View Full Version : Starware Infection. Help please!
JimboMac
2006-06-08, 00:39
Hello. I am brand new to this, and have a Starware infection which all usual sources are neither detecting nor removing, including Spybot, AdAware, Ewido, Microsoft Malware Removal Tool or Ntl Netguard. I am getting popups and redirection of homepage, and intermittent IE failure. My computer has also slowed down noticeably. I would appreciate any advice/assistance. Ta.
I am in Scotland, if that is of the slightest interest!
pskelley
2006-06-08, 04:54
Hello and welcome to the forum. Please be advised that most forums Pin the information you need at the top of the page. These two links are a must before you can proceed, but I suggest you review all Pinned information, the answer you are looking for may be there.
http://forums.spybot.info/showthread.php?t=425
http://forums.spybot.info/showthread.php?t=288
Thanks...pskelley
Safer Networking Forums
JimboMac
2006-06-08, 23:24
Thanks for the prompt reply. Sorry to be so dense, but I don't understand 'Pinned'. Where should I be looking?
I have followed the 2 links. They seem to be asking me to check if I have installed Windows XP SP2 - I have, and use Automatic Update setting, so I think that is ok. I have previously run Spybot in Safe Mode, but still have the Starware infection. Should I now run the HijackThis log and should I post it in this thread or start a new one? I really appreciate your help.
pskelley
2006-06-09, 00:17
Right you are, this is where you started, posted the first time:
http://forums.spybot.info/forumdisplay.php?f=22 Return there to see the pinned (Sticky in this case) information. Once you have completed the instructions in this link:
http://forums.spybot.info/showthread.php?t=288 that apply to you, then post the HJT log. We need that information to begin. Stay in this same thread and I wil get a notification when you post.
Thanks...Phil
JimboMac
2006-06-11, 00:12
Thanks Phil. I hope I have done as instructed and here is the HiJack This log. Due to size, the Panda Scan log will be a seperate post. I hope this is what you need. I have also done another Spybot Scan in Safe mode, but it only picked up some cookies.
Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 22:03:53, on 10/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Anti Spyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [71a680qf] C:\Program Files\71a680qf\71a680qf.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [BIND BIRD HEART DASH] C:\Documents and Settings\All Users\Application Data\BOOK EGGS BIND BIRD\rdr poke.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\ntl\ntl Netguard\IdxClnR.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\ntl\ntl Netguard\IdxClnR.exe"
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://support.fujitsu-siemens.com
O16 - DPF: PCPitstop-Tracks-Checker - http://www1.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145905508062
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
JimboMac
2006-06-11, 00:14
And the Panda Scan log:
And the Panda Scan log:
Incident Status Location
Adware:adware/wupd Not disinfected c:\windows\downloaded program files\activex.inf
Adware:adware/look2me Not disinfected c:\windows\downloaded program files\activex.ocx
Adware:adware/quicksearch Not disinfected c:\windows\downloaded program files\Install.inf
Spyware:spyware/new.net Not disinfected Windows Registry
Potentially unwanted tool:application/errorsafe Not disinfected hkey_local_machine\software\Error Safe Free
Adware:adware/sidesearch Not disinfected Windows Registry
Potentially unwanted tool:application/spyaxe Not disinfected hkey_local_machine\software\SpyAxe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\BOOK EGGS BIND BIRD\lies mpeg.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\BOOK EGGS BIND BIRD\rdr poke.exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Jim\Cookies\jim@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Jim\Cookies\jim@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jim\Cookies\jim@ad.yieldmanager[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jim\Cookies\jim@as-eu.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jim\Cookies\jim@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jim\Cookies\jim@casalemedia[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Jim\Cookies\jim@cassava[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jim\Cookies\jim@doubleclick[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Jim\Cookies\jim@i.screensavers[2].txt
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\Jim\Cookies\jim@lop[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jim\Cookies\jim@mediaplex[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jim\Cookies\jim@microsofteup.112.2o7[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Jim\Cookies\jim@offeroptimizer[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Jim\Cookies\jim@tradedoubler[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jim\Cookies\jim@tribalfusion[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jim\Cookies\jim@zedo[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Laura\Cookies\laura@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Laura\Cookies\laura@atwola[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Laura\Cookies\laura@go[2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Laura\Cookies\laura@kount[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Laura\Cookies\laura@offeroptimizer[1].txt
Spyware:Cookie/MyGeek Not disinfected C:\Documents and Settings\Laura\Cookies\laura@partners.mygeek[1].txt
Spyware:Cookie/Servlet Not disinfected C:\Documents and Settings\Laura\Cookies\laura@servlet[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Laura\Cookies\laura@toplist[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Laura\Cookies\laura@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Laura\Cookies\laura@xmts[1].txt
Spyware:Spyware/ClearSearch Not disinfected C:\Program Files\71a680qf\ybstjhka.DLL
pskelley
2006-06-11, 01:59
OK and thanks for the feedback, it really helps to have it. Before I start I need to make sure you are running only one antivirus program. I see eTrust Internet Security Suite and ntl Netguard. If I am wrong that is fine, but this is what Symantec:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206 and Microsoft say about this:
"Microsoft recommends that you have only one anti-virus program installed on your computer."
This program > C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe I suggest you remove it, I just do not trust it and can give you much better free programs.
You also have remnants of a LOP/C2 Media infection, let's hope we can remove the balance manually.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [71a680qf] C:\Program Files\71a680qf\71a680qf.exe
ClearSearch
O4 - HKLM\..\Run: C:\Documents and Settings\All Users\Application Data\BOOK EGGS BIND BIRD\rdr poke.exe
LOP/C2Media
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Program Files\71a680qf\ <<< folder
C:\Documents and Settings\All Users\Application Data\BOOK EGGS BIND BIRD\ <<< folder
C:\Program Files\Enigma Software Group\ <<< folder
C:\Windows\Prefetch\ >>> delete the contents ([B]NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
If you don't have a good cleaner, use this free one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
You have ewido open the program and choose update, allow time for it to finish. Now click scanner then complete system scan. Allow ewido to remove anything it locates unless you know it is not bad. Save that scan report, I must see it.
Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help. How is the computer running now.
Thanks...Phil
JimboMac
2006-06-11, 22:36
Hello again Phil. I am pretty sure I'm not running eTrust Pest Patrol. I've tried to delete it in Add/Remove programs, but it tells me I have insufficient priveleges and to log on as Admonistrator; I am, of course, an Administrator. Any advice? Also, I can't find Spyhunter in Add/Remove or in the All Programs list. I'll carry out the other instructions and post them shortly. Ta. Jim
pskelley
2006-06-11, 22:52
OK Jim, finish with the instructions and we will remove the rest manually.
I am pretty sure I'm not running eTrust Pest Patrol
Jim, you have to be positive, and tell me you want it removed, pretty sure will not do it.
Thanks...Phil
JimboMac
2006-06-12, 00:14
Hi Phil. I meant I'm not sure it's running - cos I'm a bit dim; but yes I definitely want to remove it. Here's the Ewido log, and the Hijack This will follow.
The folder C:\Documents and Settings\All Users\Application Data\BOOK EGGS BIND BIRD\ could not be removed. I got an error message:
Cannot delete DartHeckStop. It is being used by another person or program. Of course, it was not!
I also ran both the Cleaner and Issues function of CCleaner, and backed up the Registry Changes. Hope that was ok. I have noticed at restart that a lot of crap that had invaded the Favourites menu in IE have gone. Finally, when closing, I am getting a brief 'End Program' message that a program called UiPopUpHidden is not closing, but the message disappears before I can take any action.
HiJackThis log to follow. Thanks again.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 21:57:12, 11/06/2006
+ Report-Checksum: 4692BA6A
+ Scan result:
No infected objects found.
::Report End
JimboMac
2006-06-12, 00:20
Phil. I meant I wasn't sure if I was running the program - cos I'm a bit dim - but I certainly do want to remove it.
I couldn't delete the BOOK EGGS BIND BIRD folder; the error message told me DartHeckStop was in use by another person or program; it wasn't.
I also ran the Cleaner and Issues functions and backed up the Registry Changes. trust this was what you meant
I have also noted that, on closing down windows, I am seeing a brief flash of an End Program message which refers to UiPopUpHidden. It closes without any action from me.
I attach the Ewido scan and will post the Hijack This log shortly.
Many Thanks
Jim
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 21:57:12, 11/06/2006
+ Report-Checksum: 4692BA6A
+ Scan result:
No infected objects found.
::Report End
JimboMac
2006-06-12, 00:23
Phil
Here's the Hijack This log.
My computer seems to be running a good bit faster now; IE is certainly loading faster. I cannot thank you enough for your efforts to date and will await your further advice. Jim
Logfile of HijackThis v1.99.1
Scan saved at 22:21:07, on 11/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Anti Spyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\ntl\ntl Netguard\IdxClnR.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\ntl\ntl Netguard\IdxClnR.exe"
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://support.fujitsu-siemens.com
O16 - DPF: PCPitstop-Tracks-Checker - http://www1.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145905508062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
pskelley
2006-06-12, 18:13
Hi Jim, thanks for the feedback. It looks like the LOP item is gone, probably removed by HJT. If you ever run into a a situsation where you can not delete a file that you know is bad, do it in safe mode:
http://www.bleepingcomputer.com/tutorials/tutorial61.html
Looking at your last log with the understanding that you want the remnants of: eTrust Internet Security Suite removed from the computer. If this is not the case, stop and make me aware.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Program Files\CA\ <<< delete the folder
if you can't see the folder, you may have to enabled hidden files:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html <<< instructions
That should take care of the issue, since your HJT log is clean,
here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Here are suggestions that may help your computer to run better:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
http://www.techbuilder.org/recipes/59201471
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
JimboMac
2006-06-13, 14:49
Phil. System certainly much better now - no popups today!
I am about to work my way through the rest of the priceless - literally! - advice. I cannot thank you enough for your efforts. f you ever come to Scotland, I'll buy you a large Scotch, with pleasure!
Jim
pskelley
2006-06-13, 16:17
Thanks Jim, I am looking at flights now:laugh:
You stay safe now:bigthumb:
:laugh:
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.
Glad we could help. :)