
Background clicks

Discussion in 'Windows XP' started by InfernoReaper, Jul 25, 2006.

Thread Status:
Not open for further replies.
  1. InfernoReaper

    InfernoReaper Thread Starter

    Joined:
    Jun 12, 2006
    Messages:
    1,321
    While I'm connected to the internet and my speakers are on, I hear background clicks, and about a second after I hear them my current window gets unselected.

    This ranges from once to about a 3-click burst and will usually happen one right after the other.
    My guess is spyware or something of the sort.
     
  2. Kitch

    Kitch

    Joined:
    Mar 26, 2005
    Messages:
    1,764
    Are you running a pop-up blocker? This sounds consistent with navigation clicks when pop-ups are attempting to open.
     
  3. InfernoReaper

    InfernoReaper Thread Starter

    Joined:
    Jun 12, 2006
    Messages:
    1,321
    It might be, but it happens all the time on this site.
    The clicks never have a following popup though, so that might be it.
     
  4. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Hi, InfernoReaper. I'd like to check something out. If you would please,

    • Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Doubleclick on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  5. InfernoReaper

    InfernoReaper Thread Starter

    Joined:
    Jun 12, 2006
    Messages:
    1,321
    Next time please just say put up a HJT log, because I think everyone on this site has done it at least once, and I think having 450+ posts would entitle me to some knowledge about how to use HJT.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:23:04 PM, on 7/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\SYSTEM32\Brmfrmps.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\AOL\1148064301\ee\AOLSoftware.exe
    C:\Program Files\WinCustomize\CursorXP.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\Program Files\Brother\Brmfcmon\brmfcwnd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Zango\zango.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.musicmatch.com/download...&OEM=DELL&did=999996965&version=9.00.2053DELL
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D7765C794E2E39C3 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148064301\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\WinCustomize\CursorXP.exe
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero7\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
    O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
     
  6. InfernoReaper

    InfernoReaper Thread Starter

    Joined:
    Jun 12, 2006
    Messages:
    1,321
  7. kingmatt

    kingmatt

    Joined:
    Jan 14, 2003
    Messages:
    270
    Hi,
    what's this?
    http://my.netzero.net/s/search?r=minisearch
    Is it a desired program?
    and this one
    BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D7765C794E2E39C3 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
    Just trying to learn to spot bad guys :)
    Matt
     
  8. InfernoReaper

    InfernoReaper Thread Starter

    Joined:
    Jun 12, 2006
    Messages:
    1,321
    The NetZero is an old internet service I used to use but don't want to remove in case my ADSL goes on the fritz.

    Zango, I believe, is an off program of BearShare, but I don't know how it got on because I've never used BearShare.
    Maybe I got it when I hooked up my comp to the network at the school :confused:
     
  9. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    It's nice to know that I'm working with someone who is familiar with HJT. That should make things easier.

    OK, the first thing is to download a few things.

    I see no antivirus program running. I can recommend a couple of good free ones:

    AVG
    avast

    Please install an antivirus program right away, but choose ONLY ONE and update it at least once a week.

    Next, please download ewido antimalware
    • Install ewido antimalware
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
    • Launch ewido, there should be a big "E" icon on your desktop, double-click it.
    • The program will prompt you to update; click the "OK" button
    • The program will now go to the main screen

      You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start

      The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.


      Now, Click here to download ATF Cleaner by Atribune and save it to your desktop.
      ----------------------------------------------------------------------------

      Open up the Control Panel, find any/all of the following if present, click once to highlight, then click the "Remove/change" button to uninstall:


      • 180 search
      • Anything with zango in the title
      • NetZero Search Enhancements
      • j2re1.4.2_03 (under Java)

      Next, open up HijackThis again, do a system scan only, and when it finishes, place a check before the following lines:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

      R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll

      O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D7765C794E2E39C3 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll

      O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

      O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"

      O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w

      Then make sure ALL windows are closed except HijackThis and hit the "Fix checked" button.

      Now, let's set XP to show all files:

        1. Close all programs so that you are at your desktop.
        2. Double-click on the "My Computer" icon.
        3. Select the "Tools" menu and click "Folder Options".
        4. After the new window appears select the "View" tab.
        5. Put a checkmark in the checkbox labeled "Display the contents of system folders".
        6. Under the Hidden files and folders section select the radio button labeled "Show hidden files and folders".
        7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
        8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
        9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
        10. Now your computer is configured to show all hidden files.

      Please print out the following instructions or copy them to Notepad as you will not have internet access from Safe Mode.

      Reboot the computer into Safe Mode. Click here for instructions on how to boot into Safe Mode.

      Next, using Windows Explorer and/or search function, navigate to and delete the following folders marked in bold if they are found to exist -- delete ONLY the part in bold:

      C:\Program Files\Zango

      C:\Program Files\winupdates

      C:\Program Files\NZSearch

      Note: If you use the Search function to find the folders:
      Because XP will not always show you hidden files and folders by default,
      Go to Start > Search and under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"



      * Run ATF Cleaner:
      • Double-click ATF-Cleaner.exe to run the program.
      • Under Main choose: Select All
      • Click the Empty Selected button.
        • If you use Firefox:
          • Click Firefox at the top and choose: Select All
          • Click the Empty Selected button.
          • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        • If you use Opera:
          • Click Opera at the top and choose: Select All
          • Click the Empty Selected button.
          • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      • Click Exit on the Main menu to close the program.


      * Run ewido.
    • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    • Click on scanner
    • Click on Settings
      • Under "How to scan" all boxes should be selected
      • Under "Possibly unwanted software" all boxes should be selected
      • Under "What to scan" select scan every file
      • Click OK
    • Click on Complete system scan
    • Let the program scan the machine
    • If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

      Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
    • Click Save report
    • Save the report to your desktop
    • Exit ewido

    Now, reboot back to Normal Mode.

    Go here and download the latest version of java.

    * Run ActiveScan online virus scan here

    When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

    Note: You have to use Internet Explorer to do the online scan.

    Run HijackThis again, save a logfile, and paste it back here along with the results from ActiveScan and the report from ewido

    Note: Fixing these NetZero entries won't remove the NZ programs, just the little search hijacks.
     
  10. InfernoReaper

    InfernoReaper Thread Starter

    Joined:
    Jun 12, 2006
    Messages:
    1,321
    I'm gonna cry
    I've already done most of this once!!!
     
  11. InfernoReaper

    InfernoReaper Thread Starter

    Joined:
    Jun 12, 2006
    Messages:
    1,321
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 3:04:39 AM 7/31/2006

    + Scan result:



    C:\Program Files\BearShare\BearShareZangoInstaller.exe/clientax.dll -> Adware.180Solutions : No action taken.
    C:\WINDOWS\SYSTEM32\h20qlcd51f0.dll -> Adware.Look2Me : No action taken.
    C:\WINDOWS\SYSTEM32\hrps0577e.dll -> Adware.Look2Me : No action taken.
    C:\WINDOWS\SYSTEM32\mhcpxl32.dLL -> Adware.Look2Me : No action taken.
    C:\Documents and Settings\Zach Burkholder\Cookies\zach [email protected][2].txt -> TrackingCookie.Reliablestats : No action taken.
    C:\Documents and Settings\Zach Burkholder\Cookies\zach [email protected][1].txt -> TrackingCookie.Searchingbooth : No action taken.
    C:\Documents and Settings\Zach Burkholder\Cookies\zach [email protected][2].txt -> TrackingCookie.Statcounter : No action taken.
    C:\WINDOWS\SYSTEM32\winzdn32.dll -> Trojan.Agent.vg : No action taken.


    ::Report end

    ---------------------------------------------------------------------------
    ActiveScan

    Incident Status Location

    Adware:adware/swimsuitnetwork Not disinfected c:\windows\system32\MYDLL.dll
    Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyGlobalSearch
    Adware:adware/savenow Not disinfected Windows Registry
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\svchostsys\sysid.exe
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Zach Burkholder\Cookies\zach [email protected][1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Zach Burkholder\Cookies\zach [email protected][2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Zach Burkholder\Cookies\zach [email protected][1].txt
    Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Zach Burkholder\My Documents\Computer Services\DivXInstaller.exe[²ÜÇ\DivXConnectionTester.exe][²ÜÇ\System.dll]
    Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Zach Burkholder\My Documents\Computer Services\DivXInstaller.exe[²òÇ\Google\Firefox\ffinstaller.exe][²ÜÇ\System.dll]
    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyGlobalSearch\bar\1.bin\M9PLUGIN.DLL
    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL
    Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\SYSTEM32\VSL05.exe[VSL.dl_]
    Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\SYSTEM32\VSL05.exe[auxe.exe]
    Virus:Trj/Downloader.ILI Disinfected C:\WINDOWS\SYSTEM32\w4bd6a56.dll
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\WmFjaCBCdXJraG9sZGVy\qAI3uF1FxrLOu36Pt3pV.vbs
    -------------------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 4:15:53 AM, on 7/31/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\SYSTEM32\Brmfrmps.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\AOL\1148064301\ee\AOLSoftware.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\Program Files\WinCustomize\CursorXP.exe
    C:\Program Files\Brother\Brmfcmon\brmfcwnd.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.musicmatch.com/download...&OEM=DELL&did=999996965&version=9.00.2053DELL
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148064301\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\WinCustomize\CursorXP.exe
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero7\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
    O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
     
  12. InfernoReaper

    InfernoReaper Thread Starter

    Joined:
    Jun 12, 2006
    Messages:
    1,321
  13. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Thank you for the logs. When we finish cleaning up this time I want to recommend some programs that will help keep you from getting reinfected. Your computer is rather unprotected and vulnerable at the moment.

    Open up the Control Panel, choose "Add/Remove Programs", and remove BearShare unless it is BearShare Lite. Here is a link for reference on p2p programs:
    http://p2p.malwareremoval.com/

    Unless you really want this toolbar, I would suggest fixing this line with HijackThis:

    O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)

    Make sure all other windows are closed before hitting "Fix checked".

    Reboot the computer into SafeMode.

    Find and delete the following files/folders marked in bold:

    C:\Program Files\BearShare

    C:\WINDOWS\SYSTEM32\h20qlcd51f0.dll

    C:\WINDOWS\SYSTEM32\hrps0577e.dll

    C:\WINDOWS\SYSTEM32\mhcpxl32.dLL

    C:\Program Files\MyGlobalSearch (if you chose to axe the toolbar)

    Then reboot to Normal Mode, and try to find those files again, just to make sure they're gone.

    The HijackThis log is clean. Are you still having the problem with the "background clicks", or has that stopped?
    Any other problems?
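
An added example, not part of any post in this thread: one way to check a follow-up HijackThis scan against the earlier one and against a helper's fix list. The log excerpts are copied from the posts above; the function names are this example's own, and the section descriptions are the standard HijackThis meanings for the codes seen here.

```python
import re

# A HijackThis entry is "<code> - <detail>"; the code is a section letter plus
# a number (R1, F2, O4, O23, ...). Header and process lines do not match.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")

# Section meanings for the codes that occur in this thread's logs.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "F2": "ini-file autostart (registry-mapped)",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "Run key / Startup folder autostart", "O8": "IE context-menu item",
    "O9": "IE button / Tools menu item", "O16": "ActiveX download",
    "O20": "Winlogon Notify", "O23": "NT service",
}

def parse_log(text):
    """Return the (code, detail) entries of a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare folded.
    return (entry[0], entry[1].casefold())

def diff_logs(before, after):
    """Entries removed from and added to the log between two scans."""
    b = {_key(e): e for e in parse_log(before)}
    a = {_key(e): e for e in parse_log(after)}
    removed = [e for k, e in b.items() if k not in a]
    added = [e for k, e in a.items() if k not in b]
    return removed, added

def still_present(fix_list, after):
    """Lines from a helper's fix list that the follow-up scan still reports."""
    remaining = {_key(e) for e in parse_log(after)}
    return [e for e in parse_log(fix_list) if _key(e) in remaining]

def missing_targets(log):
    """Entries HijackThis annotated '(file missing)': orphaned references."""
    return [e for e in parse_log(log) if e[1].endswith("(file missing)")]

# Excerpt of the first log (post 5).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Zango\zango.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
"""

# Excerpt of the lines the helper asked to have fixed (post 9).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
"""

# Excerpt of the follow-up log (post 11).
AFTER = r"""
Logfile of HijackThis v1.99.1
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for label, entries in (("removed", removed), ("added", added),
                           ("fix list still present", still_present(FIX_LIST, AFTER)),
                           ("file missing", missing_targets(AFTER))):
        print(f"{label}:")
        for code, detail in entries:
            print(f"  {code} [{SECTIONS.get(code, 'other')}] {detail}")
```

A log that passes this check only shows that the listed autostart and browser entries are gone; files found by a scanner that never appeared in the log, such as the DLLs in the ewido report, are not covered by it.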
     
  14. InfernoReaper

    InfernoReaper Thread Starter

    Joined:
    Jun 12, 2006
    Messages:
    1,321
    So far so good, with no "clicks" for a while.
    EDIT: The clicks still happen, but not as much.
    Also, I was not able to find any of the c:\WINDOWS\SYSTEM32\...... files on my computer.

    I do have another problem:
    WinAntiVirus 2006 keeps popping up.

    Can you recommend how to get rid of it?
    (Actually it hasn't popped up so far, so it might have been deleted off the system in the cleaning.)
    EDIT: They are back
     
  15. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    I would like to check and see if you have a new Vundo infection that hides itself from HijackThis.

    Please rename HijackThis.exe to VundoThis.exe
    by right-clicking on HijackThis.exe and selecting Rename.

    Restart the computer.

    Scan again with HJT (VundoThis) and post a new log file.

    P.S. I am glad to see an antivirus program running now. I will let you know of some other good protection programs in a bit.
     
Short URL to this thread: https://techguy.org/486327
