problem with re-occuring WindUpdates/SpyBuddy1.9.1 ?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

lee s

Thread Starter
Joined
Jan 31, 2005
Messages
8
Hi Guys,

I hope you can help, I've tried to fix this myself but problem keeps coming back. I've used SpyBot S&D, Ad-Aware SE and the latest is PestPatrol.

The item in question is located in registry key :
15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6

PestPatrol lists this as SpyBuddy 1.9.1
Has it as a key logger
Written by ExploreAnywhereSoftware

Ad-Aware shows up the same registry key
WindUpdates
Malware

Ad-Aware and PestPatrol appear to be able to remove the entry. Only problem is on re-boot it comes back. I've done a scan around the internet to no avail.

I've posted my HiJackThis log below and fingers crossed you can help me out. Thanks in advance
Lee

Logfile of HijackThis v1.99.0
Scan saved at 20:40:18, on 31/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PESTPA~1\pestpatrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Lee Sinclair\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack -
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {00000045-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {0A77F16C-2B1B-4133-BA25-3572133147F5} (AccessFormX Control) - http://configurator.apcc.com/products/powerstruxure/configurator/webtest/APCACC.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4571C6A3-CB9E-11D0-BDE2-0000F4B02CED} (Cincom Rich Client) -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} -
O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} -
O16 - DPF: {6A3C569A-059D-4E5C-8505-815773AD02DA} -
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} -
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} -
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_05) -
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {B5ED2DB1-5728-4355-94F0-4A1C856B88F2} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.1_01) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} -
O16 - DPF: {DDF10EBB-ADF5-4A2E-8441-3C5D0D701A3B} -
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?316
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} -
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} -
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O23 - Service: Cofsltkt - CMD Technology, Inc. - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi lee s, Welcome to TSG!! :)


Run HJT again and put a check in the following:

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O16 - DPF: {00000045-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4571C6A3-CB9E-11D0-BDE2-0000F4B02CED} (Cincom Rich Client) -
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} -
O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} -
O16 - DPF: {6A3C569A-059D-4E5C-8505-815773AD02DA} -
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} -
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} -
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_05) -
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {B5ED2DB1-5728-4355-94F0-4A1C856B88F2} -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} -
O16 - DPF: {DDF10EBB-ADF5-4A2E-8441-3C5D0D701A3B} -
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} -
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} -
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} -
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O23 - Service: Cofsltkt - CMD Technology, Inc. - (no file)

Close all applications and browser windows before you click "fix checked".
 

lee s

Thread Starter
Joined
Jan 31, 2005
Messages
8
Hi Cybertech,

Ok went through carefully and did what you said. Made sure all other apps were closed when I clicked fix checked.

After re-scanning a second time I get the following :

Logfile of HijackThis v1.99.0
Scan saved at 21:26:06, on 31/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Lee Sinclair\Desktop\HijackThis.exe
C:\Program Files\Opera7\opera.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack -
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {0A77F16C-2B1B-4133-BA25-3572133147F5} (AccessFormX Control) - http://configurator.apcc.com/products/powerstruxure/configurator/webtest/APCACC.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.1_01) -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?316
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: Cofsltkt - CMD Technology, Inc. - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


I re-ran PestPatrol and appears to have gone away now .... that is until I rebooted and it seems to be back in the registry again.

Here's the HJT log after I rebooted ..

Logfile of HijackThis v1.99.0
Scan saved at 21:31:49, on 31/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Lee Sinclair\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack -
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {00000045-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {0A77F16C-2B1B-4133-BA25-3572133147F5} (AccessFormX Control) - http://configurator.apcc.com/products/powerstruxure/configurator/webtest/APCACC.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4571C6A3-CB9E-11D0-BDE2-0000F4B02CED} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} -
O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} -
O16 - DPF: {6A3C569A-059D-4E5C-8505-815773AD02DA} -
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} -
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} -
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {B5ED2DB1-5728-4355-94F0-4A1C856B88F2} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.1_01) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} -
O16 - DPF: {DDF10EBB-ADF5-4A2E-8441-3C5D0D701A3B} -
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?316
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} -
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} -
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O23 - Service: Cofsltkt - CMD Technology, Inc. - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



Any ideas ?
Thanks in advance
Lee
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Go to C:\WINDOWS\Downloaded Program Files, Right click on each item, go to properties and if it matches one in the list to remove delete it.

Let me know how that works.
 

lee s

Thread Starter
Joined
Jan 31, 2005
Messages
8
Hiya Cybertech,

Ok - went through that, there's only a handful of programs in that directory and none of them unforunately match the list you said to mark and fix.

Any other things that I should check for ?

Thanks for your help so far
Lee
 

lee s

Thread Starter
Joined
Jan 31, 2005
Messages
8
Hi Cybertech

Nope - just myself and the family, but we don't use separate logons.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Open a command prompt window, Start, Programs, Accessories, command prompt. Once in the window type the following and press enter
cd\windows\downloaded program files
That should put you in the directory. Next type dir and press enter.
What does that show?
 

lee s

Thread Starter
Joined
Jan 31, 2005
Messages
8
Now this is weird !

If I use Windows Explorer I can see the Downloaded Program Files directory within C:\windows

If I go to DOS prompt and go into Windows (cd \ windows) directory and type
dir d*.
to bring up a list of subdirectories beginning with the letter D the Downloaded Program Files directory doesn't appear !!

I've checked the properties for this directory in Windows Explorer and it isn't a hidden directory.

In Windows Explorer it shows the normal folder icon for this directory but unlike the rest there is a small 'Internet Explorer e' in the middle of it - don't know if this has some bearing on it.


Anyway, within Windows Explorer the directory listing is as follows :

Java Runtime Environment 1.4.2
Shockwave ActiveX Control
EPUImageControl Class
Windows Genuine Advantage Validation Tool
Shockwave Flash Object
QDiagHUpdateObj Class
YAddBook Class
MSN Chat Control 4.5
AccessFormX Control
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
I can't see my directory using that command in dos either, but if you move to the directory you'll get there.
 

lee s

Thread Starter
Joined
Jan 31, 2005
Messages
8
ok managed to do it by going

cd \windows\downlo~1

(limitations with dos and more than 8 character file/directory names)

here's the directory contents :

Volume in drive C has no label.
Volume Serial Number is 2837-3EBC

Directory of C:\WINDOWS\DOWNLO~1

20/01/2005 13:12 23,552 AdStatServX.dll
21/01/2003 14:50 171,520 APCACC.OCX
05/12/2004 09:31 <DIR> CONFLICT.1
05/12/2004 09:32 <DIR> CONFLICT.2
05/12/2004 09:32 <DIR> CONFLICT.3
12/11/2004 15:01 968,272 EPUWALcontrol.dll
04/11/2004 17:26 539 EPUWALcontrol.inf
11/03/2004 11:35 1,271 erma.inf
05/01/2004 09:37 468,696 GrooveAX.dll
04/12/2003 20:08 789 HDPlugin1015.inf
15/06/2004 15:15 315,392 Install.dll
19/09/2003 15:58 819 kdx.inf
08/09/2004 08:07 319,752 LegitCheckControl.DLL
03/09/2004 09:54 493 LegitCheckControl.inf
18/06/2003 17:01 691 McGDMgr.inf
09/03/2004 14:08 678 mcinsctl.inf
20/01/2000 14:25 1,162 Microsoft XML Parser for Java.osd
18/09/2003 19:36 32,768 MsnChat40en-us.dll
16/05/2003 16:33 278 MsnChat45.inf
16/05/2003 16:33 457,288 MSNChat45.ocx
17/02/2004 16:52 728 qdiagh.inf
22/09/2003 22:23 8,408,472 QuickTimeInstallCache.qdat
08/12/2003 12:58 3,759 swflash.inf
20 File(s) 11,176,919 bytes
3 Dir(s) 7,458,852,864 bytes free
 

lee s

Thread Starter
Joined
Jan 31, 2005
Messages
8
Cybertech

so is it the following file that could be the problem ??

20/01/2005 13:12 23,552 AdStatServX.dll
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Yes, I would delete that file.

Also be sure to look in those conflict.1 2 and 3 folders to see what's hiding in there.
 

lee s

Thread Starter
Joined
Jan 31, 2005
Messages
8
Hi Cybertech,

Not sure if you have any other ideas at this point .. I've deleted all the items in the directory and re-booted. The problem still exists on reboot - and c:\windows\downloaded program files is completely empty now.
I've deleted the subdirectories as well - there was nothing in them anyway !

Where else do you think it is worth looking to see how its re-installing itself back into the registry each time ?

A bit of a stab in the dark .. but can you write protect the registry to stop items being added - hopefully causing an error message when the spy software tries to do it business and maybe revealing what it is ?

Lee
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top