Solved

Windows error service: Spyware? Virus?

Posted on 2004-05-02
31
8,841 Views
Last Modified: 2008-02-01
Hi,

I recently started getting an error message:

Title: Windows error service
Message: Windows detected Spyware on your computer. Download free spyware scanner & Remover.

Theres an OK and CANCEL button, i have not up until now clicked on the "OK" button because i have a feeling it is not an original windows error message. It pops up occasionally.

Can someone tell me what it's about and is it a legal message? Could it be a potential virus of some kind? If so how can i get rid of it or find it's executing source on my PC?

Thanks,
Zephyr__

0
Comment
Question by:Ravi Singh
  • 11
  • 11
  • 7
  • +2
31 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 25 total points
Comment Utility
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
Download HijackThis from here, run it and Post the Log File here:
http://www.softpedia.com/public/cat/10/17/10-17-69.shtml
0
 
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 25 total points
Comment Utility
Windows on its own usually doesn't throw these kind of errors so...

Check for adware and sypware all are free except Spycop: http://www.spycop.com/

Also use SpyBot and AdAware in tandem. Neither is 100% accurate but the two of them together get pretty close to 100% accuracy.

spybot here
http://www.safer-networking.org/
Download
http://spybot.safer-networking.de/index.php?lang=en&page=download

AdAware
http://www.lavasoftusa.com/

Not Free
Spycop:
http://www.spycop.com/
==========================

Could be a Broweser high jacker behind the problem

This little didy will get rid of some of the more well known Home page Hijackers.
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html
here is a description of what it does
http://www.softpedia.com/public/cat/10/17/10-17-143.shtml
Features:

· Redirections to CoolWebSearch related pages
· Redirections when mistyping URLs
· Redirections when visiting Google
· Enormous IE slowdowns when typing
· IE start page/search page changing on reboot
· Sites in the IE Trusted Zone you didn't add
· Popups in Google and Yahoo when searching
· Errors at startup mentioning WIN.INI or IEDLL.EXE
· Unable to change or see certain items in IE Options
· Unable to access IE Options at all

download here
http://www.spychecker.com/download/download_coolwebshredder.html
----------------------------------

Could be a Broweser high jacker behind the problem
Hijack This and BHODemon and Browser Hijack Blaster

Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at TomCoyote.org.

http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon http://www.spywareinfo.com/downloads/bhod/ | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

Browser Hijack Blaster http://www.wilderssecurity.net/bhblaster.html | Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenver one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.
=======================

General and overall information about Spy/Adware
http://www.cexx.org/adware.htm
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
>>>Theres an OK and CANCEL button, i have not up until now clicked on the "OK" button because i have a feeling it is not an original windows error message. It pops up occasionally.

Very wise not to click the OK button like you said it doesn't appear to be legit Windows message. Perhaps it is coming from a web site you are visiting or something go installed on your system. Are you using Kaaza, if so then that is probably the culprit.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
CrazyOne, can u plzz have a look at this question >> http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20975227.html

Either im not getting what he is asking, or he is not getting what im telling :-\
0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
Logfile of HijackThis v1.97.7
Scan saved at 19:22:29, on 02/05/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\drivers\csrss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Winterbottom\Desktop\hijackthis1977\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://svcs.microsoft.com/svcs/mms/addin.asp?Plcid=0409&Version=4.7&CLCID=0409&BrandID=WindowsMessenger&Country=UK
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O15 - Trusted Zone: http://*.flingstone.com
O15 - Trusted Zone: http://*.mt-download.com
O15 - Trusted Zone: http://*.xxxtoolbar.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.exe?url=http://66.117.38.54:80/dexGB562.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A23A6ED3-B9A1-44A8-9C9B-CD052DDBD006}: NameServer = 62.241.160.200 158.43.240.3

0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
At the moment there are about 4 people sharing my pc with me, ive asked them and one of them actually said it could have been him who accidentally downloaded something from the internet yesterday. Is there anyway of seeing what files were opened yesterday (1/05/2004)

0
 
LVL 7

Expert Comment

by:rhrowson
Comment Utility
Turn on the Firewall and only allow the services you need
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
This one looks fishy O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Not sure about this one HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

adn these two also look suspisious to me :-\
0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
When the message pops up i click on ctrl+alt+delete click on the process for the message and services.exe in the process tab.

Is this of any help
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
> O15 - Trusted Zone: http://*.flingstone.com
> O15 - Trusted Zone: http://*.mt-download.com
> O15 - Trusted Zone: http://*.xxxtoolbar.com


Have u added these sites to Trusted Zones urself ??
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
> O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

And im sure this is that entry :)

Right Crazy ??
0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
sorry that wasnt clear,

when i right click on the process it gives an option saying "go to process", when i click that it highlights the "services.exe" file in the processes tab.
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
Them sites were'nt added by me, it might have been one of my flat mates.
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
How many services.exe do you see listed? There is a legit services.exe but it doesn't run from this folder "C:\WINDOWS\system32\inetsrv\services.exe" it runs from the "C:\WINDOWS\system32\" folder
0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
i deleted the services.exe from

"C:\WINDOWS\system32\inetsrv\services.exe"

but the message still seems to pop up
0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
Ok now when i check the process it takes me to the csrss.exe
0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
in the windows task manager there are two processes named csrss.exe
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O15 - Trusted Zone: http://*.flingstone.com
O15 - Trusted Zone: http://*.mt-download.com
O15 - Trusted Zone: http://*.xxxtoolbar.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.exe?url=http://66.117.38.54:80/dexGB562.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
 

Run hijacthis, check these entries, and click on FIX
reboot the amchine and now check for the problem.
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Ok end one of the csrss.exe. If your system doesn't complain about the one you killed then go to C:\WINDOWS\system32\drivers\ and delete csrss.exe
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Actually you should really run an antivirus scanner and AdAware/Spybot.
0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
Hi,


O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe


I used HiJackThis to fix these files, restarted pc and same error happens. I also deleted these files manually myself but when i restart the pc they come back! And when i run the sysconfig utility both of them files are selected on startup. when i untick them and restart they seem to appear again as selected.

Could it be another file which is somehow generating these two files?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
Downlaod these softwares and scan the system with them !!

AdAware==> http://www.webattack.com/download/dladaware.shtml
SpyBot ==> http://www.webattack.com/download/dlspybot.shtml
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
and run them in safemode !!
0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
Hi SheharyaarSaahil,

I scanned the computer using the software your recommended and i also allowed the software to fix any problems it found. But still i seem to get the error message.

Any more ideas?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
run hijackthis again, and post the log here !!
0
 
LVL 18

Author Comment

by:Ravi Singh
Comment Utility
Hi SheharyaarSaahil,


I seem to have got ridden of the message, i'm assuming one of the programs you recommended must have done it some how! I'm not sure what caused the error or exactly which software did the trick. Anyway thanks for your patience and help, appreciated.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
that's good :)

!! HAVE A NICE TIME !!
0
 

Expert Comment

by:dew100
Comment Utility
Logfile of HijackThis v1.97.7
Scan saved at 11:54:54 PM, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\drivers\csrss.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\system32\arpa.exe
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\WINDOWS\system32\arpa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\cleaner.exe
C:\WINDOWS\cleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\LocalService\Application Data\laeb.exe
C:\WINDOWS\System32\hza.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\tlryo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\Old HDD\My Documents\DOC's\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tbaytel.net/templates/main_template.asp?section_id=3&page_id=3
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6CFA4B7D-E868-29CF-8652-10550CA5286B} - C:\WINDOWS\System32\xhobome.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://*.flingstone.com
O15 - Trusted Zone: http://*.mt-download.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1089154018877
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.375150463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{083BA8C2-77A8-4E8E-9AA4-2B7D4BCB0986}: NameServer = 216.211.26.14 216.211.26.15


Spy Sweeper got Purity Scan, go2net.com which always show up----Spybot got Purity
 and DSO Exploit but couldnot fix Exploit---Webshredder was clean ---Stinger clean too
But on deleteing cookies  and temporary internet files a DATFile 48K would not delete
it was being used by another person or program-- so far the sme popup show but the Explorer initialization error doesnot--  what is next
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Are you unable to synchronize your OST (Offline Storage Table) file with Microsoft Exchange Server? Is your OST file exceeding 2 GB size limit? In Microsoft Outlook 2002 and earlier versions, there is a 2 GB size limit for the OST file. If the file …
Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now