Solved

Windows error service: Spyware? Virus?

Posted on 2004-05-02
31
8,855 Views
Last Modified: 2008-02-01
Hi,

I recently started getting an error message:

Title: Windows error service
Message: Windows detected Spyware on your computer. Download free spyware scanner & Remover.

Theres an OK and CANCEL button, i have not up until now clicked on the "OK" button because i have a feeling it is not an original windows error message. It pops up occasionally.

Can someone tell me what it's about and is it a legal message? Could it be a potential virus of some kind? If so how can i get rid of it or find it's executing source on my PC?

Thanks,
Zephyr__

0
Comment
Question by:Ravi Singh
  • 11
  • 11
  • 7
  • +2
31 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 25 total points
ID: 10972605
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10972609
Download HijackThis from here, run it and Post the Log File here:
http://www.softpedia.com/public/cat/10/17/10-17-69.shtml
0
 
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 25 total points
ID: 10972614
Windows on its own usually doesn't throw these kind of errors so...

Check for adware and sypware all are free except Spycop: http://www.spycop.com/

Also use SpyBot and AdAware in tandem. Neither is 100% accurate but the two of them together get pretty close to 100% accuracy.

spybot here
http://www.safer-networking.org/
Download
http://spybot.safer-networking.de/index.php?lang=en&page=download

AdAware
http://www.lavasoftusa.com/

Not Free
Spycop:
http://www.spycop.com/
==========================

Could be a Broweser high jacker behind the problem

This little didy will get rid of some of the more well known Home page Hijackers.
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html 
here is a description of what it does
http://www.softpedia.com/public/cat/10/17/10-17-143.shtml
Features:

· Redirections to CoolWebSearch related pages
· Redirections when mistyping URLs
· Redirections when visiting Google
· Enormous IE slowdowns when typing
· IE start page/search page changing on reboot
· Sites in the IE Trusted Zone you didn't add
· Popups in Google and Yahoo when searching
· Errors at startup mentioning WIN.INI or IEDLL.EXE
· Unable to change or see certain items in IE Options
· Unable to access IE Options at all

download here
http://www.spychecker.com/download/download_coolwebshredder.html
----------------------------------

Could be a Broweser high jacker behind the problem
Hijack This and BHODemon and Browser Hijack Blaster

Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at TomCoyote.org.

http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon http://www.spywareinfo.com/downloads/bhod/ | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

Browser Hijack Blaster http://www.wilderssecurity.net/bhblaster.html | Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenver one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.
=======================

General and overall information about Spy/Adware
http://www.cexx.org/adware.htm
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 44

Expert Comment

by:CrazyOne
ID: 10972631
>>>Theres an OK and CANCEL button, i have not up until now clicked on the "OK" button because i have a feeling it is not an original windows error message. It pops up occasionally.

Very wise not to click the OK button like you said it doesn't appear to be legit Windows message. Perhaps it is coming from a web site you are visiting or something go installed on your system. Are you using Kaaza, if so then that is probably the culprit.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10972633
CrazyOne, can u plzz have a look at this question >> http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20975227.html

Either im not getting what he is asking, or he is not getting what im telling :-\
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10972671
Logfile of HijackThis v1.97.7
Scan saved at 19:22:29, on 02/05/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\drivers\csrss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Winterbottom\Desktop\hijackthis1977\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://svcs.microsoft.com/svcs/mms/addin.asp?Plcid=0409&Version=4.7&CLCID=0409&BrandID=WindowsMessenger&Country=UK
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O15 - Trusted Zone: http://*.flingstone.com
O15 - Trusted Zone: http://*.mt-download.com
O15 - Trusted Zone: http://*.xxxtoolbar.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.exe?url=http://66.117.38.54:80/dexGB562.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A23A6ED3-B9A1-44A8-9C9B-CD052DDBD006}: NameServer = 62.241.160.200 158.43.240.3

0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10972681
At the moment there are about 4 people sharing my pc with me, ive asked them and one of them actually said it could have been him who accidentally downloaded something from the internet yesterday. Is there anyway of seeing what files were opened yesterday (1/05/2004)

0
 
LVL 7

Expert Comment

by:rhrowson
ID: 10972686
Turn on the Firewall and only allow the services you need
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10972688
This one looks fishy O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10972696
Not sure about this one HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10972699
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

adn these two also look suspisious to me :-\
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10972711
When the message pops up i click on ctrl+alt+delete click on the process for the message and services.exe in the process tab.

Is this of any help
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10972712
> O15 - Trusted Zone: http://*.flingstone.com
> O15 - Trusted Zone: http://*.mt-download.com
> O15 - Trusted Zone: http://*.xxxtoolbar.com


Have u added these sites to Trusted Zones urself ??
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10972719
> O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

And im sure this is that entry :)

Right Crazy ??
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10972723
sorry that wasnt clear,

when i right click on the process it gives an option saying "go to process", when i click that it highlights the "services.exe" file in the processes tab.
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10972727
Them sites were'nt added by me, it might have been one of my flat mates.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10972737
How many services.exe do you see listed? There is a legit services.exe but it doesn't run from this folder "C:\WINDOWS\system32\inetsrv\services.exe" it runs from the "C:\WINDOWS\system32\" folder
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10972744
i deleted the services.exe from

"C:\WINDOWS\system32\inetsrv\services.exe"

but the message still seems to pop up
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10972749
Ok now when i check the process it takes me to the csrss.exe
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10972752
in the windows task manager there are two processes named csrss.exe
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10972760
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O15 - Trusted Zone: http://*.flingstone.com
O15 - Trusted Zone: http://*.mt-download.com
O15 - Trusted Zone: http://*.xxxtoolbar.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.exe?url=http://66.117.38.54:80/dexGB562.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
 

Run hijacthis, check these entries, and click on FIX
reboot the amchine and now check for the problem.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10972785
Ok end one of the csrss.exe. If your system doesn't complain about the one you killed then go to C:\WINDOWS\system32\drivers\ and delete csrss.exe
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10972794
Actually you should really run an antivirus scanner and AdAware/Spybot.
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10972933
Hi,


O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe


I used HiJackThis to fix these files, restarted pc and same error happens. I also deleted these files manually myself but when i restart the pc they come back! And when i run the sysconfig utility both of them files are selected on startup. when i untick them and restart they seem to appear again as selected.

Could it be another file which is somehow generating these two files?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10972948
Downlaod these softwares and scan the system with them !!

AdAware==> http://www.webattack.com/download/dladaware.shtml
SpyBot ==> http://www.webattack.com/download/dlspybot.shtml
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html 
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10972954
and run them in safemode !!
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10973266
Hi SheharyaarSaahil,

I scanned the computer using the software your recommended and i also allowed the software to fix any problems it found. But still i seem to get the error message.

Any more ideas?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10973421
run hijackthis again, and post the log here !!
0
 
LVL 18

Author Comment

by:Ravi Singh
ID: 10973495
Hi SheharyaarSaahil,


I seem to have got ridden of the message, i'm assuming one of the programs you recommended must have done it some how! I'm not sure what caused the error or exactly which software did the trick. Anyway thanks for your patience and help, appreciated.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10973502
that's good :)

!! HAVE A NICE TIME !!
0
 

Expert Comment

by:dew100
ID: 11526344
Logfile of HijackThis v1.97.7
Scan saved at 11:54:54 PM, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\drivers\csrss.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\system32\arpa.exe
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\WINDOWS\system32\arpa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\cleaner.exe
C:\WINDOWS\cleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\LocalService\Application Data\laeb.exe
C:\WINDOWS\System32\hza.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\tlryo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\Old HDD\My Documents\DOC's\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tbaytel.net/templates/main_template.asp?section_id=3&page_id=3
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6CFA4B7D-E868-29CF-8652-10550CA5286B} - C:\WINDOWS\System32\xhobome.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://*.flingstone.com
O15 - Trusted Zone: http://*.mt-download.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1089154018877
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.375150463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{083BA8C2-77A8-4E8E-9AA4-2B7D4BCB0986}: NameServer = 216.211.26.14 216.211.26.15


Spy Sweeper got Purity Scan, go2net.com which always show up----Spybot got Purity
 and DSO Exploit but couldnot fix Exploit---Webshredder was clean ---Stinger clean too
But on deleteing cookies  and temporary internet files a DATFile 48K would not delete
it was being used by another person or program-- so far the sme popup show but the Explorer initialization error doesnot--  what is next
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question