Options
ad pop ups - suspected urqqp.dll - politik
Howdy guys. First let me say hats off to you guys and what you do. DIY at it's finest.
So I'm getting pop ups like "Your computer has been infected by the Beagle Virus" and I get adds for the product "SystemProtect" (? spelling may be off). If I close any of the ads it spawns even more. My temporary fix has been just to leave the inital window alone and work around it but my system is running slow. I've actually had this problem for a while, but I've been lurking thru other threads and following the suggestions hoping I could lick this on my own but now I need the help of pros. I previously had the virtumondo.c virus but I followed suggestions posted and i was virus free for a bit. but this is a new round of ads.
Here are the products I have installed and used so far:
HiJackThis
Ad-Aware SE Personal
CCleaner
SpyWare S&D
SpywareBlaster
Windows Defender
Also did the suggested Panda online scan too. All products don't detect anything known. Internet searches for urqqp don't give me anything useful and it wasn't in the HiJackThis database. I think these are the culprits:
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINNT\system32\urqqp.dll
O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINNT\system32\fcccc.dll
Registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqqp
searching the registry for fcccc.dll doesn't find anything
O20 - Winlogon Notify: fcccc - C:\WINNT\system32\fcccc.dll
O20 - Winlogon Notify: urqqp - C:\WINNT\SYSTEM32\urqqp.dll
HiJackThis fixes both but they keep coming back. I searched the registry and delete everything for urqqp but it comes back. Maybe some of the products I'm using are preventing my registry changes from sticking ? I humbly submit my HiJackThis log to the sypware gods for assistance. Thanks in advance. Again you guys RULE !!!!
Logfile of HijackThis v1.99.1
Scan saved at 7:58:23 PM, on 4/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\program files\intelligent stick manager 2 tools2.7\intelligentstick2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\DASTAR\EZTIME~1\EZTimeSync.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Terminator\Quick TV\Scheduled.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\regedit.exe
C:\Documents and Settings\Administrator\Desktop\Spyware Apps\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINNT\system32\urqqp.dll
O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINNT\system32\fcccc.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelligentStick] c:\program files\intelligent stick manager 2 tools2.7\intelligentstick2.exe sys_auto_run C:\Program Files\Intelligent Stick Manager 2 Tools2.7
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [EZTimeSync] C:\PROGRA~1\DASTAR\EZTIME~1\EZTimeSync.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Quick TV Agent] C:\Program Files\Terminator\Quick TV\Scheduled.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: fcccc - C:\WINNT\system32\fcccc.dll
O20 - Winlogon Notify: urqqp - C:\WINNT\SYSTEM32\urqqp.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
So I'm getting pop ups like "Your computer has been infected by the Beagle Virus" and I get adds for the product "SystemProtect" (? spelling may be off). If I close any of the ads it spawns even more. My temporary fix has been just to leave the inital window alone and work around it but my system is running slow. I've actually had this problem for a while, but I've been lurking thru other threads and following the suggestions hoping I could lick this on my own but now I need the help of pros. I previously had the virtumondo.c virus but I followed suggestions posted and i was virus free for a bit. but this is a new round of ads.
Here are the products I have installed and used so far:
HiJackThis
Ad-Aware SE Personal
CCleaner
SpyWare S&D
SpywareBlaster
Windows Defender
Also did the suggested Panda online scan too. All products don't detect anything known. Internet searches for urqqp don't give me anything useful and it wasn't in the HiJackThis database. I think these are the culprits:
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINNT\system32\urqqp.dll
O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINNT\system32\fcccc.dll
Registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqqp
searching the registry for fcccc.dll doesn't find anything
O20 - Winlogon Notify: fcccc - C:\WINNT\system32\fcccc.dll
O20 - Winlogon Notify: urqqp - C:\WINNT\SYSTEM32\urqqp.dll
HiJackThis fixes both but they keep coming back. I searched the registry and delete everything for urqqp but it comes back. Maybe some of the products I'm using are preventing my registry changes from sticking ? I humbly submit my HiJackThis log to the sypware gods for assistance. Thanks in advance. Again you guys RULE !!!!
Logfile of HijackThis v1.99.1
Scan saved at 7:58:23 PM, on 4/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\program files\intelligent stick manager 2 tools2.7\intelligentstick2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\DASTAR\EZTIME~1\EZTimeSync.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Terminator\Quick TV\Scheduled.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\regedit.exe
C:\Documents and Settings\Administrator\Desktop\Spyware Apps\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINNT\system32\urqqp.dll
O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINNT\system32\fcccc.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelligentStick] c:\program files\intelligent stick manager 2 tools2.7\intelligentstick2.exe sys_auto_run C:\Program Files\Intelligent Stick Manager 2 Tools2.7
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [EZTimeSync] C:\PROGRA~1\DASTAR\EZTIME~1\EZTimeSync.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Quick TV Agent] C:\Program Files\Terminator\Quick TV\Scheduled.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: fcccc - C:\WINNT\system32\fcccc.dll
O20 - Winlogon Notify: urqqp - C:\WINNT\SYSTEM32\urqqp.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
0
Comments
You have the latest version of the Vundo infection.
Please download VundoFix.exe to your desktop.
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - (no file)
O2 - BHO: (no name) - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - (no file)
these were the entries associated with fcccc.dll and uppq.dll but since there is no longer a file associated with them, is it ok ?
Also how do I protect from future infections ? I downloaded all the recommended apps I saw in other threads and I followed the suggestions for IE settings but somehow I'm still getting infected.
New logs:
VundoFix V4.2.57
Checking Java version...
Scan started at 11:39:56 PM 4/8/2006
Listing files found while scanning....
C:\WINNT\system32\urqqp.dll
C:\WINNT\system32\fcccc.dll
C:\WINNT\system32\ccccf.ini
C:\WINNT\system32\ccccf.bak1
C:\WINNT\system32\ccccf.bak2
C:\WINNT\system32\ssvyb.bak1
C:\WINNT\system32\ssvyb.bak2
C:\WINNT\system32\ssvyb.ini
C:\WINNT\system32\ssvyb.ini2
C:\WINNT\system32\ccccf.bak1
C:\WINNT\system32\ccccf.bak2
C:\WINNT\system32\ccccf.ini
C:\WINNT\system32\fcccc.dll
C:\WINNT\system32\ssvyb.ini2
C:\WINNT\system32\ssvyb.bak2
C:\WINNT\system32\ssvyb.ini
C:\WINNT\system32\ssvyb.ini2
Attempting to delete C:\WINNT\system32\urqqp.dll
C:\WINNT\system32\urqqp.dll Has been deleted!
Attempting to delete C:\WINNT\system32\fcccc.dll
C:\WINNT\system32\fcccc.dll Has been deleted!
Attempting to delete C:\WINNT\system32\ccccf.ini
C:\WINNT\system32\ccccf.ini Has been deleted!
Attempting to delete C:\WINNT\system32\ccccf.bak1
C:\WINNT\system32\ccccf.bak1 Has been deleted!
Attempting to delete C:\WINNT\system32\ccccf.bak2
C:\WINNT\system32\ccccf.bak2 Has been deleted!
Attempting to delete C:\WINNT\system32\ssvyb.bak1
C:\WINNT\system32\ssvyb.bak1 Has been deleted!
Attempting to delete C:\WINNT\system32\ssvyb.bak2
C:\WINNT\system32\ssvyb.bak2 Has been deleted!
Attempting to delete C:\WINNT\system32\ssvyb.ini
C:\WINNT\system32\ssvyb.ini Has been deleted!
Attempting to delete C:\WINNT\system32\ssvyb.ini2
C:\WINNT\system32\ssvyb.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 11:50:34 PM, on 4/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\program files\intelligent stick manager 2 tools2.7\intelligentstick2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\DASTAR\EZTIME~1\EZTimeSync.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Terminator\Quick TV\Scheduled.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\Desktop\Spyware Apps\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - (no file)
O2 - BHO: (no name) - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelligentStick] c:\program files\intelligent stick manager 2 tools2.7\intelligentstick2.exe sys_auto_run C:\Program Files\Intelligent Stick Manager 2 Tools2.7
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [EZTimeSync] C:\PROGRA~1\DASTAR\EZTIME~1\EZTimeSync.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Quick TV Agent] C:\Program Files\Terminator\Quick TV\Scheduled.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
Thanks again !!!!
You have Windows Defender and SpyBots TeaTimer, which are blockling those entries from being removed. Do the following to disable them:
Windows Defender
1) Open Windows Defender.
2) Click on Tools > General Settings.
3) Scroll Down and Uncheck Turn on real-time Protection (recommended).
4) After you uncheck these, click on the Save button and close Windows Defender.
5) Right click on the Windows Defender icon on the taskbar and select Shutdown Windows Defender.
SpyBots TeaTimer
1) Run Spybot Search & Destroy
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Exit SpyBot
================================================================
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - (no file)
O2 - BHO: (no name) - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - (no file)
- Close ALL open windows (especially Internet Explorer!)
Click Fix Checked
================================================================
Reboot your PC and enable Windows Defender and Spybot TeaTimer again!
Do you know what this is?
c:\program files\intelligent stick manager 2 tools2.7\intelligentstick2.exe