Old 02-07-2006, 09:24 PM   #1 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


spyware (moved from XP)

recently got rid of worm and other B.S. with ur help.....loaded AVG free and was loading Zone Alarm free and doing the pre-scan and came up with...



eAcceleration - Adware
RegistryKey - HKEY_CLASSES_ROOT\ThreatScanner.StatusCLSID\

Com - 3rd Party Cookie
URL - Cookie:ed@com.com/

Superstats - 3rd Party Cookie
URL - Cookie:ed@superstats.com/




Did hi-jack and this is log...

Logfile of HijackThis v1.99.1
Scan saved at 9:01:37 PM, on 2/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SM1BG.EXE
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\eTrust EZ Firewall\ca.exe
D:\gcasServ.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\3BSOFT~1\WINDOW~1\Windows Clean-Up Pro.uzy
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Support.com\bin\tgcmd.exe
D:\COMCAS~1\data\Xtras\mssysmgr.exe
D:\gcasDtServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Digital Imaging\bin\hpohmr08.exe
D:\Digital Imaging\bin\hpotdd01.exe
D:\Picture Package Menu\SonyTray.exe
D:\Picture Package Applications\Residence.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Digital Imaging\bin\hpoevm08.exe
D:\Spy Sweeper\WRSSSDK.exe
D:\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Ed\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mailaka.net/portal/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Windows Clean-Up Pro] D:\PROGRA~1\3BSOFT~1\WINDOW~1\Windows Clean-Up Pro.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "c:\Program Files\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "D:\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093576137037
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37590.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neut...cab?10,0,910,0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Big Ed needs help again...................

Last edited by Big Ed; 02-07-2006 at 09:25 PM.
Big Ed is offline  

Old 02-08-2006, 10:03 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,946
OS: WinXP and Vista


Hey Big Ed,

That entry appears to be an orphaned registry entry from the Uninstall you did a while back for Acceleration Software. As long as there is no file associated with it, it will do no harm.

Have you run Spybot? It should detect that entry and fix it for you. If Spybot doesn't detect it, go to Start->Run and type in regedit and hit OK.

Navigate to the following key and tell me if it is the entire key as you see listed on your system:

HKEY_CLASSES_ROOT\ThreatScanner.StatusCLSID\
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 02-09-2006, 01:52 PM   #3 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


Spybot scan

Spybot results..which I always get and fix....

--- Search result list ---
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Start-> Run...shows HKEY_CLASSES_ROOT that's all
Big Ed is offline  
Old 02-09-2006, 02:08 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,946
OS: WinXP and Vista


Hi Ed,

Let's do a little digging.

Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately):

eAcceleration
Acceleration Software

Save the file/files and post the results here.

Spybot detecting this entry...HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0 is fine. Set it up to ignore the entry as it's an issue with Spybot and the entry is correct.
Ried is offline  
Old 02-09-2006, 02:51 PM   #5 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


http://www.greyknight17.com/spy/RegSrch.vbs

When I open I get a file not a scanner...........

'RegSrch.vbs - Search Registry for input string and display results.
'© Bill James - wgjames@mvps.org
' revised 20 Apr 2001 (parses regfile ~3X faster)
' revised 13 Dec 2001 (added Regedit command line switch for Win2K/WindXP)

Option Explicit
Dim oWS : Set oWS = CreateObject("WScript.Shell")
Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")

Dim sSearchFor
sSearchFor = InputBox("This script will search your Registry and find all " & _
    "instances of the search string you input." & vbcrlf & vbcrlf & _
    "This search could take several minutes, so please be patient." & _
    vbcrlf & vbcrlf & "Enter search string (case insensitive) and " & _
    "click OK...", WScript.ScriptName & " " & Chr(169) & " Bill James")

If sSearchFor = "" Then Cleanup()

Dim StartTime : StartTime = Timer

Dim sRegTmp, sOutTmp, eRegLine, iCnt, sRegKey, aRegFileLines

sRegTmp = oWS.Environment("Process")("Temp") & "\RegTmp.tmp "
sOutTmp = oWS.Environment("Process")("Temp") & "\sOutTmp" & _
    Hour(Now) & Minute(Now) & Second(Now) & ".tmp "

oWS.Run "regedit /e /a " & sRegTmp, , True '/a enables export as Ansi for WinXP

With oFSO.OpenTextFile(sOutTmp, 8, True)
    .WriteLine("REGEDIT4" & vbcrlf & "; " & WScript.ScriptName & " " & _
        Chr(169) & " Bill James" & vbcrlf & vbcrlf & "; Registry search " & _
        "results for string " & Chr(34) & sSearchFor & Chr(34) & " " & Now & _
        vbcrlf & vbcrlf & "; NOTE: This file will be deleted when you close " & _
        "WordPad." & vbcrlf & "; You must manually save this file to a new " & _
        "location if you want to refer to it again later." & vbcrlf & "; (If " & _
        "you save the file with a .reg extension, you can use it to restore " & _
        "any Registry changes you make to these values.)" & vbcrlf)

    With oFSO.GetFile(sRegTmp)
        aRegFileLines = Split(.OpenAsTextStream(1, 0).Read(.Size), vbcrlf)
    End With

    oFSO.DeleteFile(sRegTmp)

    For Each eRegLine in aRegFileLines
        If InStr(1, eRegLine, "[", 1) > 0 Then sRegKey = eRegLine
        If InStr(1, eRegLine, sSearchFor, 1) > 0 Then
            If sRegKey <> eRegLine Then
                .WriteLine(vbcrlf & sRegKey) & vbcrlf & eRegLine
            Else
                .WriteLine(vbcrlf & sRegKey)
            End If
            iCnt = iCnt + 1
        End If
    Next

    Erase aRegFileLines

    If iCnt < 1 Then
        oWS.Popup "Search completed in " & FormatNumber(Timer - StartTime, 0) & " seconds." & _
            vbcrlf & vbcrlf & "No instances of " & chr(34) & sSearchFor & chr(34) & _
            " found.",, WScript.ScriptName & " " & Chr(169) & " Bill James", 4096
        .Close
        oFSO.DeleteFile(sOutTmp)
        Cleanup()
    End If
    .Close

End With

oWS.Popup "Search completed in " & FormatNumber(Timer - StartTime, 0) & " seconds." & _
    vbcrlf & vbcrlf & iCnt & " instances of " & chr(34) & sSearchFor & chr(34) & _
    " found." & vbcrlf & vbcrlf & "Click OK to open Results in WordPad.",, _
    WScript.ScriptName & " " & Chr(169) & " Bill James", 4096

oWS.Run "WordPad " & sOutTmp, 3, True

oFSO.DeleteFile(sOutTmp)

Cleanup()

Sub Cleanup()
    Set oWS = Nothing
    Set oFSO = Nothing
    WScript.Quit
End Sub
Big Ed is offline  
Old 02-09-2006, 03:00 PM   #6 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


in regedit

Did find under HKEY_CLASSES_ROOT...themefile with subfolder ThreatScanner.StatusCLSID
Big Ed is offline  
Old 02-09-2006, 07:29 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,578
OS: 2000 Pro; XP Pro; XP Home


Quote:
Originally Posted by Big Ed
Spybot results..which I always get and fix....

--- Search result list ---
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
Big Ed -

You have McAfee Security Center. It disables Windows Security Center upon install by design. You also have Zone Alarm Firewall. Same thing. Spybot is telling you something has disabled your Windows Firewall and Security Center.

As long as you know what it is, you can tell Spybot to ignore those two.

Please see this link at Safer Networking, Spybot's home, regarding these finds.

As far as the regsearch goes...you have to right-click and save the script, save it to your desktop, not single click on it, or you will end up looking at the actual script, as you have seen.

Try that, and follow Ried's instructions for the search once again.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 02-09-2006, 08:54 PM   #8 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


I'm not running McAfee or ZoneAlarm...McAfee is turned off and I was going to load ZoneAlarm free...ran the ZoneAlarm scan and found the eacceleration thing.

U lost me on the clicking....all I get is a file...no scanner.

tetonbob....where u at in wyo?

Last edited by Big Ed; 02-09-2006 at 08:58 PM.
Big Ed is offline  
Old 02-09-2006, 10:20 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,578
OS: 2000 Pro; XP Pro; XP Home


These entries are from McAfee

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

Every time you reboot, these services are active.

My mistake about ZA....eTrust uses the same engine.

O4 - HKLM\..\Run: [Zone Labs Client] "c:\Program Files\eTrust EZ Firewall\ca.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

It is these entries which are likely the cause of Spybot's finds.

About regsearch....I don't know how much more I can simplify it, but I'll try. If you're getting a file opening in your browser, you're not doing it correctly.

On the link:

http://www.greyknight17.com/spy/RegSrch.vbs

Use your mouse's right button, and click once. (See thumbnail)

In Firefox, Select Save Link As, and click on it. (See thumbnail)

Save it to your desktop (or a folder). (See thumbnail)

You should now have a vbs script file on your desktop. (See thumbnail)

Double click on it, and you should now see a small scanning tool/box. (See thumbnail)

Hope that helps.

PS -

Spent 20 years in Wilson, at the base of Teton Pass. Currently in NC.
Attached Images
File Type: jpg regsearch.jpg (100.0 KB, 3 views)
File Type: jpg Save link as.JPG (100.7 KB, 3 views)
File Type: jpg vbs file.JPG (54.4 KB, 3 views)
File Type: jpg vbs tool open.JPG (64.7 KB, 2 views)
File Type: jpg Save to desktop.JPG (90.1 KB, 2 views)
Last edited by tetonbob; 02-09-2006 at 10:24 PM.
tetonbob is offline  
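
The point made in post #9, that a product which is "turned off" still shows Run entries and services in the log, can be checked mechanically. This is an added example, not part of the thread or of HijackThis itself; the function and class names are hypothetical, and the sample lines are copied from the HijackThis log in post #1.

```python
import re
from typing import NamedTuple

# Subset of the HijackThis v1.99.1 log from post #1 (copied, not complete).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O4 - HKLM\..\Run: [Zone Labs Client] "c:\Program Files\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


class Autostart(NamedTuple):
    code: str     # HijackThis section code: "O4" or "O23"
    kind: str     # "run-key" or "service"
    name: str     # Run value name, or service display name
    vendor: str   # only present on O23 lines; "" for O4
    command: str  # command line or service binary path


# O4 - HKLM\..\Run: [ValueName] command line
_O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23 - Service: Display name (ShortName) - Vendor - X:\path\to\binary
# The "(ShortName)" part is optional; some lines in the log omit it.
_O23_SVC = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<svc>[^)]+)\))?"
    r" - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$")


def parse_autostarts(log_text):
    """Return the Run-key (O4) and service (O23) entries found in a log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _O4_RUN.match(line)
        if m:
            entries.append(Autostart("O4", "run-key", m["name"], "", m["cmd"]))
            continue
        m = _O23_SVC.match(line)
        if m:
            entries.append(
                Autostart("O23", "service", m["name"], m["vendor"], m["path"]))
    return entries


def find_autostarts(log_text, needles):
    """Entries whose name, vendor or command mentions any needle (case-insensitive)."""
    wanted = [n.lower() for n in needles]
    hits = []
    for entry in parse_autostarts(log_text):
        haystack = " ".join((entry.name, entry.vendor, entry.command)).lower()
        if any(n in haystack for n in wanted):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for product in ("mcafee", "zone labs"):
        print(product)
        for e in find_autostarts(SAMPLE_LOG, [product]):
            print("  %-3s %-8s %s -> %s" % (e.code, e.kind, e.name, e.command))
```
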
Old 02-10-2006, 08:48 AM   #10 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


vbs file

OK...right double click and I clicked on open with command prompt. Scanned for both and eAcceleration found two files and clicked to open in wordpad....I have notepad...where are the wordpad files?
Big Ed is offline  
Old 02-10-2006, 09:23 AM   #11 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


Backup a minute....got to thinking...went to vbs file and replaced wordpad with notepad and got the results.......................

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "eAcceleration" 2/10/2006 9:18:18 AM

; NOTE: This file will be deleted when you close NotePad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1151577714-2714573495-3022045986-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\eAcceleration]

[HKEY_USERS\S-1-5-21-1151577714-2714573495-3022045986-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\eAcceleration\Stop-Sign]

Last edited by Big Ed; 02-10-2006 at 09:28 AM.
Big Ed is offline  
Old 02-10-2006, 10:11 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,946
OS: WinXP and Vista


Hi Ed,

I'm glad you got it working, good job.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the
registry somewhere as a backup. Close the Registry Editor now.

Go to Start->Run and type in notepad and hit OK. Copy and paste the following bolded text into Notepad:

REGEDIT4

[-HKEY_USERS\S-1-5-21-1151577714-2714573495-3022045986-1005\Software\Microsoft\Windows\CurrentVersion\Exp lorer\MenuOrder\Start Menu2\Programs\eAcceleration]

[-HKEY_USERS\S-1-5-21-1151577714-2714573495-3022045986-1005\Software\Microsoft\Windows\CurrentVersion\Exp lorer\MenuOrder\Start Menu2\Programs\eAcceleration\Stop-Sign]


After you've copied it into Notepad:
look at the way \Explorer\ has 'split' like this \ Exp lorer\. Delete that space between the p and l for each entry.

Now, save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

You should be all set now.
Ried is offline  
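
Post #12 warns that the forum split \Explorer\ into \Exp lorer\ inside the key paths. The following is an added example, not part of the thread or of any tool mentioned in it: a pre-merge check that compares the `[-KEY]` lines of a delete file against the keys the registry search actually reported. The function names are hypothetical; the sample text is copied from posts #11 and #12.

```python
import re

# Headers regedit.exe writes at the top of an exported .reg file.
VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
ROOTS = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
SECTION = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]\s*$")

# Search results from post #11 (comment lines shortened).
SEARCH_OUTPUT = r"""
REGEDIT4
; Registry search results for string "eAcceleration"

[HKEY_USERS\S-1-5-21-1151577714-2714573495-3022045986-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\eAcceleration]

[HKEY_USERS\S-1-5-21-1151577714-2714573495-3022045986-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\eAcceleration\Stop-Sign]
"""

# Delete file as it reads when copied from post #12, "Exp lorer" split included.
PASTED = r"""
REGEDIT4

[-HKEY_USERS\S-1-5-21-1151577714-2714573495-3022045986-1005\Software\Microsoft\Windows\CurrentVersion\Exp lorer\MenuOrder\Start Menu2\Programs\eAcceleration]

[-HKEY_USERS\S-1-5-21-1151577714-2714573495-3022045986-1005\Software\Microsoft\Windows\CurrentVersion\Exp lorer\MenuOrder\Start Menu2\Programs\eAcceleration\Stop-Sign]
"""

# The same file after the manual correction post #12 asks for.
FIXED = PASTED.replace("Exp lorer", "Explorer")


def _squash(key):
    """Lower-case and drop all whitespace so wrapped copies compare equal."""
    return re.sub(r"\s+", "", key).lower()


def exported_keys(search_output):
    """Key paths from the [KEY] lines of a RegSrch.vbs style result file."""
    keys = []
    for line in search_output.splitlines():
        m = SECTION.match(line.strip())
        if m and not m.group("minus"):
            keys.append(m.group("key"))
    return keys


def review_delete_file(reg_text, found_keys):
    """Return (approved, problems) for a .reg file meant to delete found_keys."""
    lines = [ln.strip() for ln in reg_text.splitlines() if ln.strip()]
    approved, problems = [], []
    if not lines or lines[0] not in VALID_HEADERS:
        problems.append("first line %r is not a .reg header"
                        % (lines[0] if lines else ""))
    exact = {k.lower() for k in found_keys}
    loose = {_squash(k) for k in found_keys}
    for ln in lines[1:]:
        if ln.startswith(";"):          # comment line
            continue
        m = SECTION.match(ln)
        if not m:
            problems.append("unexpected line in a delete-only file: %r" % ln)
            continue
        key = m.group("key")
        if not m.group("minus"):
            problems.append("section without '-' creates a key: %s" % key)
        elif key.split("\\", 1)[0] not in ROOTS:
            problems.append("unknown root key: %s" % key)
        elif key.lower() in exact:
            approved.append(key)
        elif _squash(key) in loose:
            problems.append("whitespace differs from the search result: %s" % key)
        else:
            problems.append("key was not in the search results: %s" % key)
    return approved, problems


if __name__ == "__main__":
    found = exported_keys(SEARCH_OUTPUT)
    for label, text in (("pasted", PASTED), ("fixed", FIXED)):
        ok, bad = review_delete_file(text, found)
        print(label, "approved:", len(ok), "problems:", len(bad))
        for p in bad:
            print("   ", p)
```
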
Old 02-10-2006, 10:47 AM   #13 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


lost

U lost me from this point on...........


Now, save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.
Big Ed is offline  
Old 02-10-2006, 11:15 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,578
OS: 2000 Pro; XP Pro; XP Home


I have attached a file to this post - regdel.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.
Last edited by tetonbob; 09-19-2006 at 01:55 PM.
tetonbob is offline  
Old 02-10-2006, 11:29 AM   #15 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


zip

Did the zip....did restart...did pre-scan for ZoneAlarm Free and get




eAcceleration - Adware

RegistryKey - HKEY_CLASSES_ROOT\ThreatScanner.StatusCLSID\




Big Ed is offline  
Old 02-10-2006, 04:21 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,578
OS: 2000 Pro; XP Pro; XP Home


I have attached a file to this post - regdel1.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

Any other issues?
Last edited by tetonbob; 09-19-2006 at 01:55 PM.
tetonbob is offline  
Old 02-10-2006, 04:43 PM   #17 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


1zip

That did it.



The following spyware was detected:

The Zone Labs security scanner has found no spyware on your computer.

Discover other tools to protect your PC by clicking here

Big Ed is offline  
Old 02-10-2006, 06:12 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,578
OS: 2000 Pro; XP Pro; XP Home


Good to hear, Big Ed.

I know you've just recently had a cleaning here, so I won't post the usual closing reply.

Stay safe out there. Happy Computing!

PS -

Do you know Wyo well?
tetonbob is offline  
Old 02-10-2006, 09:34 PM   #19 (permalink)
I helped the forums.
 
Join Date: Jan 2006
Posts: 58
OS: xp


I currently live in South Jordan, Utah...but went to college in Montana at Missoula.... fought fires during the summer. Got to see some of the Rocky Mountain divide country....of course real pretty around Jackson and the Teton area. I love western Montana, northern Idaho, western Wyoming....all them craggy mountains and pretty valleys. Not like those round top all vegetated humid mounds back east....I grew up and gradiated from Hi School in N.Y. on Looooong Giland from Lindenhurst H. S. .......went west ...dried out...never to return to the humididity.....E
Big Ed is offline  
Old 02-10-2006, 09:46 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,578
OS: 2000 Pro; XP Pro; XP Home


LOL -

I escaped from the other side of the Sound long ago, and never looked back. I'm Temporarily East of the Mississippi, but the Rocky Mountain West is in my blood.

I'll be back someday.

Cheers!
tetonbob is offline  
Copyright 2001 - 2009, Tech Support Forum