Toolbar - Seriously Needs to Go.....0_o


SpArKy
26-08-04, 09:57
For God's sake, I have tried for two days to get rid of this darn toolbar. I have run Ad-Aware, Spybot Search & Destroy and Spyware Doctor, and now I have run out of ideas!
http://img.photobucket.com/albums/v305/SpArKy18/toolbar.jpg

Neteru
26-08-04, 10:33
OK Sparky. I'll ask again: after first getting rid of it, did you perform a secondary scan? Sometimes this is necessary. You might like to try CWSShredder (http://www.majorgeeks.com/download4086.html) at some point. I'm not sure if this will get rid of it because I'm not exactly sure of what you have. Could you also give some details on what your scans told you they found? You will find your Spybot log in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs.

DON'T FORGET, you must disable System Restore because these nasties will be backed up. Go to Control Panel/System/System Restore tab, check the box to turn it off, and reboot. You may also find more success by performing a scan and removal when booted into Safe Mode. Press F8 during boot and select Safe Mode (without network support).

[ 26. August 2004, 11:36: Message edited by: Neteru ]

SpArKy
26-08-04, 11:22
This is my log; I think it's the latest one:
24.08.2004 12:37:41 - ##### check started #####
24.08.2004 12:37:41 - ### Version: 1.3
24.08.2004 12:37:41 - ### Date: 24/08/2004 12:37:41
24.08.2004 12:37:41 - ##### checking bots #####
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Program directory
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Program directory
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Program directory
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Program directory
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Program directory
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Program directory
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:31 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Program directory
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Program directory
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:32 - found: CoolWWWSearch.SmallM Bad Favorite
24.08.2004 12:42:39 - found: MSN Messenger Polygamy IE extension
24.08.2004 12:42:56 - found: DSO Exploit Data source object exploit
24.08.2004 12:42:56 - found: DSO Exploit Data source object exploit
24.08.2004 12:42:56 - found: DSO Exploit Data source object exploit
24.08.2004 12:42:56 - found: DSO Exploit Data source object exploit
24.08.2004 12:42:56 - found: DSO Exploit Data source object exploit
24.08.2004 12:44:24 - found: Avenue A, Inc. Tracking cookie (Internet Explorer: SpArKy)
24.08.2004 12:44:24 - found: C2.lop Tracking cookie (Internet Explorer: SpArKy)
24.08.2004 12:44:24 - found: Advertising.com Tracking cookie (Internet Explorer: SpArKy)
24.08.2004 12:44:24 - found: C2.lop Tracking cookie (Internet Explorer: SpArKy)
24.08.2004 12:44:24 - found: DoubleClick Tracking cookie (Internet Explorer: SpArKy)
24.08.2004 12:44:29 - ##### check finished #####

I'm guessing it's the search thingy :rolleyes:

Neteru
26-08-04, 12:03
In that case, CWSShredder will help you (CoolWebSearchShredder). Regarding the Avenue A., go to Spybot's Immunize page and check 'Enable permanent blocking of bad addresses in Internet Explorer' and probably select 'Block all bad pages silently' in the drop-down box below that (otherwise you'll get annoyed with all the prompts you'll get asking if you want to block Avenue A.).

Incidentally, how come you are using IE again? Oh, and as you are, you need to check the ActiveX options (Control Panel/Internet Options/Security tab/Internet/click Custom Level button and set those ActiveX options that are enabled to prompt). I think you did install Spyware Blaster (updated?) and that should have taken care of it, but check anyway.

SpArKy
26-08-04, 12:13
No, I am not using it; I'm completely Firefox. It was my little sister that used it. It's like IE was just sitting and waiting to be opened; it's evil!

SpArKy
26-08-04, 12:18
My system was completely clean??? :confused:

Neteru
26-08-04, 12:19
But the screen shot is IE, and your other screen shot (Task Manager) shows several instances of IE running.

Neteru
26-08-04, 12:21
You tried CWSShredder and it was clean? Maybe you need the MiniRemoval tool for the variant. Scroll further down on the link I gave you.

SpArKy
26-08-04, 12:39
Nope, it hasn't been found on my system! I feel a re-install is coming. No way!

Neteru
26-08-04, 13:00
OK, I think some clarification is needed here. When you reply, please be specific. Don't just say "yes, that worked" or "it's gone". I need to know exactly what you have done and in what order, so that I can be sure nothing is missed, OK?

The toolbar is still present?

Make sure ALL browser windows are closed. Check task manager to make sure no instances of IE are running in the background.

Perform a fresh scan with Spybot S & D (having made sure you have the program updated first), and if anything is found, allow Spybot to clean, reboot and perform a second scan. Please post the details. Previous log is two days old.

Please make sure System Restore is turned off.

Run AdAware, but first make sure that you 1. Have the latest program version AdAware SE (http://www.download.com/Ad-aware-SE-Personal-Edition/3000-8022-10308605.html?tag=lst-0-1), and, 2. the latest updated reference file. Clean anything found and perform a second scan.

After these, check again to make sure there are no instances of IE running. Then run CWSShredder and select Fix.

SpArKy
27-08-04, 13:48
Hi Net, sorry, you know I just haven't got the energy to type a lot these days and be specific, but I will try. Thanks!

And it seems the toolbar has gone. It doesn't appear when I launch Internet Explorer, but neither do any web pages; I think it's disabled IE somehow. But I am not bothered, I don't use it anyway; I only used it for Windows Update, and I can do that automatically now!

* Oh, thanks for the link, I wasn't aware of these updates. I am running the programme as I type; I will let you know!

[ 27. August 2004, 14:50: Message edited by: SpArKy ]

SpArKy
27-08-04, 18:58
Oh Net, I'm going to cry, it's come back. I installed SP2, and when I loaded Windows up there it was, accompanied by some icons and two new blue toolbars at the bottom of the screen, but they are not present on the screenshot!
http://img.photobucket.com/albums/v305/SpArKy18/icons.jpg

Neteru
27-08-04, 19:56
Again, I don't know what you have done exactly, because you will not detail. I cannot help you correctly if you do not follow my instructions to the letter and tell me EXACTLY what you have done at EVERY step. I ask this for a reason Sparky. I need to be certain that you are missing nothing. I also have something else in mind, and have done for a couple of days, but I want to try what is the simpler option first. I have to be certain this has been exhausted before moving on to the more complicated option. I might also say that the other option will require more specific detail on my part and on yours if we are to rid your system of this pest. So, follow the instructions in my previous post exactly. Make note (and I mean literally on paper if necessary) and report back to me with details of every step and action you took and the results. If it is apparently cleared on one step, still carry out all other instructions please. I cannot emphasize enough how important it is that I know exactly what you have done.

SpArKy
27-08-04, 20:22
Well... as you know I am not the best writer in the world.

But here we go. I DID follow ALL your instructions previously as above: I turned off System Restore, ran Ad-Aware and Spybot Search and Destroy, and deleted about 88 files from Ad-Aware; they were all mainly from my Favourites folder, which this "pest" has put in there also. However, I did get rid of the toolbar. Everything was fine until about an hour ago when I installed SP2. I don't know how it installs itself, but it seems after installing SP2 it has refreshed itself from one of my earlier System Restore points.

I say this simply because in my Firefox browser I had only just moved some links and folders on my Links toolbar in the browser, but after the installation of SP2 the links were back to the place they were a few days ago!

After doing the same as before after installing SP2, and rebooting my machine (as Ad-Aware needed to, to delete a certain file), it seems the toolbar has gone, and my homepage URL has not been altered either!
The only things left on my desktop are those icons, but a simple right-click and delete "should" get rid of those. The only thing I didn't get, Neteru, were the ActiveX control options you were talking about; I shall try them again and see what happens, but I am not worried about that as I don't use Internet Explorer anyway.

Thanks for all your help Neteru. I am not the best at explaining, but I hope the above helps in some way!

[ 27. August 2004, 21:59: Message edited by: SpArKy ]

Jenni
27-08-04, 20:40
Originally posted by SpArKy:
No, I am not using it; I'm completely Firefox. It was my little sister that used it. It's like IE was just sitting and waiting to be opened; it's evil!

It is evil - I use Firefox too ;)

Neteru
27-08-04, 21:03
Don't worry about not being the best writer in the world, I'm not expecting a Pulitzer Prize winning novel. :D All you have to do is confirm step by step, this is why I say make notes as you go along on a piece of paper if necessary.

I know you've done various things at various times. But what I was trying to establish was whether you did what I said in one go. Each point, one by one, one after the other. Without doing other things in between. Did you perform secondary scans?

You have said that you turned off System Restore. What concerns me is you think SP2 reinstated some things from a restore point. It couldn't have done if System Restore was turned off. Turning it off removes all previously created restore points. So if these shortcuts have appeared, something is still there.

I know this can be tiresome and inclined to make one want to... so, go ahead, delete the shortcuts and hope all is OK. If they come back, I would prefer you follow those instructions already posted, as I've said, before moving on to this other method I have in mind. Because that method might well make you want to...

Regarding the ActiveX, even though you don't use IE, still set them to prompt. Windows has a habit of occasionally opening IE for a link clicked rather than your default browser. Having said that, I think SP2 changes the default settings to prompt rather than the previous enabled state.

SpArKy
27-08-04, 21:14
Yes thanks i will.

Regarding the System Restore point, you are right, it does delete previously created points, but what if it made one before it was installed? To be honest I don't know what has happened here regarding the install, but what I do know is, I am back to how I was several days ago, having to do all these scans etc.

I will restart and hope that the toolbar will not reappear!

Thanks!

Neteru
27-08-04, 21:24
Some of these pests are known to create their own restore points so that if you try to get rid of them they can always come back. Another reason why I needed you to follow to the letter.

SpArKy
27-08-04, 23:26
Originally posted by Neteru:
Some of these pests are known to create their own restore points so that if you try to get rid of them they can always come back. Another reason why I needed you to follow to the letter.

I followed it to the letter the best I could!

And yes, the icons are back! With the toolbar!

[ 28. August 2004, 00:31: Message edited by: SpArKy ]

Neteru
28-08-04, 09:51
Oh dear! What a pain eh Sparky.

OK, well then my next suggestion is HijackThis (http://www.majorgeeks.com/download.php?det=3155). You can try to follow the tutorial HERE (http://forums.majorgeeks.com/showthread.php?t=38752), but if it's too complicated for you I will help. This will require a number of repeated scans and booting into safe mode.

SpArKy
28-08-04, 12:21
Oh, hold on, I think it's gone!

Yes it has. I dared to open IE and it has gone, along with the icons on the desktop.

Oh, what are the odds of that? I practically slammed my laptop lid down last night and went to bed, and now it's gone :confused:

Should I turn System Restore back on? :(

I daren't!

Yeah, and sod me, who did I catch going to install some more stuff today when I got out of the shower, after I had repeatedly said "DO NOT INSTALL ANYTHING"?

My little sister :eek: . She said "It's only some emoticons". Arghhh, no, I said, they're the worst, they have the toolbars!

I enabled a guest account; would she have installation privileges on this account? I can't see any details in the User Accounts section!

Neteru
28-08-04, 12:39
OK, if you're sure it's gone, yes, you can turn System Restore back on. You just had to turn it off to purge backups of pests. Of course, should it reappear, you'll have to turn it off again temporarily.

Regarding the account. You need to create a limited account in the User Accounts cpl in Control Panel.

The limited account is intended for someone who should be prohibited from changing most computer settings and deleting important files. A user with a limited account:

Cannot install software or hardware, but can access programs that have already been installed on the computer.
Can change his or her account picture and can also create, change, or delete his or her password.
Cannot change his or her account name or account type. A user with a computer administrator account must make these kinds of changes.

After clicking 'Create a new account' and typing in the name, click on the 'Limited account' radio button and the information appears below.

[ 28. August 2004, 13:42: Message edited by: Neteru ]

SpArKy
28-08-04, 12:53
Yes, I did think as much, thanks!

Guess the guest account is **** then.

*Check your PMs!

Neteru
28-08-04, 13:22
Checked and replied, like sooo ages ago! :D

SpArKy
28-08-04, 13:38
Originally posted by Neteru:
Checked and replied, like sooo ages ago! :D

Eww, sowwy, I get distracted and wander off when I'm downloading because the connection is soooo slow and I am soooo impatient!

SpArKy
29-08-04, 14:30
Well, I have just turned System Restore back on and the toolbar is back!

Neteru
29-08-04, 15:12
Originally posted by Neteru:
Make sure ALL browser windows are closed. Check task manager to make sure no instances of IE are running in the background.

Perform a fresh scan with Spybot S & D (having made sure you have the program updated first), and if anything is found, allow Spybot to clean, reboot and perform a second scan. Please post the details. Previous log is two days old.

Please make sure System Restore is turned off.

Run AdAware, but first make sure that you 1. Have the latest program version AdAware SE (http://www.download.com/Ad-aware-SE-Personal-Edition/3000-8022-10308605.html?tag=lst-0-1), and, 2. the latest updated reference file. Clean anything found and perform a second scan.

After these, check again to make sure there are no instances of IE running. Then run CWSShredder and select Fix.

Slight alteration to these instructions. Try running CWSShredder first, and then follow the rest. Then run HijackThis, perform a scan, and either try to work with HJT yourself, or post your HJT log and I will look through it.
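
Neteru offers above to read through a posted HijackThis log by hand. As an added example that is not part of this thread and is not HijackThis's own code, the following Python script applies a few of the first-pass checks a helper would make on such a log: O2 BHOs that are unnamed, missing on disk or registered as an .exe, O4 autoruns launching from user-writable data directories, and R0/R1 start/search URLs with random-looking hostnames. The sample lines are constructed in the v1.98 log format, and the known-good BHO list, directory list and entropy threshold are assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code)."""
import math
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.98 line format: benign entries mixed
# with entries of the shape seen in the thread's posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/2Q00CPT/0809/bF7.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hsuukkxisiznvilawmp.com/XGx0Dt0uMrBTOs6Ojv/9B.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {01587A25-168B-B80B-F06D-5D4A3FE38FFF} - C:\PROGRA~1\ANTIME~1\Warnamok.exe
O2 - BHO: (no name) - {5A9B8F83-8B55-BC53-A654-46ACFB361733} - C:\PROGRA~1\ANTIME~1\BIND PROGRAM.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hole inside find book] C:\Documents and Settings\All Users\Application Data\New Style Hole Inside\Win Thunk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Assumed allowlist of BHO CLSIDs that show "(no name)" but are legitimate
# (Spybot's SDHelper.dll is the one the thread's log contains).
KNOWN_GOOD_BHO = {
    "53707962-6F74-2D53-2644-206D7942484F",  # Spybot S&D SDHelper.dll
    "06849E9F-C8D7-4D59-B87D-784B7D6BE0B3",  # Acrobat Reader AcroIEHelper.ocx
}
# Assumed list of user-writable locations an autorun entry rarely needs to live in.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\temp\\",
                      "\\documents and settings\\")

UNNAMED_BHO = "BHO with no name and a CLSID not on the known-good list"
MISSING_BHO = "BHO file missing on disk (dangling registration)"
EXE_BHO = "BHO registered as an .exe (BHOs are normally DLL/OCX files)"
USER_DIR_RUN = "autorun launches from a user-writable data directory"
RANDOM_HOST = "start/search URL hostname looks machine-generated"

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line_no: int
    section: str
    reason: str
    line: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's letter distribution."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def hostname_looks_random(host: str, min_len: int = 15, min_entropy: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): long, high-entropy second-level label.
    Naive about two-part public suffixes such as co.uk; good enough for triage."""
    labels = host.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def triage(log_text: str) -> list:
    """Return one Finding per (line, reason); a line can collect several."""
    findings = []
    for line_no, raw in enumerate(log_text.strip().splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # running-process list, headers, other sections
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            if hostname_looks_random(urlparse(url).hostname or ""):
                reasons.append(RANDOM_HOST)
        elif section == "O2":
            b = BHO_RE.match(body)
            if b:
                name, clsid, path = b.group("name"), b.group("clsid").upper(), b.group("path")
                missing = path.endswith("(file missing)")
                if missing:
                    path = path[: -len("(file missing)")].strip()
                if name == "(no name)" and clsid not in KNOWN_GOOD_BHO:
                    reasons.append(UNNAMED_BHO)
                if missing:
                    reasons.append(MISSING_BHO)
                if path.lower().endswith(".exe"):
                    reasons.append(EXE_BHO)
        elif section == "O4":
            r = RUN_RE.match(body)
            if r and any(d in r.group("cmd").lower() for d in USER_WRITABLE_DIRS):
                reasons.append(USER_DIR_RUN)
        findings.extend(Finding(line_no, section, why, raw.strip()) for why in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:2d} [{f.section}] {f.reason}\n    {f.line}")
```

Everything it flags is for review rather than automatic removal; an unnamed BHO such as Spybot's SDHelper.dll is legitimate, which is why the allowlist exists.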

SpArKy
29-08-04, 15:23
Tut, huh, I will have to do it another day, I can't be arsed right now! I'm knackered, and it's sodding bank holiday, so I need all my rest for tonight at work. Thanks Net!

*edit: I swore, sorry. Can't help it!

I hate computers. D'ya reckon it's something still installed on my machine?

[ 29. August 2004, 16:28: Message edited by: SpArKy ]

SpArKy
29-08-04, 15:42
Mmmm, regarding the iexplore.exe running in the background, well, I have just checked and there were 4 instances running.

I ended these processes but, after watching the Task Manager closely, the processes just re-emerge!

I wonder if Windows Firewall will let me block Internet Explorer from accessing the internet at all!

Neteru
29-08-04, 16:46
You see, this is why I asked you to follow instructions exactly and tell me exactly if you followed them, and what their results were. Because certain details change what is necessary to do. The iexplore running in the background makes some efforts to rid yourself of this pointless unless they are terminated. Now you've told me that there are in fact instances running that keep reappearing (which is why I asked you to check), what you need to do changes slightly. The first lot of instructions I gave you, you need to do in Safe Mode (without network support). This means that Windows will load with basic drivers only; anything else that would normally start will be prevented from doing so. This way, you can perform all of your scans and removals and remove the entries that cause this thing to come back. You may well now find that you can really be rid of it in one go, now that you have in fact established that IE does run in the background. It is most likely that it is this pest that is causing these instances, because the makers know that you have to terminate all instances before you can get rid of them. You may even find that running CWSShredder alone in Safe Mode will be enough. But let's be safe and run the three main ones.

[ 29. August 2004, 17:49: Message edited by: Neteru ]

SpArKy
29-08-04, 17:03
Tut, Net, leave me alone

I work a lot of hours, my eyes hurt, I can't be arsed with log files etc., jeez!

I am trying, and I always follow your instructions exactly, I can assure you!

Nicky
29-08-04, 21:08
Sparky, please. Net is only trying to help you ;)

SpArKy
30-08-04, 01:25
Originally posted by Nicky:
Sparky, please. Net is only trying to help you ;)

Thanks Nicky, I know, he knows I am only playing!

[ 30. August 2004, 18:20: Message edited by: SpArKy ]

SpArKy
30-08-04, 17:19
Right, here we go;

Entered Safe Mode!

Ran the CWShredder thing, nothing found; ran the add-on, nothing found!

Ran HijackThis;

Logfile of HijackThis v1.98.2
Scan saved at 17:10:31, on 30/08/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/2Q00CPT/0809/bF8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/2Q00CPT/0809/bF7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hsuukkxisiznvilawmp.com/XGx0Dt0uMrBTOs6Ojv/9B/EW_ycXxcVSyObVM9zJddGunoly2hP6kxoggpyNNzvF.html
O2 - BHO: (no name) - {01587A25-168B-B80B-F06D-5D4A3FE38FFF} - C:\PROGRA~1\ANTIME~1\Warnamok.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A9B8F83-8B55-BC53-A654-46ACFB361733} - C:\PROGRA~1\ANTIME~1\BIND PROGRAM.exe (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SupportBows] C:\PROGRA~1\POKEDR~1\cornokay.exe
O4 - HKLM\..\Run: [Drvaudiotrayatom] C:\Documents and Settings\All Users\Application Data\01junkdrvaudio\Creative Mfcd.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hole inside find book] C:\Documents and Settings\All Users\Application Data\New Style Hole Inside\Win Thunk.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

Ran Spyware Doctor;

--- Report generated: 2004-08-30 17:21 ---

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-2555641484-2640380759-1022045130-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

--- Spybot - Search && Destroy version: 1.3 ---
2004-08-11 Includes\Cookies.sbi
2004-08-20 Includes\Dialer.sbi
2004-08-20 Includes\Hijackers.sbi
2004-08-20 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-08-20 Includes\Malware.sbi
2004-08-12 Includes\Revision.sbi
2004-08-11 Includes\Security.sbi
2004-08-20 Includes\Spybots.sbi
2004-08-12 Includes\Tracks.uti
2004-08-20 Includes\Trojans.sbi

Also ran SpyBlocs!

Scan initialized on 30/08/2004 17:26:45
========================================

Started memory scan
====================
Running processes:
1: \SystemRoot\System32\smss.exe
2: \??\C:\WINDOWS\system32\winlogon.exe
3: C:\WINDOWS\system32\services.exe
4: C:\WINDOWS\system32\lsass.exe
5: C:\WINDOWS\system32\svchost.exe
6: C:\WINDOWS\system32\svchost.exe
7: C:\WINDOWS\Explorer.EXE
8: C:\Program Files\Spyware Doctor\spydoctor.exe
9: C:\Program Files\SpyBlocs\SpyBlocs.exe

Memory scan result:
Total modules found:9
Suspicious modules found: 0

Started registry scan
====================
Real Spy Monitor Trial Version
Spy - SEVERE
Real Spy Monitor Trial Version
Spy - SEVERE
Real Spy Monitor Trial Version
Spy - SEVERE
Real Spy Monitor Trial Version
Spy - SEVERE
Registry scan result:
Suspicious keys found: 4

Started folder scan
====================
Sqwire Trial Version
Spyware - SEVERE

BDE Trial Version
Adware - SEVERE

BDE Trial Version
Adware - SEVERE

Folder scan result:
Folder processed: 0
Suspicious folders found: 2

Started file scan
====================

File scan result:
Suspicious files found: 1

Scanning finished
====================
Suspicious modules found: 0
Suspicious keys found: 4
Suspicious folders found: 2
Suspicious files found: 1
====================

Components ignored:0
Total components found:7

I could not delete what was found above, as I only have the trial version!

The order in which the logs are posted is the order in which I performed them, and System Restore was and still is turned off!

All programmes are also up-to-date.

Upon restart, I ran Ad-Aware because for some reason it wasn't in the "All Programmes" section in Safe Mode; not surprisingly, I got over 88 Ad-Aware finds:

Lavasoft Ad-Aware Personal Build 1.03
Logfile created on:30 August 2004 17:54:15
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R5 22.08.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Lop(TAC index:7):88 total references
MRU List(TAC index:0):22 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects

30-08-2004 17:54:15 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\jasc\paint shop pro 8\recent file list
Description : list of recently used files in jasc paint shop pro

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history

MRU List Object Recognized!
Location: : S-1-5-21-2555641484-2640380759-1022045130-1006\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : C:\Documents and Settings\SpArKy\recent
Description : list of recently opened documents

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 548
ThreadCreationTime : 30-08-2004 16:44:15
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 624
ThreadCreationTime : 30-08-2004 16:44:18
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 648
ThreadCreationTime : 30-08-2004 16:44:20
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 692
ThreadCreationTime : 30-08-2004 16:44:20
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 704
ThreadCreationTime : 30-08-2004 16:44:20
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 896
ThreadCreationTime : 30-08-2004 16:44:21
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 992
ThreadCreationTime : 30-08-2004 16:44:21
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1084
ThreadCreationTime : 30-08-2004 16:44:21
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1136
ThreadCreationTime : 30-08-2004 16:44:21
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1180
ThreadCreationTime : 30-08-2004 16:44:22
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1672
ThreadCreationTime : 30-08-2004 16:44:24
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1720
ThreadCreationTime : 30-08-2004 16:44:24
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [carpserv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1836
ThreadCreationTime : 30-08-2004 16:44:25
BasePriority : Normal
FileVersion : 6.02.05
ProductVersion : 6.02.05
ProductName : SoftK56 Modem Driver
CompanyName : Conexant Systems, Inc.
FileDescription : carpserv
InternalName : carpserv
LegalCopyright : Copyright© Conexant Systems, Inc. 2003
OriginalFilename : carpserv.exe

#:14 [onetouch.exe]
FilePath : C:\PROGRA~1\HPQ\ONE-TO~1\
ProcessID : 1876
ThreadCreationTime : 30-08-2004 16:44:26
BasePriority : Normal
FileVersion : 1.6.3.0
ProductVersion : 1.6.3.0
ProductName : Dritek System Inc. OneTouch 10.05.2002 ( VC60 )
CompanyName : Dritek System Inc.
FileDescription : One-Touch
InternalName : OneTouch
LegalCopyright : Copyright © 2002 Dritek System Inc.
OriginalFilename : OneTouch.exe

#:15 [avgcc32.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ProcessID : 1888
ThreadCreationTime : 30-08-2004 16:44:26
BasePriority : Normal
FileVersion : 6, 0, 0, 515
ProductVersion : 6, 0, 0, 0
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
LegalCopyright : Copyright © 2003 GRISOFT s.r.o.
OriginalFilename : AvgCC32.EXE

#:16 [msgplus.exe]
FilePath : C:\Program Files\Messenger Plus! 3\
ProcessID : 1920
ThreadCreationTime : 30-08-2004 16:44:26
BasePriority : Normal

#:17 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ProcessID : 1936
ThreadCreationTime : 30-08-2004 16:44:26
BasePriority : Normal
FileVersion : 1.04.07a
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
LegalCopyright : Copyright © 2003 Sonic Solutions

#:18 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 2000
ThreadCreationTime : 30-08-2004 16:44:27
BasePriority : Normal
FileVersion : 4.7.3000
ProductVersion : Version 4.7.3000
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 2004
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:19 [spydoctor.exe]
FilePath : C:\Program Files\Spyware Doctor\
ProcessID : 2012
ThreadCreationTime : 30-08-2004 16:44:27
BasePriority : Normal
FileVersion : 2.1.0.254
ProductVersion : 2.0
ProductName : Spyware Doctor
CompanyName : PCTools
OriginalFilename : spydoctor.exe

#:20 [iexplore.exe]
FilePath : c:\progra~1\intern~1\
ProcessID : 2016
ThreadCreationTime : 30-08-2004 16:44:27
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:21 [wincinemamgr.exe]
FilePath : C:\Program Files\InterVideo\Common\Bin\
ProcessID : 136
ThreadCreationTime : 30-08-2004 16:44:27
BasePriority : Normal
FileVersion : 1.8.1
ProductVersion : 1, 8, 1, 0
ProductName : WinCinema Manager for InterVideo WinCinema products
CompanyName : InterVideo Inc.
FileDescription : WinCinema Manager
InternalName : WinCinema Manager
LegalCopyright : Copyright 1999-2003 InterVideo, Inc. All rights reserved.
OriginalFilename : WinCinemaMgr.EXE

#:22 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 252
ThreadCreationTime : 30-08-2004 16:44:29
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

Lop Object Recognized!
Type : Process
Data : winthu~1.exe
Category : Data Miner
Comment :
Object : c:\docume~1\alluse~1\applic~1\newsty~1\

Warning! Lop Object found in memory(c:\docume~1\alluse~1\applic~1\newsty~1\winthu~1.exe)

"c:\docume~1\alluse~1\applic~1\newsty~1\winthu~1.exe"Process terminated successfully
"C:\Program Files\Internet Explorer\iexplore.exe"Process terminated successfully

#:23 [avgserv.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ProcessID : 496
ThreadCreationTime : 30-08-2004 16:44:32
BasePriority : Normal
FileVersion : 6.0.1.696
ProductVersion : 6.0.1.696
ProductName : AVG6
CompanyName : GRISOFT s.r.o
FileDescription : AvgServ - displays notification message
InternalName : AvgServ
LegalCopyright : Copyright (c) GRISOFT 1998-2004
OriginalFilename : AvgServ

#:24 [cdac11ba.exe]
FilePath : C:\WINDOWS\System32\drivers\
ProcessID : 524
ThreadCreationTime : 30-08-2004 16:44:32
BasePriority : Normal
FileVersion : 4.20.030
ProductVersion : 4.20.030 Windows NT 2002/01/29
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright (c) 1998-2003 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:25 [hpconfig.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 604
ThreadCreationTime : 30-08-2004 16:44:35
BasePriority : Normal
FileVersion : 3, 0, 1, 8
ProductVersion : 3, 0, 1, 8
ProductName : HPConfig Module
CompanyName : Hewlett-Packard
FileDescription : HPConfig Module
InternalName : HPConfig
LegalCopyright : Hewlett-Packard Copyright (C) 1999-2002
OriginalFilename : HPConfig.EXE
Comments : HP Configuration Interface Service

#:26 [hpwirelessmgr.exe]
FilePath : C:\Program Files\HPQ\Notebook Utilities\
ProcessID : 824
ThreadCreationTime : 30-08-2004 16:44:36
BasePriority : Normal
FileVersion : 1, 0, 0, 6
ProductVersion : 1, 0, 0, 6
ProductName : HPWirelessMgr Module
CompanyName : Hewlett-Packard Co.
FileDescription : HPWirelessMgr Module
InternalName : HPWirelessMgr
LegalCopyright : Hewlett-Packard Copyright 2002
OriginalFilename : HPWirelessMgr.EXE
Comments : HP Wireless On/Off Button Service

#:27 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2212
ThreadCreationTime : 30-08-2004 16:44:48
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:28 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ProcessID : 2572
ThreadCreationTime : 30-08-2004 16:45:26
BasePriority : Normal

#:29 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2664
ThreadCreationTime : 30-08-2004 16:45:38
BasePriority : Normal
FileVersion : 6.2.0.162
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 23

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

Deep scanning and examining files (L:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for L:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 23

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Lop Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ Computers

Lop Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ Cool Stuff

Lop Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ Internet

Lop Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ Online Gaming

Lop Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ Shopping Gifts

Lop Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ Travel

Lop Object Recognized!
Type : File
Data : Antivirus.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Communication Technology.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Computer Jobs .url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Computer Programming.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Domain Hosting.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Dvd.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Hosting.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Inkjet Cartridge.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Instant Messenger.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Internet.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Working From Home.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ computers\

Lop Object Recognized!
Type : File
Data : Domain Registrations.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Firewall.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Flowers.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Free Long Distance.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Hosting.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Internet Business.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Investing Money.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Jokes.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Newsgroup.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Online Football Games.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Online Gaming.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Spyware.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Starting A Business.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Web Marketing.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ internet\

Lop Object Recognized!
Type : File
Data : Bingo.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Black Jack Poker.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Casino Online.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : ****s.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Gamble.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Jackpot.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Roulette Gambling.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Slots.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Sport Betting.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Sport Book.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Time Cards.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ online gaming\

Lop Object Recognized!
Type : File
Data : Birthday Gift.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Cellular.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Christmas Gift.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Corporate Gift.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Digital Cameras.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Dress Fashion.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : DVD Players.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Gift Basket.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Jewelry.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Leather Jackets.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Perfume.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Sexy Lingerie.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Shoes.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Smoke Shop.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Underwear.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Video Surveillance.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Watches.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Wedding Gifts.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Wine Gifts.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Womens Clothing.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ shopping gifts\

Lop Object Recognized!
Type : File
Data : Air Travel.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Cancun vacation.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Car Rental.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Cruises.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Discount Travel.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Europe Travel.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Family Vacation.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Hawaii Travel.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Hotels.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Las Vegas Hotel.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : London Hotel.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : New York.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Orlando Hotel.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Resort.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Skiing.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Timeshare.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Travel Agent.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Travel Insurance.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Vacation.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : World Travel.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\ travel\

Lop Object Recognized!
Type : File
Data : Casino Online.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\

Lop Object Recognized!
Type : File
Data : Computers.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\

Lop Object Recognized!
Type : File
Data : Games.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\

Lop Object Recognized!
Type : File
Data : Movie.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\

Lop Object Recognized!
Type : File
Data : Web Hosting.url
Category : Malware
Comment :
Object : C:\Documents and Settings\SpArKy\Favorites\

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 87
Objects found so far: 110

18:09:53 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:15:38.240
Objects scanned:114780
Objects identified:88
Objects ignored:0
New critical objects:88

There were 2 iexplore.exe running in the background. I managed to close one, but the other would not shut down; I clicked "end task" and nothing happened to the programme!

SpArKy
30-08-04, 17:24
I'm off in the bath, I'm knackered after that; see you in about an hour http://www.tombraiderforums.com/images/smilies/c-1.gif

Neteru
30-08-04, 21:12
An hour? LOL, as you can see, I've spent more time than that doing my http://www.tombraiderforums.com/images/smilies/privateeye.gif :D

Now then. First things first. You have installed Spyware Doctor and Spybloc. These programs are considered 'rogue', merely designed to get you to part with your money. Best advice: uninstall them. You can learn a little more about these and other rogue programs HERE (http://www.netrn.net/archives2/000627.html).

The MRU lists referenced by Ad-Aware are your 'Most Recently Used' lists, maintained by the system and programs. They are generally nothing to worry about. Ad-Aware and other programs pick up MRU lists because they are a privacy concern. It is OK to let Ad-Aware clean these. In fact I think it's preferable myself. There are two references to Real Player. I recall before your recent reinstallation of Windows you decided to uninstall Real Player because I advised you that it has a history of 'phoning home'. When you reinstall Windows, the program is installed again. Uninstall the program if you want, your choice.

Once you've dealt with that I think you can turn on System Restore.

Now to HijackThis. Before we do anything, there are some things you need to do:

Go to Control Panel/Folder Options/View tab. Scroll down and check the following radio button;

Hidden files and folders/Show hidden files and folders

Scroll further down and UNcheck the following;

Hide extensions for known file types
Hide protected operating system files

At the top of the tab click the Apply to All Folders button, then click Apply and OK at the bottom.

Having done that you must place HijackThis.exe in its own Program Files folder. You currently have it in a temporary directory. This is so it can make backups before fixing. So simply create a folder for it in Program Files, place the exe inside and create a shortcut on your desktop for it by right-clicking the exe and dragging to the desktop, releasing the mouse button, and selecting Create Shortcuts Here from the context menu that appears.

When that is done, I would prefer you to boot into Safe Mode. Having done so, perform a scan with HijackThis and select the following entries for removal:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hsuukkxisiznvilawmp.com/XGx0Dt0uMrBTOs6Ojv/9B/EW_ycXxcVSyObVM9zJddGunoly2hP6kxoggpyNNzvF.html
O4 - HKLM\..\Run: [Drvaudiotrayatom] C:\Documents and Settings\All Users\Application Data\01junkdrvaudio\Creative Mfcd.exe
O4 - HKLM\..\Run: [hole inside find book] C:\Documents and Settings\All Users\Application Data\New Style Hole Inside\Win Thunk.exe
O2 - BHO: (no name) - {01587A25-168B-B80B-F06D-5D4A3FE38FFF} - C:\PROGRA~1\ANTIME~1\Warnamok.exe
O2 - BHO: (no name) - {5A9B8F83-8B55-BC53-A654-46ACFB361733} - C:\PROGRA~1\ANTIME~1\BIND PROGRAM.exe (file missing)

The next entry looks suspicious to me:

O4 - HKLM\..\Run: [SupportBows] C:\PROGRA~1\POKEDR~1\cornokay.exe

If you recognise this as OK, then leave it. If you don't recognise it, also check it for removing. You can look further into this to see if you do recognise it by navigating to the folder it is contained within, C:\PROGRA~1\POKEDR~1 (Note: these are the DOS names for folders on your hard drive. PROGRA~1 is Program Files). If you can't find this directory on your hard drive, perform a search on the executable contained in the folder: cornokay.exe

The following entries are fine, but unnecessary. You can check them for removal if you want:

O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

These last two are buttons that appear in IE for you to launch Windows Messenger, in case you wondered.

Having all items checked, click Fix. When HijackThis is done, Reboot and when Windows has loaded, navigate to the following folders;

C:\Documents and Settings\All Users\Application Data\01junkdrvaudio and delete if found.

C:\Documents and Settings\All Users\Application Data\New Style Hole Inside and delete if found.

C:\PROGRA~1\ANTIME~1 and delete if found.

If you decided to remove the following listing with HijackThis, then navigate to;

C:\PROGRA~1\POKEDR~1 and delete if found.

It is also probably a good idea to delete the contents only (not the folder) of C:\Documents and Settings\*****\Local Settings\Temp, where ***** is the name of your user account.

Then run HijackThis again and post your fresh log. (HijackThis only.)
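A way to pre-screen a HijackThis log for the kinds of entries Neteru singles out above (an R0 search setting pointing at an unfamiliar host, O4 Run entries launching from Application Data, nameless or dangling O2 BHOs). This is an added example, not code from the thread or from the HijackThis project; the search-host allowlist and the suspect-directory list are assumptions, and the sample log lines are the entries quoted above plus one benign control.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: HijackThis-style entries taken from the log quoted
# in this thread, plus one benign O4 entry (hptasks.exe) as a control.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hsuukkxisiznvilawmp.com/XGx0Dt0uMrBTOs6Ojv/9B/EW_ycXxcVSyObVM9zJddGunoly2hP6kxoggpyNNzvF.html
O4 - HKLM\..\Run: [Drvaudiotrayatom] C:\Documents and Settings\All Users\Application Data\01junkdrvaudio\Creative Mfcd.exe
O4 - HKLM\..\Run: [hole inside find book] C:\Documents and Settings\All Users\Application Data\New Style Hole Inside\Win Thunk.exe
O2 - BHO: (no name) - {01587A25-168B-B80B-F06D-5D4A3FE38FFF} - C:\PROGRA~1\ANTIME~1\Warnamok.exe
O2 - BHO: (no name) - {5A9B8F83-8B55-BC53-A654-46ACFB361733} - C:\PROGRA~1\ANTIME~1\BIND PROGRAM.exe (file missing)
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
"""

# Hypothetical allowlist: search hosts the owner of this machine would expect.
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "www.microsoft.com"}
# Assumed: directories that legitimate installers rarely use for auto-started programs.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

SEARCH_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>\S+)$")
RUN_RE = re.compile(r"^O4 - .*?Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


def triage(log_text):
    """Return [(line, [reasons])] for entries that deserve a closer look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        reasons = []
        if m := SEARCH_RE.match(line):
            host = (urlparse(m["value"]).hostname or "").lower()
            if host and host not in KNOWN_SEARCH_HOSTS:
                reasons.append(f"search setting points at unknown host {host}")
        elif m := RUN_RE.match(line):
            if any(d in m["cmd"].lower() for d in SUSPECT_DIRS):
                reasons.append(f"Run entry [{m['name']}] launches from a data/temp directory")
        elif m := BHO_RE.match(line):
            if m["name"] == "(no name)":
                reasons.append(f"BHO {{{m['clsid']}}} registered without a name")
            if m["path"].endswith("(file missing)"):
                reasons.append("BHO target file is missing (dangling CLSID)")
            elif m["path"].lower().endswith(".exe"):
                reasons.append("BHO target is an .exe; browser helper objects are normally DLLs")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line[:60], "->", "; ".join(reasons))
```

The control entry (hptasks.exe under Program Files) is not flagged, which is the point: the heuristics narrow the log to entries worth checking by hand rather than deciding for you.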

Simulation
30-08-04, 21:54
Evening Sparky, Neteru http://www.tombraiderforums.com/images/smilies/wave.gif

Can I make one suggestion?

Go to the IE Internet Options... (Tools menu)

Click on Settings.... (Temporary Internet files)

Click on View Objects....

You will see an explorer displaying the installed objects. Most are legitimate programs such as Java, Update Class etc. but some may be adware.

If you are not sure, right-click on the file and select Properties from the context menu. If you still don't recognise the program, then I suggest you right-click on the file again and select Remove.

SpArKy
30-08-04, 22:12
Hi, thanks guys. I don't have time right now to do the removals, Net; I will do them Thursday if I get chance!

Regarding the first removal, I took an educated guess and deleted the search bar one anyway using HijackThis ;)

I should go to bed now; I'm up at 7 to take the stock and do my cellar duties at the bar, so thanks and see ya soon http://www.tombraiderforums.com/images/smilies/wave.gif

Neteru
30-08-04, 23:14
Hi again Sim http://www.tombraiderforums.com/images/smilies/wave.gif

If you look at the items beginning O16 in Sparky's HJT log, they are the items in his Downloaded Program Files folder, and they're OK. They can be deleted, but they do no harm, which is why I didn't mention them. But it wouldn't hurt to double check by the method you mention.

Okees Sparky. http://www.tombraiderforums.com/images/smilies/smile.gif [EDIT] Damn, with such extensive logs, I knew it was inevitable I would forget something. I meant to say that the other search entries under R01, R02 I thought you'd recognize, as they are, I think, connected with your laptop?

Have a good sleep both of you.

[ 31. August 2004, 00:21: Message edited by: Neteru ]

SpArKy
31-08-04, 17:35
Hi, I'm back. Such a long day; got finished about 12:30 at the bar. I am not even joking when I say I moved well over 100 crates and 20 beer kegs this morning, then I was at the factory 2-6!

So I might not attempt the above just yet; I am not thinking clearly and my eyes are stinging again http://www.tombraiderforums.com/images/smilies/yikes.gif

So to bed for an hour and out on the razzle it is!

Thanks!

SpArKy
01-09-04, 16:38
I have done all the above, and look what I found:
http://myweb.tiscali.co.uk/simulation/Pictures/OMG.jpg

Simulation - Original server did not allow hotlink.

[ 01. September 2004, 19:36: Message edited by: Simulation ]

Simulation
01-09-04, 18:49
Not pretty..........

http://www.tombraiderforums.com/images/smilies/c-1.gif

Where is this folder located?

My guess is that there is a program in your start up that automatically checks to see if those duff programs have been removed and reinstalls them automatically.

Try this. Start Menu, Run, and type MSCONFIG, then press OK. The System Utility Program will start.
Go onto the last tab, called Startup. It will list all the programs that are automatically started by the system. Go down the list and see if there are any programs that you do not recognise, and in particular any that run from the folder you have just found.

Let me know what you find. http://www.tombraiderforums.com/images/smilies/wave.gif

P.S. May not be back until later or tomorrow. I'm off to see I Robot this evening. http://www.tombraiderforums.com/images/smilies/smile.gif

SpArKy
01-09-04, 19:04
OK thanks Sim, no it's not good, I agree, and there are some programmes I don't recognise, what a bugger, hey!

It is Cornokay.exe that was starting up. My god, I have had some trouble with this one, but hopefully it will work now I have deleted that folder and also unchecked the programme!

Simulation
01-09-04, 19:20
OK. See if that works first. If it appears OK, it would be best to edit the registry and remove the offending entries.

Let us know how it goes and we will cross that bridge later. http://www.tombraiderforums.com/images/smilies/wave.gif

SpArKy
01-09-04, 20:06
Everything seems to be OK, but because I have modified that thing you said earlier, I keep getting a pop-up telling me to undo the changes or something!

Joseph
01-09-04, 20:13
"or something"... we do not talk that way here; you have to be more precise, otherwise we cannot help, as you should know by now. ;)

SpArKy
01-09-04, 20:22
Originally posted by joseph:
"or something"... we do not talk that way here; you have to be more precise, otherwise we cannot help, as you should know by now. ;)

LOL, I can't remember http://www.tombraiderforums.com/images/smilies/clown.gif

I'll reboot and show you a screeny!

http://img.photobucket.com/albums/v305/SpArKy18/changes.jpg

[ 01. September 2004, 21:29: Message edited by: SpArKy ]

SpArKy
01-09-04, 20:36
Also, while I am here, do you have any idea why my icons have gone all wrong?
http://img.photobucket.com/albums/v305/SpArKy18/offset.jpg

And also, when I open My Computer then select My Documents or another link from the left-hand side of the Microsoft window, the window crashes :confused:

Simulation
01-09-04, 23:19
Hi Sparky,

MSCONFIG.EXE is a diagnostic tool, so it is warning you that you have made changes to the standard start-up condition. Switching off programs in the Startup tab is only a temporary solution to help cure problems. Once the problem has been found, a proper solution needs to be taken. Then MSCONFIG has an option on the General tab to go back to Normal Startup.

Anyway. Can you list the names of the Startup Items and the command line for the ones you have disabled?

Are the drives you have circled real drives? Have you tried pressing F5 to refresh the browser?

[ 02. September 2004, 00:20: Message edited by: Simulation ]

SpArKy
02-09-04, 00:16
For a split second you see the icons, then they disappear. Yes, the top one is a USB memory stick and the bottom ones are all from a card reader, for cameras etc.