Productions, British television production company
  • Talkback Classroom, an Australian radio program
  • Talk radio, radio format
I'd like you to run the following tool, then try again to get Windows Updates:

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

------------------------------

If you still cannot get Windows Updates or Windows Defender Updates, please do the following:



Please download SilentRunners.vbs (299kb) - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts.

Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.

When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.


Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post that log here
Old 12-15-2006, 09:41 PM   #14 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 128
OS: XPSP2


Here's the Startup Scan, but Dreck took 7 tries to work!

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = "(empty string)" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"RegistryMechanic" = "(empty string)" [file not found]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"Arovax AntiSpyware" = ""C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe" /s" ["Arovax"]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {HKLM...CLSID} = "StuffIt Compress Menu"
\InProcServer32\(Default) = "C:\Program Files\Allume Systems\StuffIt\CompressMenu.dll" ["Allume Systems, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {HKLM...CLSID} = "StuffIt Compress Menu"
\InProcServer32\(Default) = "C:\Program Files\Allume Systems\StuffIt\CompressMenu.dll" ["Allume Systems, Inc."]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Suraya Rose Sarae\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\72NAME~1.SCR" (72NamesOfGod.scr) [null data]


Enabled Scheduled Tasks:
------------------------

"wrSpySweeperTrialSweep" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /ScheduleSweep=wrSpySweeperTrialSweep" ["Webroot Software, Inc."]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "MGINavigationCanceled" = "(empty string)" [file not found]
<<H>> "MGIWelcome" = "(empty string)" [file not found]
<<H>> "MGIOfflineInformation" = "(empty string)" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Notebook Manager Service, anbmService, "C:\Acer\eManager\anbmServ.exe" ["OSA Technologies Inc."]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" ["Webroot Software, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Office Document Image Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 69 seconds.
---------- (total run time: 138 seconds)



I downloaded the Dreck and it installed into its own folder just fine. But that's about as far as I get. When I double-click to start it, it opens but then stalls, and then says Not Responding across the top. Same thing 6 tries. Most times it only got as far as a blank white screen. Though twice I got as far as the list. I unchecked those few items and clicked OK. But then when I clicked SAVE, it stopped. And the Not Responding showed again. And it took quite a while to get it to close each time to start again. And then of course I got the "you have chosen to end a nonresponsive program... send Microsoft an error report." And that box won't close unless you click yes!

I decided to try it one more time before I sent this, and it did work this time, but instead of deleting the above paragraph and just sending the log, I left it here for you to see, in case the stalling is significant.

Anyway, here's the completed Dreck log:

StartDreck (build 2.1.7 public stable) - 2006-12-15 @ 23:24:45 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 7.0.5730.11
Logged in as Suraya Rose Sarae at ASPIRE3003WLMI

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
»RunOnce
»Default User
»Run
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
»Local Machine
»Run
*RegistryMechanic=
*Windows Defender="C:\Program Files\Windows Defender\MSASCui.exe" -hide
*Arovax AntiSpyware="C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe" /s
*!AVG Anti-Spyware="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\system32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Microsoft Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\system32\blank.htm
*Search Bar=http://www.google.com/ie
*Search Page=http://www.google.com
*Start Page=http://www.ebay.com/
+SearchUrl
»Default User
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
»Local Machine
*Local Page=%SystemRoot%\system32\blank.htm
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://www.google.com/ie
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=C:\WINDOWS\system32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\system32\stobject.dll
*UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1}
`InprocServer32=C:\WINDOWS\system32\upnpui.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Suraya Rose Sarae\Start Menu\Programs\Startup\desktop.ini
»Default User
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
`PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
`PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
*C:\WINDOWS\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
`lh %SystemRoot%\system32\nw16
`lh %SystemRoot%\system32\vwipxspx
*C:\WINDOWS\system32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\system32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\system32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
+C:\WINDOWS\system32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\system32\agrsmdel.exe
*C:\WINDOWS\agrsmdel.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+596=\SystemRoot\System32\smss.exe
+668=\??\C:\WINDOWS\system32\csrss.exe
+692=\??\C:\WINDOWS\system32\winlogon.exe
+736=C:\WINDOWS\system32\services.exe
+748=C:\WINDOWS\system32\lsass.exe
+892=C:\WINDOWS\system32\svchost.exe
+936=C:\WINDOWS\system32\svchost.exe
+972=C:\Program Files\Windows Defender\MsMpEng.exe
+1016=C:\WINDOWS\System32\svchost.exe
+1124=C:\WINDOWS\system32\svchost.exe
+1252=C:\WINDOWS\system32\svchost.exe
+1512=C:\WINDOWS\system32\spoolsv.exe
+1988=C:\Acer\eManager\anbmServ.exe
+204=C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
+224=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+244=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+260=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
+536=C:\WINDOWS\Explorer.EXE
+644=C:\WINDOWS\system32\svchost.exe
+1080=C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
+1220=C:\WINDOWS\system32\svchost.exe
+1368=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
+1132=C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
+2436=C:\WINDOWS\System32\alg.exe
+2616=C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe
+2964=C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
+3196=C:\WINDOWS\System32\svchost.exe
+3268=C:\WINDOWS\system32\ctfmon.exe
+2932=C:\Program Files\Internet Explorer\IEXPLORE.EXE
+3276=C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
+2576=C:\WINDOWS\system32\DllHost.exe
+1244=C:\Program Files\Internet Explorer\iexplore.exe
+2668=C:\WINDOWS\system32\NOTEPAD.EXE
+2184=C:\Documents and Settings\Suraya Rose Sarae\Desktop\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User


And I was finally able to exit out of Defender, though that "scan" was still running. It was running in the system tray with all the icons of programs that load at start up.

Now, back to the PC...
miracleshaman is offline  
Old 12-16-2006, 11:14 AM   #15 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 128
OS: XPSP2


I wanted to add that I am having a new problem. I ran Spybot and Adaware this morning and they both picked up stuff. So I was going to run SpySweeper too. And it won't run. It says it is locked out by the system. Is that something we did? If so, how to undo it? If it's not something we did, something else is going on!
miracleshaman is offline  
Old 12-16-2006, 05:04 PM   #16 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 128
OS: XPSP2


SpySweeper unlocked but AVG found medium risk spy cookies I've never had before

While I've been waiting to hear back from you, and since I uninstalled Arovax and rebooted, I decided to run some more scans. Usually they find the same low risk ones over and over, omniture, pointroll, questionmarket, and others, but an AVG Anti-Spy scan just found 3 new ones Adbrite, Euroclick, and Cookie.com that they rate as medium risk. I'm glad the scanner is working (and now the SpySweeper is OK too) but it's a little disconcerting that now that we're wrapping this up, new items are being found. Though I guess it doesn't necessarily mean they have just been deposited. Maybe they are just being discovered. But if they are just being deposited, how do I block them and keep them out? How do I keep things clean? I haven't been surfing the 'Net since we started working on this together. So where are new things coming from? I still have 3 different kinds of Shields even after uninstalling Arovax today, a Firewall, and SpyWare Blaster. Aren't they supposed to keep new things from getting in? Maybe that's what we'll be working on next. I do want to know if these items should be quarantined or deleted.

I also have some good news! I FINALLY got an email back from Windows Updates Support. TODAY! I wrote to them well over 2 weeks ago, when the main problem started, and hadn't heard back. That's probably why I was getting so antsy waiting for somebody here to respond to my log posting, because I'd already been waiting for them for 2 weeks.

And since all we've done so far still has not corrected my main presenting problem, (though it has solved others), I was soooooo glad to get their email. And it actually was helpful!

They determined that "The issue was caused by some corrupted Windows Update engines or the system temporary folder has been set to read only." They had me Re-register Windows Update engines and Reload the Update temporary folders, both of which took a lot of steps. But it seems to have worked, because I can now get Updates, and Windows Defender can get Updates too, and it works properly. No endless empty scans.

Updates still fail for the .Net Framework Service Pack 1, so I'm still waiting to hear back from them on that. I had to send them an Updates log, which I can also post here, if you'd like. I don't know if you would find it helpful or not. If you'd like to see it, let me know.

We didn't discuss cause, so for all I know, Updates could have been corrupted by whatever caused all those pop-ups to start happening a few weeks ago. Both things started at the same time. So I am glad to be working on things here too. Especially now that I'm starting to find spy cookies I've never had before.

Anyway, that's my update! Looking forward to what you will have me do next. I greatly appreciate all your diligence and help so far.
miracleshaman is offline  
Old 12-16-2006, 06:35 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista


Hiya,

I'm so glad you got the Windows Update working again. I was about to send you over to the Windows XP section for assistance on getting that working properly again as I see no malware in either the StartDreck or SilentRunners logs.

It's possible that you have too many Active Protection programs on your system and they were conflicting with one another--evidenced by the issue of SpySweeper being resolved once you uninstalled Arovax. It's fine to have multiple anti-malware programs to scan your system, but too many actively protecting your system doesn't always work out.

SpywareBlaster does not fall under the category of 'Active Protection' as it does not 'watch' for any other malware--as is the case with SpySweeper, AVG A-S, Arovax, Windows Defender. Spyware Blaster focuses on bad ActiveX controls that try to download on your computer. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). Launch SpywareBlaster and click on each of the browser tabs and you will see the items you are protected against.

The fact that AVG A-S found cookies that the others didn't report doesn't necessarily mean that new 'stuff' has found its way to your system. Each anti-malware program has its own way of scanning your system. Some will find things others 'miss', which is why it's a good idea to have more than one.

I would suggest keeping SpySweeper and Windows Defender as 'Active Protection'. Turn off AVG A-S Resident Shield, but continue to update the database and scan with it at regular intervals.

Your logs are clean. I think we can wrap this up.

If there aren't any more problems, please continue with these final instructions and helpful links.


Reset hidden/system files and folders
Windows XP
===============
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
* Click Yes to confirm.
* Click OK.

Enable Windows Auto Update
* Go to Start > Run - type wuaucpl.cpl
* Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
* Click on "OK".

Create a new System Restore point
* Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
* Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected again will reduce dramatically.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
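The final instructions in the post above are Control Panel steps. As an added example (not from this thread, and not code from IE-SPYAD, SpywareBlaster or any other tool named here), the following PowerShell script applies the same settings through the registry and WMI, and shows as defender checks the two mechanisms the recommended tools rely on: a domain mapped to Internet Explorer's Restricted sites zone (what IE-SPYAD's install.bat writes in bulk) and the ActiveX kill bit for a given CLSID (what SpywareBlaster sets from its database). It assumes Windows XP SP2 with Windows PowerShell 2.0 and an administrator account; the function names are the example's own, the registry value names and WMI methods are the documented ones, and the domain and CLSID in the usage lines are constructed placeholders.

```powershell
# Added example, not code from this thread or from any of the tools it names.
# Applies the moderator's final instructions through the registry and WMI and
# shows, as defender checks, the two mechanisms the recommended tools rely on.
# Assumes Windows XP SP2 with Windows PowerShell 2.0, run from an administrator
# account. Function names are the example's own; value names are documented ones.

$ErrorActionPreference = 'Stop'

# 1. Explorer view: hide hidden files, known extensions and protected OS files
#    again (the "Reset hidden/system files and folders" step).
function Reset-ExplorerView {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'Hidden'          -Value 2 -Type DWord  # 2 = do not show hidden files
    Set-ItemProperty -Path $key -Name 'HideFileExt'     -Value 1 -Type DWord  # 1 = hide known extensions
    Set-ItemProperty -Path $key -Name 'ShowSuperHidden' -Value 0 -Type DWord  # 0 = hide protected OS files
}

# 2. Automatic Updates: download and install on a schedule (AUOptions = 4).
#    The policy key takes precedence over wuaucpl.cpl and greys that dialog out;
#    delete the key to hand control back to the Control Panel.
function Enable-AutomaticUpdates {
    param([int]$Day = 0, [int]$Hour = 3)   # Day 0 = every day; Hour is local, 24-hour clock
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoAutoUpdate'         -Value 0     -Type DWord
    Set-ItemProperty -Path $key -Name 'AUOptions'            -Value 4     -Type DWord
    Set-ItemProperty -Path $key -Name 'ScheduledInstallDay'  -Value $Day  -Type DWord
    Set-ItemProperty -Path $key -Name 'ScheduledInstallTime' -Value $Hour -Type DWord
    Restart-Service -Name wuauserv   # the Automatic Updates service re-reads the policy on start
}

# 3. System Restore: turning it off on every fixed drive discards the old restore
#    points (which can hold copies of the files just removed); turning it back on
#    and creating a fresh point leaves a known-clean rollback target.
function Reset-SystemRestore {
    param([string]$Description = 'Post-cleanup baseline')
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    $fixed = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3'
    foreach ($d in $fixed) { [void]$sr.Disable($d.DeviceID + '\') }
    foreach ($d in $fixed) { [void]$sr.Enable($d.DeviceID + '\', $true) }
    # RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE
    $r = $sr.CreateRestorePoint($Description, 12, 100)
    return ($r.ReturnValue -eq 0)
}

# 4. Restricted sites zone, the mechanism behind IE-SPYAD's list: a DWORD named
#    '*' (every scheme) with value 4 under the domain's key maps the domain and
#    its subdomains to zone 4, where IE's defaults block scripting, ActiveX and
#    cookies while still letting the page itself load.
function Add-RestrictedSiteDomain {
    param([Parameter(Mandatory = $true)][string]$Domain)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name '*' -Value 4 -PropertyType DWord -Force | Out-Null
}

# Count the domains currently mapped to the Restricted zone: a quick check that
# an IE-SPYAD install (install.bat, option 2) actually wrote its list, which the
# batch file's own output does not confirm.
function Get-RestrictedSiteCount {
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $root)) { return 0 }
    $n = 0
    foreach ($k in Get-ChildItem -Path $root -Recurse) {
        if ($k.GetValue('*') -eq 4) { $n++ }   # RegistryKey.GetValue is a literal lookup
    }
    return $n
}

# 5. ActiveX kill bit, the mechanism SpywareBlaster sets for each CLSID in its
#    database: bit 0x400 in "Compatibility Flags" makes IE refuse to load it.
function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    return (($flags -band 0x400) -ne 0)
}

# Usage (administrator). The domain and CLSID below are constructed placeholders.
Reset-ExplorerView
Enable-AutomaticUpdates -Hour 3
Reset-SystemRestore | Out-Null
Add-RestrictedSiteDomain -Domain 'example.com'
"Restricted-zone domains: $(Get-RestrictedSiteCount)"
"Kill bit set: $(Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}')"
```

Two design notes. Writing the Automatic Updates settings to the policy key rather than the per-machine key makes them survive a user flipping the Control Panel dialog, at the cost of greying that dialog out, so it suits a machine you administer and not one you are handing back. Re-hiding known file extensions follows the post, but many practitioners keep extensions visible after a cleanup, since a double extension such as "invoice.pdf.exe" is invisible with the default view; if you prefer that, leave HideFileExt at 0.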
Old 12-17-2006, 08:11 PM   #18 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 128
OS: XPSP2


I downloaded IE-Spyad but I cannot get it to install. I get the DOS box and click on 2 and it says you have chosen to install Spyad... but then nothing else happens. I've done it 4 times, and always the same. I installed it on the desktop, no problem. Do you think all my layers of protection now are blocking it?
miracleshaman is offline  
Old 12-17-2006, 10:17 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista


No, none of the protective programs would block that. I'll look into that for you.
Ried is offline  
Old 12-19-2006, 09:42 AM   #20 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 128
OS: XPSP2


Any further word on what could be blocking the Spyad?

I guess I'm still concerned, because last night, for the first time EVER, I had the same problems on my laptop that started my requests for help on my other thread.

Freezing... not being able to navigate to another page... the cursor not responding... S-L-O-W internet... I NEVER had those problems here. And now that we are supposedly ALL DONE... It has me worried, and frustrated!

And Registry Mechanic found errors and AV-AS found another new spycookie I've never had before. And with all these shields and blockers up... What's going on?

I will admit to having a web page open overnight, so I wouldn't have to find it again this morning. I do that a lot. Is that a major NO-NO? In fact, should I not be leaving my computer on overnight at all? Especially with DSL, and "always" being connected? Though with firewall on and such... shouldn't I be safe? And Microsoft Updates usually update at 3am, and now that I CAN get them, I want to get them! I could, of course, change the time. Or have it be every time I restart Windows, if I am going to be shutting down every night.

I'd love to hear your brilliant words on all of these last wee concerns. Because I'm as anxious to have this all done with as you probably are to get me out of your hair!

YOU HAVE BEEN SO GREAT!!!!
miracleshaman is offline  
 


All times are GMT -7. The time now is 04:04 AM.

Copyright 2001 - 2009, Tech Support Forum