Author Topic: Help to get rid of crap slowing down my machine. (Read 1974 times)

tmirelle · « **on:** October 18, 2005, 01:27:43 PM »

Hi all,

I met one of you a few weeks back at Brewsky's.

Was told to set up here to get some help.

What should I do to clean up my machine, and what (hopefully free) software should I install to keep this stuff from getting on my machine?

Thanks for your help, 'cause I am going nuts!!

guestolo · « **Reply #1 on:** October 19, 2005, 12:02:45 AM »

Howdy tmirelle
How you doing!
Brewsky's, I think you mean Bleu Coyotes

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'

\' />
Can you post a hijackthis log please

It's quite safe,
Here's the instructions, I usually ask that you register to the forum
It's free and simple
Use any user name you feel comfortable with
Afterwards, come back here and post the Hijackthis log into this thread

Here's the instructions,
Download Hijackthis.exe from my signature below
Save it too a permanent folder on your drive

Run Hijackthis.exe
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important

Take a look at this link

I'll try and look at it first chance I get.....

tmirelle · « **Reply #2 on:** October 19, 2005, 01:39:40 AM »

Thanks!

Here is the Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:48 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\tacqjpdp.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\system32\Yreguu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tanya Vaughan\My Documents\My Downloads\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [bOl2] C:\WINDOWS\tacqjpdp.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Gyothw.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Yreguu.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsu[censored]a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

guestolo · « **Reply #3 on:** October 19, 2005, 07:21:01 PM »

I'm going to ask you to run a few free tools on your computer
You can hang onto all of these
All scan's don't take that long, except for Ewido may take a half hour or so

Let's get started, can you first do the following

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Don't run this yet, we'll need it in a bit
Alternate download location if having trouble with the first link

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, IF you get a warning "Database could not be found!". Click OK. We'll fix that next
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

If you don't have the latest versions of the below software
Uninstall your versions from add/remove programs and then

Download and Install Ad-Aware SE Personal 1.06
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When installing, Ad-Aware may prompt to update, allow it but don't run a scan yet

Download and Install Spybot 1.4 from
HERE
or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Don't run a scan yet
Note: When updating if you get bad checksum error
Do another search for updates and try another download location from the drop down menu

Ensure the above software is installed and all up to date
Please Print this out or save these instructions to a Notepad file and save it to your Desktop for reference

Do another scan with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [bOl2] C:\WINDOWS\tacqjpdp.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Gyothw.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Yreguu.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Access your Add/Remove programs and remove if found
MS Updates
MS AUpdate
IstSvc
ISTbar
Internet Optimizer

Finally, if you didn't get convinced into paying for SpyHunter
Remove it also, Although it's no longer on the rogue list, I still have trouble trusting it's effectiveness
Here's a quote from a trusted site that reviews SpywareRemoval tools

Quote

SpyHunter -- at least in its current state -- cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize

RESTART your Computer in SAFE MODE without Networking
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode, do the following

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files
DECLINE to Log off or Restart when scan is done.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer
Please restart back to safe mode

Back in safe mode
Open Spybot 1.4
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected promblems in RED

Restart back to Normal mode

Back in Windows
Please run hijackthis again and supply a fresh log
Also include the full report from Ewidos

tmirelle · « **Reply #4 on:** October 20, 2005, 12:59:59 PM »

OK,

Performed all the actions you listed.

New Hijack this Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:51:11 AM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Documents and Settings\Tanya Vaughan\My Documents\HJK\hijackthis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsu[censored]a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

Ewidos log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         9:25:14 AM, 10/20/2005
+ Report-Checksum:      4B96F22D

+ Scan result:

   HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Spyware.MoneyTree : Cleaned with backup
   HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Spyware.MoneyTree : Cleaned with backup
   HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID\\ -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Spyware.MoneyTree : Cleaned with backup
   HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Spyware.MoneyTree : Cleaned with backup
   HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1\CLSID\\ -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001} -> Spyware.SafeSurfing : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}\TypeLib\\ -> Spyware.MoneyTree : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} -> Spyware.SideFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543}\TypeLib\\ -> Spyware.SideFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} -> Spyware.SideFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F}\TypeLib\\ -> Spyware.SideFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB} -> Spyware.MoneyTree : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671} -> Spyware.SideFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA} -> Spyware.SideFind : Cleaned with backup
   HKLM\SOFTWARE\dealhelper -> Spyware.DealHelper : Cleaned with backup
   HKLM\SOFTWARE\dealhelper\KeyWord -> Spyware.DealHelper : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\SideFind -> Spyware.SideFind : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dealhelper -> Spyware.DealHelper : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Spyware.MoneyTree : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
   HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\PowerScan -> Spyware.PowerScan : Cleaned with backup
   HKU\S-1-5-21-2000478354-789336058-839522115-1004\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
   HKU\S-1-5-21-2000478354-789336058-839522115-1004\Software\IST -> Spyware.ISTBar : Cleaned with backup
   HKU\S-1-5-21-2000478354-789336058-839522115-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
   HKU\S-1-5-21-2000478354-789336058-839522115-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
   HKU\S-1-5-21-2000478354-789336058-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
   HKU\S-1-5-21-2000478354-789336058-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
   HKU\S-1-5-21-2000478354-789336058-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
   HKU\S-1-5-21-2000478354-789336058-839522115-1004\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
   HKU\S-1-5-21-2000478354-789336058-839522115-1004\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
   C:\Documents and Settings\Tanya Vaughan\My Documents\HJK\backups\backup-20051019-233658-136.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
   C:\Documents and Settings\Tanya Vaughan\My Documents\My Downloads\AdobePhotoshop Total Training Video Workshop.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Tanya Vaughan\My Documents\My Downloads\Advanced PDF Password Recover.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Tanya Vaughan\My Documents\My Downloads\Advanced PDF Password Recovery 2.21.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Tanya Vaughan\My Documents\My Downloads\TopStyle Pro v3.0 RC2 crack\crackmasters.exe/loadadv458.exe -> TrojanDownloader.Small.brk : Cleaned with backup
   C:\Documents and Settings\Tanya Vaughan\My Documents\My Downloads\TopStyle Pro v3.0 RC2 crack\crackmasters.exe/loadadv458.exe -> TrojanDownloader.Small.brk : Cleaned with backup
   C:\Documents and Settings\Tanya Vaughan\My Documents\My Downloads\TopStyle Pro v3.0 RC2 crack.zip/crackmasters.exe/loadadv458.exe -> TrojanDownloader.Small.brk : Cleaned with backup
   C:\Documents and Settings\Tanya Vaughan\My Documents\My Downloads\TopStyle Pro v3.0 RC2 crack.zip/crackmasters.exe/loadadv458.exe -> TrojanDownloader.Small.brk : Cleaned with backup
   C:\Program Files\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
   C:\Program Files\Internet Optimizer\optimize.exe -> Spyware.InternetOptimizer : Cleaned with backup
   C:\Program Files\SideFind\sfbho.dll -> Spyware.SideFind : Cleaned with backup
   C:\WINDOWS\system32\dun.exe -> Spyware.DealHelper : Cleaned with backup
   C:\WINDOWS\system32\Gyothw.exe -> Spyware.DealHelper : Cleaned with backup
   C:\WINDOWS\system32\HookPopup.dll -> Spyware.DealHelper : Cleaned with backup

::Report End

guestolo · « **Reply #5 on:** October 20, 2005, 10:02:16 PM »

That looks better, can you look for the following please

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Find and delete the following files and folders if they exist

C:\WINDOWS\system32\Yreguu.exe <-this file
C:\WINDOWS\system32\qlink32.dl <-file
C:\WINDOWS\tacqjpdp.exe <-file
C:\WINDOWS\nem220.dll <-file

C:\Program Files\Enigma Software Group <-folder
C:\Program Files\ISTsvc <-folder

Go back and hide hidden files and folders
I would leave
"Hide Extensions for known file types"
Unchecked

I don't usually recommend what to fix on startup if it's legit
But, if you would like to trim down your startup items

All the below are not needed on startup and can increase your startup time and system resources if you disable them
Programs work fine without them
The below are legitimate but unneeded

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

You can disable the above with Hijackthis or msconfig
I prefer to use Codestuff's Starter
Click the Starter link at the top of the page
It's a small download that you unzip to a folder
Very efficient and practical, take a look at it

Restart your computer after disabling what you don't need on startup
You can use the following links to see what you really need running on startup
Of course, you must keep your firewall and AV running
The rest is user preference, don't let a program push it on you
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://www.sysinfo.org/startuplist.php?off...&count=&filter=
You don't need utimate troubleshooter, codestuff's starter is free

Finally, If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2

Also, open Spybot 1.4
Click on the immunize button>>Click OK>>Click Immunize again at the top menu bar
Do this after every update

Let me know how everything's running

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

nunya53 · « **Reply #6 on:** October 24, 2005, 08:39:36 PM »

First, let me say hello...I'm new.

I had a problem last week and followed this tutorial to a "T". Although it was written for someone elses problem, I did have many of the same programs on my computer as tmirelle and I was successful at cleaning them off. I do, however, still have one annoying bit of spyware on my computer. If I go to my university's website, I get "student" type pop-ups and if I to a map website such as yahoo or google maps, I get travel related pop-ups, and so on...not many, just one or two but I want them GONE!

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:29:40 PM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\tunebite\tunebite.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu[censored]a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Any help would be greatly appreciated.

Thanks,

Jerry

tmirelle · « **Reply #7 on:** October 24, 2005, 11:14:56 PM »

Me again,

Performed all of the actions listed, but something weird has happened.

the appearance of my windows and buttons seems to have reverted to Win 98 style, and the XP option is no longer there.

Any suggestions?

Thanks

T

guestolo · « **Reply #8 on:** October 24, 2005, 11:24:10 PM »

Hi again, this problem has happened before

Can you do the following please

Try this
Can you right click an empty spot on the desktop
Left click properties

Under the appearance tab
Select Windows XP style under Windows and buttons

If that doesn't work

Can you do a SEARCH on your computer for

Luna.msstyles

Make sure you type that in properly or copy and paste it
Also in Search under the Advanced options ensure the top 3 entries are selected which includes Search Hidden Files and folders

If Luna.msstyles is found
Let me know the exact location and size

Additionally, Download find.zip
and UNZIP the contents too desktop

Double click on Find.bat and post the contents
Do the Same with Find1.bat

tmirelle · « **Reply #9 on:** October 25, 2005, 11:33:41 AM »

Didn't find Luna.msstyles

but did a second search just for Luna and found a folder called

C:\WINDOWS\Resources\Themes\Luna - 1.03 MB
C:\WINDOWS\Resources\Themes\Luna.theme - 2kb
C:\WINDOWS\system32\dllcache\luna.mst - 3.99 MB

Here are the other results that you asked for...

find bat:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"

find1 bat:

Volume in drive C has no label.
Volume Serial Number is FC38-1911

Directory of C:\WINDOWS\Resources\Themes

09/28/2005 09:59 AM <DIR> .
09/28/2005 09:59 AM <DIR> ..
10/19/2005 11:47 PM <DIR> Luna
08/04/2004 05:00 AM 1,222 Luna.theme
08/04/2004 05:00 AM 3,025 Windows Classic.theme
2 File(s) 4,247 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna

10/19/2005 11:47 PM <DIR> .
10/19/2005 11:47 PM <DIR> ..
09/28/2005 09:57 AM <DIR> Shell
0 File(s) 0 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna\Shell

09/28/2005 09:57 AM <DIR> .
09/28/2005 09:57 AM <DIR> ..
09/28/2005 09:58 AM <DIR> Homestead
09/28/2005 09:59 AM <DIR> Metallic
09/28/2005 09:57 AM <DIR> NormalColor
0 File(s) 0 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead

09/28/2005 09:58 AM <DIR> .
09/28/2005 09:58 AM <DIR> ..
08/04/2004 05:00 AM 362,496 shellstyle.dll
1 File(s) 362,496 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic

09/28/2005 09:59 AM <DIR> .
09/28/2005 09:59 AM <DIR> ..
08/04/2004 05:00 AM 362,496 shellstyle.dll
1 File(s) 362,496 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor

09/28/2005 09:57 AM <DIR> .
09/28/2005 09:57 AM <DIR> ..
08/04/2004 05:00 AM 361,472 shellstyle.dll
1 File(s) 361,472 bytes

Total Files Listed:
5 File(s) 1,090,711 bytes
17 Dir(s) 17,874,575,360 bytes free

tmirelle · « **Reply #10 on:** October 25, 2005, 11:34:35 AM »

Didn't find Luna.msstyles

but did a second search just for Luna and found:

C:\WINDOWS\Resources\Themes\Luna - 1.03 MB
C:\WINDOWS\Resources\Themes\Luna.theme - 2kb
C:\WINDOWS\system32\dllcache\luna.mst - 3.99 MB

Here are the other results that you asked for...

find bat:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"

find1 bat:

Volume in drive C has no label.
Volume Serial Number is FC38-1911

Directory of C:\WINDOWS\Resources\Themes

09/28/2005 09:59 AM <DIR> .
09/28/2005 09:59 AM <DIR> ..
10/19/2005 11:47 PM <DIR> Luna
08/04/2004 05:00 AM 1,222 Luna.theme
08/04/2004 05:00 AM 3,025 Windows Classic.theme
2 File(s) 4,247 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna

10/19/2005 11:47 PM <DIR> .
10/19/2005 11:47 PM <DIR> ..
09/28/2005 09:57 AM <DIR> Shell
0 File(s) 0 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna\Shell

09/28/2005 09:57 AM <DIR> .
09/28/2005 09:57 AM <DIR> ..
09/28/2005 09:58 AM <DIR> Homestead
09/28/2005 09:59 AM <DIR> Metallic
09/28/2005 09:57 AM <DIR> NormalColor
0 File(s) 0 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead

09/28/2005 09:58 AM <DIR> .
09/28/2005 09:58 AM <DIR> ..
08/04/2004 05:00 AM 362,496 shellstyle.dll
1 File(s) 362,496 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic

09/28/2005 09:59 AM <DIR> .
09/28/2005 09:59 AM <DIR> ..
08/04/2004 05:00 AM 362,496 shellstyle.dll
1 File(s) 362,496 bytes

Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor

09/28/2005 09:57 AM <DIR> .
09/28/2005 09:57 AM <DIR> ..
08/04/2004 05:00 AM 361,472 shellstyle.dll
1 File(s) 361,472 bytes

Total Files Listed:
5 File(s) 1,090,711 bytes
17 Dir(s) 17,874,575,360 bytes free

guestolo · « **Reply #11 on:** October 25, 2005, 07:40:43 PM »

You and I are both running the English version of XP with SP2
I'm uploading a file below called Luna.zip, can you save it to your desktop please, don't unzip it yet

Download and Unzip to desktop
Fix.zip, so you now have Fix.reg on the desktop

Double click on Fix.reg and allow to add or merge to the registry

Restart your computer
Back in Windows

UNZIP Luna.zip only to the following folder
C:\WINDOWS\Resources\Themes\Luna <-this folder
So you now have luna.msstyle extracted to the Luna folder

Now open your Display Properties and see if you can change to Windows XP Under the Themes and Appearance tabs

Let me know how things are running

tmirelle · « **Reply #12 on:** October 25, 2005, 09:40:05 PM »

Worked like a dream!!!

Thanks!

Definitely owe you a beer... or two!

T

Know anything about DVD Burners & Roxio?

I used Roxio Easy Media Creator 7

I backed up all my files to DVD prior to reformatting my hard drive.

I can see everything on the dvd, all the files and folders, but when I try to open anything (even by copying it back to my HD first) it says that the file is not recognized.

All the files have size... http://www3.telus.net/tmirelle/screen2.html

Paid for isobuster, and canonly get some of the files of but with no names and no directory structure... AAARGH!

(Tried a Roxio discussion group & got nowhere there).

guestolo · « **Reply #13 on:** October 25, 2005, 09:48:03 PM »

I'll look into it for you, I have to step out for a bit, but I'll get back

One note:
Did you disable this item with Codestuff starter?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

Just asking, not that it has anything to do with your problem

Here's what it's related too

Code: [Select]

Optionally installed with some DVD drives (LG, Panasonic, etc). Disables Windows XP's CD-burning abilities because they cause some incompatibilities. It does not affect your ability to burn CDs. If you do not have this program running, you may have some compatibility issues with burnt DVDs

But it is not always required to be running

If this started after you disable that item, please go back to Starter and reenable it

tmirelle · « **Reply #14 on:** October 25, 2005, 10:06:36 PM »

Thanks, I'll give it a try...

FYI I did this before we started doing anything, so I don't think it would be related to disabling a startup item.

T

guestolo · « **Reply #15 on:** October 25, 2005, 10:21:25 PM »

Hey T, I've got an idea, I've pm'ed you, just want to try something

I'll check back later

Guest_Chris_* · « **Reply #16 on:** October 29, 2005, 03:39:12 PM »

hey i got that loadadv458 on my desktop

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/mad.gif\' class=\'bbc_emoticon\' alt=\':angry:\' /> and heres the log file.

Logfile of HijackThis v1.99.1
Scan saved at 4:40:06 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\VERIZO~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Common Files\AOL\1126043299\ee\AOLSoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Verizon Online\Verizon Online Support Center\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\My Documents\hijackthis.exe
C:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.Email Removed/s/search?r=minisearch\' target=\'_blank\' rel=\'nofollow\'>http://my.Email Removed/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FFDA4F6F-2EA3-4942-9420-E42880965A3A} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126043299\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - Startup: LyricsAMP Auto-Update!.lnk = C:\Program Files\Windows Media Player\Plugins\LyricsAMP\WiseUpdt.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\Verizon Online Support Center\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120425676011
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126810707781
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Guest_Chris_* · « **Reply #17 on:** October 29, 2005, 03:46:14 PM »

oh and also somehow it got to my k drive i just reformated it yesterday and now its the onyl thing on there so now its on my desktop and my k drive. help please.

csp312 · « **Reply #18 on:** October 29, 2005, 03:48:57 PM »

oh heres my regestred name sorry

News:

Author Topic: Help to get rid of crap slowing down my machine. (Read 1974 times)

tmirelle

Guest_Chris_*

Guest_Chris_*