FLYING SE7EN Posted June 26, 2004

My computer at my house is freakin spyware central. I update and run Ad Aware daily, and there are always over 100 items that need to be deleted!!! I also run SpyBot and that finds even more. I've installed all of MS's updates to IE and the Google toolbar and I still get popups galore! My browser is getting hijacked and the homepage changed and now I'm getting popups on my f-ing desktop!!!! Anyone have any ideas on what I can do?? BTW, I have cable highspeed going through a firewalled D-Link router.

J.

JoeyN Posted June 26, 2004

Do you have Zone Alarm running? I have it running and when a new program tries to go outbound a pop up comes up and you can block it.

capt

Romier S Posted June 26, 2004

> Do you have Zone Alarm running?

I doubt it Joey:

> I have cable highspeed going through a firewalled D-Link router.

Firewalled Router etc...

JoeyN Posted June 26, 2004

I have Zone Alarm and the Router as the Router only stops incoming

capt

foogledricks Posted June 26, 2004

Download ZoneAlarm for free right now. It alerts you whenever a program tries to access the internet, and is your second line of defense should a trojan make it to your computer.

Just last night some program tried to access the internet. I stopped it with ZoneAlarm. Removed the process. Googled the file. Found out what it was. And then took steps to remove it. I would never have known if ZoneAlarm wasn't running.

http://download.zonelabs.com/bin/free/1012..._50_590_043.exe

FLYING SE7EN Posted June 26, 2004

When I had Zone Alarm running, it was messing up my ability to get connected. Even with it not running, it was keeping me from being able to use my ftp software and running Norton LiveUpdate so I had to uninstall it. How do you configure it with a router???

JoeyN Posted June 26, 2004

The newer versions were made to work better with routers

capt

Robot Monkey Posted June 26, 2004

Two things:

1. Like the others suggested, run a firewall. I use McAfee Personal Firewall and don't have any connection or configuration problems.
2. Use Spybot 1.3. It's free and will catch a bunch of stuff that AdAware misses. You can still use AdAware.

-j

Romier S Posted June 26, 2004

> I have Zone Alarm and the Router as the Router only stops incoming

I know, he just never mentioned ZA which is why I noted the router Joey.

> Even with it not running, it was keeping me from being able to use my ftp software and running Norton LiveUpdate so I had to uninstall it.

Are you sure you had the proper permissions set in ZA? ZA can be terribly finicky if it has certain programs set in its block list etc.

The Spybot and Adaware solutions are both good but sometimes they do not detect "installed" programs that could be running in the background on your system. You may want to run through your add/remove program control panel and remove any misc. programs that you do not recognize. If your home page is being hijacked I'm fairly certain you have some kind of redirect Malware on the system like "Incredifind" etc. that embeds itself into your registry and well those things are a BITCH to remove.

Might I also recommend a program called "Hijack This". Run a scan and post the logs on here and we can see what you've got running. May give us a bit more info with which to help you.

Chris F Posted June 26, 2004

I use the following:

Ad-Aware - http://www.lavasoftusa.com/
Spybot S&D - http://www.safer-networking.org/index.php?page=download
HijackThis - http://tomcoyote.com/hjt/

With this combination I've never gotten infected with spyware or adware of any sort. Your best bet though is to be extremely careful when installing software, and do a little research on the programs before you install them. Try here for starters. http://www.spywareguide.com/

blackcalx Posted June 26, 2004

I feel your pain, sir. My wife's computer suddenly became a hotbed of spyware. The Google toolbar would disappear to be replaced by one of several free search tools. Everything was hijacked from the Google home page to the Windows Update page. Ad-Aware would catch well over 150 new items every day and SpyBot would catch a few more. The problem is that neither of them could get rid of it all. I was getting constant pop ups and the files that were running the show were running as several hidden services so I could never completely disable them, terminate them, or delete them. To this day I still don't know how she got it all as I know she's as careful as I am with file attachments and downloads.

Sadly, the only thing I could do in the end was to back up the important stuff and reformat the computer. I fought it for two months and just couldn't deal with it any more.

EDIT: I should also note that I used SpyBot, Ad-Aware, HijackThis and a number of other tools to attempt to remove the spyware, but I was unsuccessful.

Romier S Posted June 26, 2004

Again guys please keep in mind that Flying Seven is already using Adaware and Spybot on his computer. He noted that he is updating them daily and still receiving tons of popups and more spyware related problems. Hijack This is going to be able to tell us what the root of the problem is, not a bandaid for it.

fishepa Posted June 26, 2004

I have a suggestion, don't use IE. :green:

Romier S Posted June 26, 2004

> I have a suggestion, don't use IE

Can't argue with that. :tu:

Robot Monkey Posted June 26, 2004

> Originally posted by FutureVoid@Jun 26 2004, 11:06 AM
> Again guys please keep in mind that Flying Seven is already using Adaware and Spybot on his computer.

Whoops, I missed that; I thought he was just using AdAware. But like Romier and others suggested, get a personal firewall running.

-j

kelley Posted June 26, 2004

I have another suggestion....don't use Windows

But seriously, I think everyone so far has offered you some great advice.

JoeyN Posted June 26, 2004

Since someone suggested not using IE, use a browser like Mozilla (mozilla.org) which has the built-in pop up blocker.

FLYING SE7EN Posted June 26, 2004

O.K., I've downloaded and installed ZoneAlarm and Hijack this. All of my programs are working. Here is the Hijackthis log.

Logfile of HijackThis v1.97.7
Scan saved at 4:02:48 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\uickTimeVRQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Preferred Customer\My Documents\My Downloaded stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.0.15:21;http=192.168.0.15:80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Preferred Customer\Application Data\Mozilla\Profiles\default\zxxiw9e2.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Sfr88l14.exe
O4 - HKLM\..\Run: [bRAWHjpX.exe] C:\documents and settings\preferred customer\local settings\temp\BRAWHjpX.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [uickTimeVRQ] C:\WINDOWS\System32\uickTimeVRQ.exe
O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [bwtmRibtX] igf3d95.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/27812d0bc6a3a22c0a15/netzip/RdxIE2.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.21/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qba.webex.com/client/v_intuit/support/ieatgpc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...339/mcfscan.cab

What do you think?

FLYING SE7EN Posted June 26, 2004

> If your home page is being hijacked I'm fairly certain you have some kind of redirect Malware on the system like "Incredifind" etc. that embeds itself into your registry and well those things are a BITCH to remove.

I have a folder for incredifind in the program folder on my C drive. Inside is a BHO (Browser helper object I think). If I delete the folder, will I be ok or should I clean the registry???

blackcalx Posted June 26, 2004

> Originally posted by FLYING SE7EN@Jun 26 2004, 01:46 PM
> I have a folder for incredifind in the program folder on my C drive. Inside is a BHO (Browser helper object I think). If I delete the folder, will I be ok or should I clean the registry???

You should try to do both. I had several folders appear on my wife's computer and no matter how many times I deleted the folders they always came back. In some cases I was unable to delete the folders because it said that they were in use. This was because I had several processes running that were locking things down. I wasn't even able to terminate the processes.

Graeme Posted June 27, 2004

One thing to remember with Adaware and Spybot (which I haven't used much), 100 files is nothing since it's going to find all your cookies too. I just scanned and got 116 files, but every one of them was a cookie.

What I've been doing lately is regularly checking my registry to see what is being loaded at boot, and if I don't know what it is, I'll delete it. A little dangerous perhaps, but I haven't had any problems so far, and if I'm really unsure what it is, a little searching on the internet usually turns something up... especially if it is spyware.

Looking at what is running in your reg, two jumped out at me, for whatever reason, dp-him.exe and uicktimevrq. Uicktime I'm not sure about, but just about every link on google for dp-him.exe is to a forum with people posting Hijack logs, and dp-him looks to be a recommended deletion. I can't find out what it actually is though.

scobeto Posted June 27, 2004

My PC was so riddled with spy/adware that I just reformatted the HDD. I seemed to have more problems after I installed adaware and spybot than I did before I was using them, i.e. more pop-ups, toolbars, icons randomly appearing on my desktop, etc.

FLYING SE7EN Posted June 27, 2004

Well after some intense cleaning, I think I've purged most of it. I've deleted a lot of shit and I hope it doesn't come back to bite me in the ass. Most of the stuff I found using a combination of all of the apps. I used the program access section of Zone Alarm to find out that a program called KERN32 kept trying to access the internet through several different .exe files. Then I used task manager to see which ones were running. I denied access to the files and then started to end the processes. As soon as I ended the process, ZA would put up a box saying that the program was trying to access the internet, presumably to call home.

These executables were a bitch to get off the computer. All of them were in the Windows/System 32 folder. When you try to delete them, you get a warning that it is a system file and deleting it could cause problems. I guess that's why they install them here, to make you afraid to delete them. Here is a list of the ones I have deleted:

Bewls09.exe
DozNu4.exe
Ows1B4.exe
QvaU5uFJ.exe
Yfl8.exe
Cpc5X.exe
FpwW2mn.exe
Sfr88l14.exe
YkgT.exe

That last one was a real bitch. It would restart as soon as I ended the process! Finally I got it deleted.

Here is my latest HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:13:49 AM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Preferred Customer\My Documents\My Downloaded stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.0.15:21;http=192.168.0.15:80
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Preferred Customer\Application Data\Mozilla\Profiles\default\zxxiw9e2.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [bwtmRibtX] igf3d95.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qba.webex.com/client/v_intuit/support/ieatgpc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...339/mcfscan.cab

I've still had my browser homepage jacked, but it takes me to msn.com not the spyware sites so it's better than it was but I still want to find out how it keeps getting changed without my permission. BTW, I use about:blank as my homepage.

Thanks.

J,

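Added example, not part of any post in this thread: one way to compare the registry autostart (O4 Run) entries of two HijackThis logs and flag the entries still present that deserve a manual look. The log excerpts are copied from the two logs posted above; the function names and the three heuristics (rundll32 launcher, bare filename, Temp directory) are assumptions of this example and are triage hints, not verdicts.

```python
import re
from typing import NamedTuple

# Registry autostart (O4) lines excerpted from the two HijackThis logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Sfr88l14.exe
O4 - HKLM\..\Run: [bRAWHjpX.exe] C:\documents and settings\preferred customer\local settings\temp\BRAWHjpX.exe
O4 - HKLM\..\Run: [uickTimeVRQ] C:\WINDOWS\System32\uickTimeVRQ.exe
O4 - HKCU\..\Run: [bwtmRibtX] igf3d95.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [bwtmRibtX] igf3d95.exe
"""

# Matches "O4 - HKLM\..\Run: [value name] command line"; Startup-folder lines are skipped.
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


class Autostart(NamedTuple):
    hive: str
    key: str
    name: str
    command: str


def parse_o4(log):
    """Return the registry Run entries found in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append(Autostart(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def executable(command):
    """Program part of a Run value: the quoted token, else text up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r".+?\.exe\b", command, re.IGNORECASE)
    return m.group(0) if m else command


def flags(entry):
    """Path-based triage hints for one autostart entry."""
    exe = executable(entry.command).lower()
    found = []
    if exe.rsplit("\\", 1)[-1] == "rundll32.exe":
        found.append("rundll32-loader")  # the code that runs is the DLL argument
    elif "\\" not in exe:
        found.append("bare-filename")    # no path: resolved through the search path
    if "\\temp\\" in exe:
        found.append("temp-dir")         # autostart from a temporary directory
    return found


def triage(log):
    """Map value name -> hints, for entries with at least one hint."""
    return {e.name: f for e in parse_o4(log) if (f := flags(e))}


def removed(before, after):
    """Value names present in the first log and gone from the second."""
    kept = {(e.hive, e.name) for e in parse_o4(after)}
    return [e.name for e in parse_o4(before) if (e.hive, e.name) not in kept]
```

The System32 entries with full paths (dp-him.exe, Sfr88l14.exe) trip none of the path hints, so the before/after diff is what shows they were removed; the hints only narrow down what is still registered.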
Romier S Posted June 27, 2004

Hey man,

Give this a shot. It's step by step instructions on how to get "Incredifind" off of your system. Like I said...it's a bitch.

http://www.kephyr.com/spywarescanner/libra...ind/index.phtml

FLYING SE7EN Posted June 27, 2004

Thanks for the link. Looks like I already deleted it, because I couldn't find any of the registry entries on my system.

Thanks.

J.