JOE-J

Adware/Startpage.GX,Spyware/SurfSideKick


I just ran all the others. Nothing showed up in two of them, but the "Yun" one had several and I deleted all of them. Where do we go from here? I ran a registry clean up and then went and ran the Panda, but it still showed. I will reboot and try it again. :unsure:

Edited by JOE-J


Is it at all possible that Panda is showing a false positive? I know I'm not qualified to put forth such observations but I was only thinking that if Panda is the only scanner showing this, then maybe it's a false positive.

 

I don't know what is considered "interference" but maybe Joe should contact Panda with this info?

 

Also, may I suggest the Trend online scan which scans for virus and spyware???

 

 

Sorry if I overstepped my bounds once again.

 

Joe, I am not a "trusted hijack this advisor". This advice is not directed at you. I am simply asking a "trusted hijack this advisor" and hopefully they will tell you whether my advice is sound or not.

 

Sincerely

Steve


Steve:

Thank you much for your input. I am trying all the things that are suggested. I did show on the Panda that I had the surfsidekick, and then it didn't show, but I was reading another post, and just ran the Spy doctor and found it there. Removed again; also below is the log on that one. I did go back to Panda, and the startpage is still there. :beer:

 

Spyware Doctor Activity Report

Generated on 6/11/2005 2:41:47 PM

 

 

Scans (basic information only):

 

Scan Results:

scan start: 6/11/2005 2:42:00 PM

scan stop: 6/11/2005 2:54:57 PM

scanned items: 64079

found items: 8

found and ignored: 0

tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner

 

 

 

Infection Name | Location | Risk
Common Components for GAIN | joe@belnk[1].txt | Medium
Advertising | joe@com[1].txt | Low
Common Components for GAIN | joe@dist.belnk[2].txt | Medium
CrackSpider | C:\Documents and Settings\JOE\Favorites\Freeman CrackLinks | Medium
CrackSpider | C:\Documents and Settings\JOE\Favorites\Freeman CrackLinks\!!! CrackPortal.com - Cracks, serial numbers.....url | Medium
CrackSpider | C:\Documents and Settings\JOE\Favorites\Freeman CrackLinks\NeedCrack.us - Cracks search engine.url | Medium
CrackSpider | C:\Documents and Settings\JOE\Favorites\Freeman CrackLinks\TheCrack.us - Cracks arhive.url | Medium
SurfSideKick | C:\Documents and Settings\JOE\Local Settings\Temporary Internet Files\Ssk.log | Elevated

 

 


The best tool for scanning the system for malware is mwavscan.

It won't fix anything (unless you buy it) but it will give us a report.

If you want, run it. Keep in mind it will take a while to run.

 

 

Click here http://www.mwti.net/download/tools/mwav.exe to download mwavscan.

Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane.

Highlight it, CTRL C and paste it in your next reply.

It's going to take a while to scan and if you get a pop-up to buy the program, just X it out.


Joe,

 

Although we know crookedwilly is only trying to help, the forum rules strictly state NOT to post suggestions in this topic area unless properly trained in malware removal. Therefore, he has been warned against further posting in the HijackThis Logs forum.

 

noahdfear

Edited by noahdfear


I told him to disregard all of my advice. Please remove your words that are posted with my name. Do that, and I will visit this forum no more.

 

Steve

 

 

Steve,

 

I will do no such thing. You are welcome in this forum, and if you have experience/training in malware removal, please give us links so we can verify, then if the moderators agree, you can be added to the list of Trusted Advisors.

It wasn't the fact you told him to disregard your posts that caused me to edit your last one, it was the way in which you did so.

 

Please observe posting rules if you wish to remain a member of the PCPitstop forums!

 

noahdfear

Edited by noahdfear


crookedwilly

 

I've never banned anyone for offering some advice on the pitstop...

 

 

You're coming very close to being my first...this is a no man's land here...if you don't have the training then stay the hell off this section of the forums...we're not going to allow you to wreck someone's machine here...

 

 

You have any questions on this...don't post them here...PM me.


That's understood and I will post no more advice.

 

But, if you can honestly say that anything I said could wreck someone's computer then I don't know what to think.

 

I'm trying to be polite. I didn't read the rules and screwed up. Please accept my apology. There is no need for me to be spoken to in the manner that you people are speaking to me. I don't even talk to my dog like that.

 

As I said already, I will no longer post anything in this forum.

 

Steve


Thank you Steve...it's important that folks know what can happen with faulty advice..even well meant advice can make a machine no longer bootable or able to connect to the internet....

 

Sorry if we came off as harsh...but we have to make sure folks know what's good advice and what may be questionable advice...


when it is completed, anything found will be displayed in the lower pane.

Highlight it, CTRL C and paste it in your next reply.

 

Did you save the file names and location? You should have seen a list of files and locations.


Hi Joe!

 

Unfortunately, that log doesn't show us what it found, only how many. :mrsgreen:

 

I have to ask that you run MWAV again, this time with the instructions below. Sorry, I know it takes a long time. :shrug:

 

Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower pane of the scanning window labeled Virus Log Information and post it here.


:lol::woot: OK, here is the complete log from the scan. I am not sure who is helping anymore, but it doesn't make any difference, as long as I get good help.

 

I think it will take as long to read and understand it all, as it took to get the scan, but let's hope that it will give us some information. I did see some entries on there that I had taken off and some last Nov. when JAYCEE helped to clean up. I never put it back on, so some of the stuff gets taken off, but leaves residue on other places that we can't even find or the name changes in some cases.

 

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\installer_VENDARE4.exe". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\system32\pcpbios.exe". Action Taken: No Action Taken.


File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Documents and Settings\All Users\Documents\My Received Files\Good Picture.exe tagged as not-a-virus:Joke.Win32.Oups. No Action Taken.

File C:\Program Files\2nd Story Software\TaxACT 2000\Unst00.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\2nd Story Software\TaxACT 2000\Unta00.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Real\RealPlayer\~Upg28\vtuner.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\My Documents\My Received Files\Good Picture.exe tagged as not-a-virus:Joke.Win32.Oups. No Action Taken.

File D:\Download Files\ta00dxdw.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\Download Files\ta00wi.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File E:\Download Files\2nd Story Software\TaxACT 2000\Unst00.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File E:\Download Files\2nd Story Software\TaxACT 2000\Unta00.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File E:\Download Files\ta00dxdw.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File E:\Download Files\ta00wi.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

 

Please advise what you all think after you get your heads together. If there is to be just one spokesman for the topic, please get together however you do it and come up with the right answer. Thanks for all that you guys have done. I know that it is not a complete loss, as I did get some fragments of other programs off that I didn't know were on, as they would not show on the searching anywhere. :beer: :cheers::cheers:


LDTate is handling your cleanup, so please wait for his instructions. Advisors do sometimes discuss various topics/solutions, but I only poked in with more detailed instructions to help get the information he required. You're in good hands. Hang in there! ;)


Go Here and submit Good Picture.exe for scanning.

D:\My Documents\My Received Files\Good Picture.exe

 

 

I recommend you download RegSeeker. Extract it to its own folder, open and double click RegSeeker.exe to start the program. Maximize the window and click clean registry. Check all sections and click OK. When the scan is complete, verify the backup box in lower left corner is checked and click the select all button, then select all again. Then right click within the search results and select delete. Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. A reboot may be required for the effects to be seen. When done, scan again with MWAV and post a new log.

Edited by LDTate


FIRST OF ALL I THANK YOU FOR YOUR TIME. YOU HAVE GIVEN ME A LOT OF INFORMATION AND PROGRAMS THAT I DIDN'T KNOW WERE THERE. THE REGISTRY PROGRAM IS THE BEST I HAVE SEEN AND USED. I KNOW THAT IT HAS TAKEN ME SOME TIME TO DO ALL OF YOUR SUGGESTIONS, BUT WHILE I WENT THROUGH SOME, I WAS ABLE TO GET RID OF SOME OF THE PROGRAMS THAT I NO LONGER NEEDED & SOME OF THE FRAGMENTS OF SOME OF THE PROGRAMS THAT I HAD DELETED AND UNINSTALLED. THE PROGRAMS CAUGHT THEM. ON THE LOG, I DID GET RID OF THE TAXACT SOFTWARE, THAT WAS FORGOTTEN, BUT DIDN'T TAKE THE EXTRA HOURS TO RERUN THE PROGRAM.

THE GOOD PICTURE IS A JOKE AND I HAVE HAD IT ON FOR SEVERAL YEARS, SO I KNOW (AND I SCANNED IT AGAIN) IT HAS NO VIRUSES OR ADWARE/SPYWARE. I DID GET THE RESULTS DOWN AND THAT IS WHERE I SIT NOW. PANDA STILL SHOWS THE STARTPAGE.GX AS BEING ON. SYSTEM RESTORE IS CLEANED, AND THE COMPRESSED FILES ON THE DISK CLEANUP IS CLEAR. RESET TO 125 DAYS. I HAVE LEARNED A LOT, BUT STILL NEED THE HELP OR SUGGESTIONS TO RID THE PROGRAM FROM PANDA. IT MAY BE IN ONE OF THE FILES THAT SHOWS ON THE LOG, BUT DON'T KNOW HOW TO FIND IT. :wub:

 

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\installer_VENDARE4.exe". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\system32\pcpbios.exe". Action Taken: No Action Taken.

File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Documents and Settings\All Users\Documents\My Received Files\Good Picture.exe tagged as not-a-virus:Joke.Win32.Oups. No Action Taken.

File C:\Program Files\Real\RealPlayer\~Upg28\vtuner.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\My Documents\My Received Files\Good Picture.exe tagged as not-a-virus:Joke.Win32.Oups. No Action Taken.

File E:\Download Files\2nd Story Software\TaxACT 2000\Unst00.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File E:\Download Files\2nd Story Software\TaxACT 2000\Unta00.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

 


 

THANK YOU VERY MUCH, I KNOW THAT EVEN IF I DON'T GET RID OF THE STARTPAGE.GX, I HAVE A MUCH CLEANER COMPUTER.

 

 

 

:cheers::cheers:

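Comparing the MWAV log from before the RegSeeker pass with the one from after it, as an added example that is not part of the original thread: the script parses the three line shapes seen in the pasted logs, removes repeats, and reports which findings were cleared and which persist. The line patterns are inferred from the log lines in this thread rather than from MWAV documentation, the kind labels and function names are this example's own, and the two sample logs are a shortened subset of the lines posted above.

```python
import re
from collections import Counter
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str     # detection | stale_reference | riskware | malware (labels are this example's own)
    subject: str  # object name, registry key, or file path
    detail: str   # where it was found, the dangling target, or the verdict tag


# Line shapes inferred from the log text in this thread (assumption).
# "O?bject" tolerates a first character clipped during copy/paste.
PATTERNS = [
    ("object", re.compile(r'^O?bject "(?P<s>[^"]+)" found in (?P<d>[^!]+)!')),
    ("entry", re.compile(r'^Entry "(?P<s>[^"]+)" refers to invalid object "(?P<d>[^"]+)"')),
    ("file", re.compile(r'^File (?P<s>.+?) tagged as (?P<d>\S+)\.(?:\s|$)')),
]


def parse_line(line):
    """Return a Finding for one log line, or None if the line is not recognised."""
    line = line.strip()
    for shape, rx in PATTERNS:
        m = rx.match(line)
        if not m:
            continue
        if shape == "object":
            kind = "detection"        # scanner names a spyware/adware family
        elif shape == "entry":
            kind = "stale_reference"  # registry value pointing at something missing
        elif m["d"].startswith("not-a-virus:"):
            kind = "riskware"         # tool/joke verdicts, not a malware verdict
        else:
            kind = "malware"
        return Finding(kind, m["s"], m["d"])
    return None


def parse_log(text):
    """Parse a pasted log into a de-duplicated set of findings plus unparsed lines."""
    findings, unparsed = set(), []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        finding = parse_line(raw)
        if finding is None:
            unparsed.append(raw)
        else:
            findings.add(finding)
    return findings, unparsed


def compare(before, after):
    """Split findings into cleared, still present, and newly appeared."""
    return {
        "resolved": sorted(before - after),
        "persisting": sorted(before & after),
        "new": sorted(after - before),
    }


def count_by_kind(findings):
    return dict(Counter(f.kind for f in findings))


# Sample input: shortened subset of the first log posted in this thread.
BEFORE_LOG = r"""
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\installer_VENDARE4.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\system32\pcpbios.exe". Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\2nd Story Software\TaxACT 2000\Unst00.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\My Documents\My Received Files\Good Picture.exe tagged as not-a-virus:Joke.Win32.Oups. No Action Taken.
File D:\Download Files\ta00wi.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
"""

# Sample input: shortened subset of the second log (first line clipped, as pasted).
AFTER_LOG = r"""
bject "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\installer_VENDARE4.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\system32\pcpbios.exe". Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\My Documents\My Received Files\Good Picture.exe tagged as not-a-virus:Joke.Win32.Oups. No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
"""

if __name__ == "__main__":
    before, _ = parse_log(BEFORE_LOG)
    after, _ = parse_log(AFTER_LOG)
    diff = compare(before, after)
    for bucket, items in diff.items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  [{f.kind}] {f.subject} -> {f.detail}")
    print("persisting by kind:", count_by_kind(diff["persisting"]))
```

Lines the parser does not recognise are returned separately rather than dropped, so a changed log format shows up as unparsed input instead of a silently shorter report.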

I DID FORGET TO ADD A SUGGESTION TO YOU. THAT IS WHEN YOU ARE DOING YOUR HJT STUFF, THAT BESIDES RUNNING THE SPYWARE SCANS, THAT YOU ADD THE REGISTRY SCAN TO IT. IT MAY MAKE EASIER READING. AS I SAID IT IS THE BEST ONE I HAVE USED. AND I HAVE OR HAD THREE DIFFERENT ONES ON THE COMPUTER TO RUN. :rocks:


THAT BESIDES RUNNING THE SPYWARE SCANS, THAT YOU ADD THE REGISTRY SCAN TO IT. IT

Any time you make changes to the registry you want to be sure you know what you're doing. If that program isn't used correctly, one could kill their system.

 

Reboot and "copy/paste" a new HJT log file into this thread.

Also please describe how your computer behaves at the moment.


Here is the HJT log. As far as the computer reacts is no different than before. Just knowing that it is cleaned up HELPS. The Startpage.GX still shows from the PANDA SCAN. That is what we started to clean up and haven't got it off, but the rest of the computer is cleaner. I do read what I take off, but I didn't know what had been left on, as I couldn't find anything with the programs I used, and not knowing what some symbols meant, I didn't remove them.

 

Logfile of HijackThis v1.99.1

Scan saved at 5:45:09 PM, on 6/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\System32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\msdtc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\windows\system32\wdfmgr.exe

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\MSN\MSNCoreFiles\msn6.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Trillian\trillian.exe

E:\My Documents\jeffsoldman\Receive\HijackThis.exe

 

F2 - REG:system.ini: UserInit=C:\windows\system32\Userinit.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://excite.com"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOE\Application Data\Mozilla\Profiles\default\ehr3m59m.slt\prefs.js)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.pandasoftware.com

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.191.103.218:6970/tsweb/msrdp.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) -

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://pa1.fnismls.com/Paragon/Codebase/SystemChecker.cab

O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...504/mcfscan.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


:rolleyes: Well here is the log from that one. I did not run a fix. I just made a backup. I could see where that was anything that was really wrong. The other registry programs changed them, or never caught them.

 

RegistryFix Version = 3.0

 

Windows XP Professional Edition Service Pack 2

 


Here it is. We did run the one program you recommended and I deleted those files. That was the YUM.

 

 

Common name: Startpage.GX

Technical name: Adware/Startpage.GX

Threat level: Low

Alias: Trj/Startpage.GX, winsearchie32, Yun, up-search

Type: Spyware

Subtype: Adware

Effects: It collects information on Internet usage and the applications installed in the computer and uses it to display pop-up advertisements.

Affected platforms: Windows XP/2000/NT

First detected on: July 9, 2004

Detection updated on: May 12, 2005

In circulation? No

Brief Description

Startpage.GX is adware.

Adware is a license form for using programs, which offers the application at the only cost of viewing a series of advertisements. However, these programs sometimes collect data on Internet usage habits, pages viewed, inventory of the applications installed in the computer, etc.

Then, this information can be sent to Internet advertising companies.

Last updated: May 12, 2005

Effects

Startpage.GX carries out the following actions:

It collects user details, such as Internet usage, pages viewed, phone connection details, inventory of the applications installed in the computer, etc.

It uses this information to display pop-up advertisements.

Means of transmission

Startpage.GX does not use any specific means to spread. It can reach computers through any of the means normally used by viruses: CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.

Further Details

Other interesting characteristics of Startpage.GX are:

The file that carries out the infection is 6240 bytes.

It is compressed with Upx.

 

I can go back and look and rerun the "YUM" thing if you want me to???
