1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

problem with re-occuring WindUpdates/SpyBuddy1.9.1 ?

Discussion in 'Virus & Other Malware Removal' started by lee s, Jan 31, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. lee s

    lee s Thread Starter

    Joined:
    Jan 31, 2005
    Messages:
    8
    Hi Guys,

    I hope you can help, I've tried to fix this myself but problem keeps coming back. I've used SpyBot S&D, Ad-Aware SE and the latest is PestPatrol.

    The item in question is located in registry key :
    15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6

    PestPatrol lists this as SpyBuddy 1.9.1
    Has it as a key logger
    Written by ExploreAnywhereSoftware

    Ad-Aware shows up the same registry key
    WindUpdates
    Malware

    Ad-Aware and PestPatrol appear to be able to remove the entry. Only problem is on re-boot it comes back. I've done a scan around the internet to no avail.

    I've posted my HiJackThis log below and fingers crossed you can help me out. Thanks in advance
    Lee

    Logfile of HijackThis v1.99.0
    Scan saved at 20:40:18, on 31/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\PESTPA~1\pestpatrol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Opera7\opera.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Documents and Settings\Lee Sinclair\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Kodak EasyShare software.lnk.disabled
    O4 - Global Startup: Kodak software updater.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Blackjack -
    O16 - DPF: Yahoo! Pool 2 -
    O16 - DPF: {00000045-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
    O16 - DPF: {0A77F16C-2B1B-4133-BA25-3572133147F5} (AccessFormX Control) - http://configurator.apcc.com/products/powerstruxure/configurator/webtest/APCACC.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {4571C6A3-CB9E-11D0-BDE2-0000F4B02CED} (Cincom Rich Client) -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} -
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} -
    O16 - DPF: {6A3C569A-059D-4E5C-8505-815773AD02DA} -
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} -
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} -
    O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_05) -
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
    O16 - DPF: {B5ED2DB1-5728-4355-94F0-4A1C856B88F2} -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.1_01) -
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} -
    O16 - DPF: {DDF10EBB-ADF5-4A2E-8441-3C5D0D701A3B} -
    O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} -
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} -
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?316
    O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} -
    O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} -
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
    O23 - Service: Cofsltkt - CMD Technology, Inc. - (no file)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi lee s, Welcome to TSG!! :)


    Run HJT again and put a check in the following:

    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
    O16 - DPF: {00000045-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {4571C6A3-CB9E-11D0-BDE2-0000F4B02CED} (Cincom Rich Client) -
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} -
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} -
    O16 - DPF: {6A3C569A-059D-4E5C-8505-815773AD02DA} -
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} -
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} -
    O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_05) -
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
    O16 - DPF: {B5ED2DB1-5728-4355-94F0-4A1C856B88F2} -
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} -
    O16 - DPF: {DDF10EBB-ADF5-4A2E-8441-3C5D0D701A3B} -
    O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} -
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} -
    O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} -
    O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} -
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
    O23 - Service: Cofsltkt - CMD Technology, Inc. - (no file)

    Close all applications and browser windows before you click "fix checked".
     
  3. lee s

    lee s Thread Starter

    Joined:
    Jan 31, 2005
    Messages:
    8
    Hi Cybertech,

    Ok went through carefully and did what you said. Made sure all other apps were closed when I clicked fix checked.

    After re-scanning a second time I get the following :

    Logfile of HijackThis v1.99.0
    Scan saved at 21:26:06, on 31/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Lee Sinclair\Desktop\HijackThis.exe
    C:\Program Files\Opera7\opera.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Kodak EasyShare software.lnk.disabled
    O4 - Global Startup: Kodak software updater.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Blackjack -
    O16 - DPF: Yahoo! Pool 2 -
    O16 - DPF: {0A77F16C-2B1B-4133-BA25-3572133147F5} (AccessFormX Control) - http://configurator.apcc.com/products/powerstruxure/configurator/webtest/APCACC.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.1_01) -
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?316
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O23 - Service: Cofsltkt - CMD Technology, Inc. - (no file)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


    I re-ran PestPatrol and appears to have gone away now .... that is until I rebooted and it seems to be back in the registry again.

    Here's the HJT log after I rebooted ..

    Logfile of HijackThis v1.99.0
    Scan saved at 21:31:49, on 31/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Documents and Settings\Lee Sinclair\Desktop\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Kodak EasyShare software.lnk.disabled
    O4 - Global Startup: Kodak software updater.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Blackjack -
    O16 - DPF: Yahoo! Pool 2 -
    O16 - DPF: {00000045-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
    O16 - DPF: {0A77F16C-2B1B-4133-BA25-3572133147F5} (AccessFormX Control) - http://configurator.apcc.com/products/powerstruxure/configurator/webtest/APCACC.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {4571C6A3-CB9E-11D0-BDE2-0000F4B02CED} -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} -
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} -
    O16 - DPF: {6A3C569A-059D-4E5C-8505-815773AD02DA} -
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} -
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} -
    O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
    O16 - DPF: {B5ED2DB1-5728-4355-94F0-4A1C856B88F2} -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.1_01) -
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} -
    O16 - DPF: {DDF10EBB-ADF5-4A2E-8441-3C5D0D701A3B} -
    O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} -
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} -
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?316
    O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} -
    O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} -
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
    O23 - Service: Cofsltkt - CMD Technology, Inc. - (no file)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



    Any ideas ?
    Thanks in advance
    Lee
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Go to C:\WINDOWS\Downloaded Program Files, Right click on each item, go to properties and if it matches one in the list to remove delete it.

    Let me know how that works.
     
  5. lee s

    lee s Thread Starter

    Joined:
    Jan 31, 2005
    Messages:
    8
    Hiya Cybertech,

    Ok - went through that, there's only a handful of programs in that directory and none of them unforunately match the list you said to mark and fix.

    Any other things that I should check for ?

    Thanks for your help so far
    Lee
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Any other users on this machine?
     
  7. lee s

    lee s Thread Starter

    Joined:
    Jan 31, 2005
    Messages:
    8
    Hi Cybertech

    Nope - just myself and the family, but we don't use separate logons.
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open a command prompt window, Start, Programs, Accessories, command prompt. Once in the window type the following and press enter
    cd\windows\downloaded program files
    That should put you in the directory. Next type dir and press enter.
    What does that show?
     
  9. lee s

    lee s Thread Starter

    Joined:
    Jan 31, 2005
    Messages:
    8
    Now this is weird !

    If I use Windows Explorer I can see the Downloaded Program Files directory within C:\windows

    If I go to DOS prompt and go into Windows (cd \ windows) directory and type
    dir d*.
    to bring up a list of subdirectories beginning with the letter D the Downloaded Program Files directory doesn't appear !!

    I've checked the properties for this directory in Windows Explorer and it isn't a hidden directory.

    In Windows Explorer it shows the normal folder icon for this directory but unlike the rest there is a small 'Internet Explorer e' in the middle of it - don't know if this has some bearing on it.


    Anyway, within Windows Explorer the directory listing is as follows :

    Java Runtime Environment 1.4.2
    Shockwave ActiveX Control
    EPUImageControl Class
    Windows Genuine Advantage Validation Tool
    Shockwave Flash Object
    QDiagHUpdateObj Class
    YAddBook Class
    MSN Chat Control 4.5
    AccessFormX Control
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I can't see my directory using that command in dos either, but if you move to the directory you'll get there.
     
  11. lee s

    lee s Thread Starter

    Joined:
    Jan 31, 2005
    Messages:
    8
    ok managed to do it by going

    cd \windows\downlo~1

    (limitations with dos and more than 8 character file/directory names)

    here's the directory contents :

    Volume in drive C has no label.
    Volume Serial Number is 2837-3EBC

    Directory of C:\WINDOWS\DOWNLO~1

    20/01/2005 13:12 23,552 AdStatServX.dll
    21/01/2003 14:50 171,520 APCACC.OCX
    05/12/2004 09:31 <DIR> CONFLICT.1
    05/12/2004 09:32 <DIR> CONFLICT.2
    05/12/2004 09:32 <DIR> CONFLICT.3
    12/11/2004 15:01 968,272 EPUWALcontrol.dll
    04/11/2004 17:26 539 EPUWALcontrol.inf
    11/03/2004 11:35 1,271 erma.inf
    05/01/2004 09:37 468,696 GrooveAX.dll
    04/12/2003 20:08 789 HDPlugin1015.inf
    15/06/2004 15:15 315,392 Install.dll
    19/09/2003 15:58 819 kdx.inf
    08/09/2004 08:07 319,752 LegitCheckControl.DLL
    03/09/2004 09:54 493 LegitCheckControl.inf
    18/06/2003 17:01 691 McGDMgr.inf
    09/03/2004 14:08 678 mcinsctl.inf
    20/01/2000 14:25 1,162 Microsoft XML Parser for Java.osd
    18/09/2003 19:36 32,768 MsnChat40en-us.dll
    16/05/2003 16:33 278 MsnChat45.inf
    16/05/2003 16:33 457,288 MSNChat45.ocx
    17/02/2004 16:52 728 qdiagh.inf
    22/09/2003 22:23 8,408,472 QuickTimeInstallCache.qdat
    08/12/2003 12:58 3,759 swflash.inf
    20 File(s) 11,176,919 bytes
    3 Dir(s) 7,458,852,864 bytes free
     
  12. lee s

    lee s Thread Starter

    Joined:
    Jan 31, 2005
    Messages:
    8
    Cybertech

    so is it the following file that could be the problem ??

    20/01/2005 13:12 23,552 AdStatServX.dll
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Yes, I would delete that file.

    Also be sure to look in those conflict.1 2 and 3 folders to see what's hiding in there.
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  15. lee s

    lee s Thread Starter

    Joined:
    Jan 31, 2005
    Messages:
    8
    Hi Cybertech,

    Not sure if you have any other ideas at this point .. I've deleted all the items in the directory and re-booted. The problem still exists on reboot - and c:\windows\downloaded program files is completely empty now.
    I've deleted the subdirectories as well - there was nothing in them anyway !

    Where else do you think it is worth looking to see how its re-installing itself back into the registry each time ?

    A bit of a stab in the dark .. but can you write protect the registry to stop items being added - hopefully causing an error message when the spy software tries to do it business and maybe revealing what it is ?

    Lee
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/325392

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice