Solved

Has CWS.SmartSearch.2 still got me? CWShredder says I'm safe but...I'm not so sure.

Posted on 2004-08-15
14
956 Views
Last Modified: 2010-04-12
Each time I open CWShredder v.1.59.0 and hit the "Check for update" button I get the "Fetching CWShredder update....etc." panel. After a nominal minute, I get the message; "Unable to retrieve...etc. Server might be unavailable, try again later." This has been going on for 3 days. This is the SWI site and I realize that it is very busy and that it has been under "attack" for some time now, but 3 days of failing to get thru seemed excessive.

What has me most concerned is the following sequence of events; 3 days ago on my first attempt, I opened CWShredder and checked for updates, the message came up that there were updates available. I hit the "Download and open the update", a message popped on screen informing me that "...CoolWebSearch trojan (CWS.SmartSearch.2) has attempted to...etc...to counter this,....random string of text,...Cws is still functioning....has not been corrupted." When I closed that message, I was back at the CWShredder opening panel. Closing and restarting CWShredder, I again hit the Check for updates, got the "Fetching...etc." and then after the short wait I got the "Unable to retrieve...etc.". Since that time, after 10 or 12 attempts each day I am still unable to reach the updates. Further:

Yesterday, on 2 of my attempts, as soon as the CWShredder panel hit the screen, the "....CWS.SmartSearch.2 has attempted to close CWShredder...etc." came up. Yesterday I was plagued with a lot of "failures to respond", inability to remove programs by means of "Add/Remove" (MediaPlayer 7.1 specifically) it would take control of my machine, locking me up in whatever program was running, dead mouse, etc. The 3 finger salute was the only way out. On each of these occasions, WMP7.1 was the prime offender. After 5 or 6 hours of work with Regedit, Explorer, and 3 different registry utilities I managed to get rid of MediaPlayer and the lock-ups. During all of this, IE has never seemed to be affected.

I have run Panda, Housecalls, and McAfee several times. All 3 report nothing. I run SpywareBlaster, Spybot S&D, Ad-Aware daily, always after seeking updates. All of them have nothing to report.

Well, wouldn't you just know it, as of 2 minutes ago; I attempted the CWShredder update routine and finally it got past the "Unable to retrieve" and it said there was an update. I hit "Download and open the update", got the "Connecting", waited it out, and got the download, but, "An error occurred opening the downloaded file"......  "You need a file compression program like Winzip....etc".  My trial period with Winzip expired yesterday, I have no means by which to open the download. Any suggestions? I need a means of unzipping zipped downloads...Googling brings up several possibilities but I have no familiarity with any of them and am therefore fearful to select one. I really liked the Winzip but I just can't afford it (or anything else for that matter - my signature says it all, plain and simple). I'm not cheap and looking for free rides, I'm just living on very limited means and there is no room in the budget for anything more than necessities.

I have submitted my most recent HJT log to SWI for evaluation and am waiting to see what that brings... if anyone here wants to look at it I will post it on request. I know that SWI, as well as you folks at EE, are swamped so if it takes some bit of time to get to my query I'll understand, but believe me, I will be waiting with great antici...........pation (as Dr. Frankenfurter, in Rocky Horror Picture Show put it).

In summary, I am concerned that CWS.SmartSearch.2 is still lurking somewhere, waiting for another exploitable such as MP7.1.

This may be relevant; whenever I have run HJT during the past few days it does that "quick as a flash" scan and then stalls for about 45 seconds, the progress bar is about 90% across and it says "015 - Trusted Zone enumeration...", during the delay my mouse is essentially dead. After the delay, HJT finishes the scan and all is normal.

In passing; if BillDl hits me again with the Tweakui stuff, forget it Bill...that thing is still doing crazy stuff, but nothing that is of great import in this issue, have a good one BillDl.

Thanks for any help, advice, or commentary anyone would care to offer. Harshale


0
Comment
Question by:harshale
14 Comments
 
LVL 12

Expert Comment

by:rossfingal
Hi!

I just took a look at your log, just be patient - you're in good hands there!
I'll follow your progress there!
Yes, you have some "unpleasant" stuff on your computer!
One thing that you should do is upgrade HijackThis to the latest version - 1.98.2
It's available here:
http://www.subratam.org/?page=removal
Or:
http://www.zerosrealm.com/downloads/hjt.zip
Then, repost a new log file.
Also, feel free to post a log file here - there are people here who can deal with these things.
Regards...
RF
0
 

Author Comment

by:harshale
Greetings Rossfingal,

I have downloaded the HJT upgrade but cannot install it due to my lack of an "unzip utility"...as I said in my first post, my trial period of Winzip expired yesterday, now I have no way to install any zip downloads.

I will include the most recent HJT log, hopefully that will help.
One thing that seems odd to me is the triple entry: C:\Program Files\Internet Explorer\Explore.exe   I have gone there in Windows Explorer and find only one such entry yet, HJT reports it 3 times. Also, 8 of the 9 items bearing an 09 prefix are suffixed with "File Missing", I'm always tempted in these cases to just eliminate the item(s), I mean, if the file ain't there, why carry listings which reference missing files?

In any case, my first hurdle is obtaining a utility by which I can unzip and open these updates/upgrades. Until I can do that I'm dead in the water. Again, any suggestion as to a good utility for this purpose?

Thanks for your reply,  Harshale

Logfile of HijackThis v1.98.1
Scan saved at 11:22:38 AM, on 8/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TI ADSL\BIN\WIN9X\TIDSLMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PRODIGY COMMUNICATIONS\PRODIGY DSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\START MENU\PROGRAMS\SECURITY\CWSHREDDER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dslhome.prodigy.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/Player_wallpaper.jpg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =                              HYDRA - MEDUSA
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\WIN9X\tidslmon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4382/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

0
 
LVL 6

Expert Comment

by:akboss
Try this zip program. I have used it for years without a problem.

http://www.pcworld.com/downloads/file_description/0,fid,6383,00.asp
0
 
LVL 5

Expert Comment

by:ravisimpi
Maybe the 'Coolwebsearch' is still there in your system.

Try this tool, which will remove that trojan.

  Here's the link

http://www.safer-networking.org/files/delcwssk.zip

 I have posted the link here with the reference from this website

http://www.spywareinfo.com/~merijn/downloads.html
0
 

Author Comment

by:harshale
Greetings, ravisimpi, I downloaded the delcwssk.zip to my desk-top and unzipped from there. I am unsure of what I have accomplished.
It appears that it upgraded my CWShredder from ver. 1.56.0002 to ver.1.59. It has also added; "miniremoval_coolwebsearch_smartkiller.exe" in 2 locations, 1 - C:\Program Files, and 2 - C:\unzipped\delcwssk.
What has me wondering is that when I go to either location and click to open "miniremoval....etc.", I get a message that "Coolwwwsearch.smartkiller (v1/v2) has not been found on your system."
 What does this message mean? Does it indicate a faulty installation of "delcwssk"?.... or does it mean that the item which delcwssk is designed to destroy (Coolwwwsearch.smartkiller?) is not on my system? I hope it is the latter.

A few days ago I had spent a 16 hr. span ridding my self of some variant of CWS, after searching thru EE, I found some help, the "accepted answer" by spiderfix gave me the clue I needed...wmplayer.exe had been taken over. In spite of the fact this was in the XP area I was able to extrapolate from there enough info to allow me to get it out of my 98SE. I'm including the Experts Exchange link to that discussion and solution just in case it might be helpful.

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21043564.html#11440389

Thank you for your recommendation and thank you for any further help you may give me.          Harshale
0
 
LVL 6

Accepted Solution

by:
akboss earned 500 total points
>> get a message that "Coolwwwsearch.smartkiller (v1/v2) has not been found on your system."

This means that your system is clean of this type of Cool Search.
Smartkiller shuts down the regular CWShredder.

And I take it you now have an unzip utility.

Post another HJT log just to make sure everything has been taken care of.
0
 

Author Comment

by:harshale
akboss,
That's great news!!

On the zip front: I tried one and it looked great but during the installation I was asked too many times to make selections concerning things about which I knew nothing! I tend to go with defaults on installations, and learn from there. This Wizard was too tough for me, so I bailed out on that one and found another that is doing the job, as is evidenced, in that the 2 downloads referenced in these posts have been successful.

The HJT log; coming up, but first: there were 8  09 listings all faulted for "File Missing", I just wiped them out and looked for the debris and got rid of it. That explains their absence in this report, Thank you for taking an interest in this, it's not only helpful to me but I also learn something more. Thanks again     Harshale

Logfile of HijackThis v1.98.1
Scan saved at 4:59:35 PM, on 8/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TI ADSL\BIN\WIN9X\TIDSLMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PRODIGY COMMUNICATIONS\PRODIGY DSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dslhome.prodigy.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/Player_wallpaper.jpg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =                              HYDRA - MEDUSA
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\WIN9X\tidslmon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4382/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

0
 
LVL 6

Expert Comment

by:akboss
fix these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


other than those your log looks good.

Just remember to run ad-aware, spybot, and CWShredder at least weekly.
I run them when I run my A/V.

It's what I do and what I tell my clients they must do.

0
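The comparison made by hand across the two HijackThis logs in this thread (which entries disappeared between scans, and which remaining entries are the blank `Local Page` values akboss points at), as an added example that is not part of the original thread. The function names are this example's own, and the sample lines are a subset copied from the two logs posted above.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")

# Item lines in a HijackThis log start with a section code: "R0 - ...", "O16 - ..."
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Subset of lines copied from the 8/15/04 scan posted in this thread.
SCAN_AUG15 = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dslhome.prodigy.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
"""

# The same subset as it appears in the 8/17/04 scan.
SCAN_AUG17 = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dslhome.prodigy.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
"""


def parse_items(log_text):
    """Return the coded item lines, skipping the header and process list."""
    items = []
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append(Entry(m.group(1), m.group(2).strip()))
    return items


def flag(entry):
    """Reasons an entry deserves a second look; empty list if none."""
    reasons = []
    if entry.text.lower().endswith("(file missing)"):
        reasons.append("file missing")
    if entry.code in ("R0", "R1") and "=" in entry.text:
        # Split on the first "=" only: URL values contain "=" themselves.
        if not entry.text.split("=", 1)[1].strip():
            reasons.append("empty value")
    return reasons


def diff(before, after):
    """Entries that vanished and entries that appeared, in log order."""
    b, a = set(before), set(after)
    removed = [e for e in before if e not in a]
    added = [e for e in after if e not in b]
    return removed, added


def review(before_text, after_text):
    before, after = parse_items(before_text), parse_items(after_text)
    removed, added = diff(before, after)
    flagged = [(e, flag(e)) for e in after if flag(e)]
    return removed, added, flagged


if __name__ == "__main__":
    removed, added, flagged = review(SCAN_AUG15, SCAN_AUG17)
    for e in removed:
        print("removed:", e.code, "-", e.text)
    for e in added:
        print("added:  ", e.code, "-", e.text)
    for e, reasons in flagged:
        print("check:  ", e.code, "-", e.text, reasons)
```

An entry in the `added` list is the one to investigate first after a cleanup, since it did not exist in the earlier scan; a flagged entry is only a pointer for a person to look at.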
 

Author Comment

by:harshale
akboss:

I've had my eye on those two R0 entries for days, mainly because at some time in the past someone had me get rid of them while cleaning up a few other items. I know not when they show up or what brings them in. They never seem to cause any problem so I've just let them ride. I'll start dumping them as soon as they show up from here on. Just out of curiosity: what are they about?, why are there always 2 of them, etc....do you have any place to refer me to in order to learn more?

As far as Ad-Aware, Spybot, SpywareBlaster, etc.....I run them daily....too much free time on my hands I guess.
Thanks,     Harshale
0
 
LVL 6

Expert Comment

by:akboss
The R0's are in your registry.
>>NOTE! When working in registry ALWAYS make a backup of your registry in case of a mistake. You then can correct it by going back.<<

go to start>run>type in regedit>then ok>go to HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main and then look for
Local Page = . Highlight it and right click and click on delete. This will remove it from your system.

Just go to HKEY_LOCAL_MACHINE to find the other one










0
 

Author Comment

by:harshale
akboss,
Over a period of months I've run that drill so many times I've lost count. They always return at some point. When they are there, my registry scanner reports them as "Invalid Path" or some such thing, it is missing an item "blank.htm"

I did a find Files and Folders search and found the missing blank.htm at C:\Windows\System\Oobe\. I modified the registry entries at CU, LM, and a third I found at  Users\.default...\....\...etc\Main\ Local Page,  from; C:\Windows\System\blank.htm to C:\Windows\System\Oobe\blank.htm.  This keeps my registry scanner from whining. The 2 RO entries still come back but now they are carrying the proper address instead of being blank. I have no idea what they are all about but I'm not concerned. Everything is operational. Outside of that...nothing to report. Thanks, Harshale
0
 
LVL 6

Expert Comment

by:akboss
Well glad we could be of help to you.
0
 

Author Comment

by:harshale
akboss,
 One last report: since my last post I Googled up "Oobe" and found it to be a bunch of garbage....I put the "blank.htm" back in C:\Windows\System, did a Find Files...etc; Named: Oobe, and deleted every thing that had 2 O's in it (well, not quite that bad), but I got rid of Oobe in one stroke. The RO entries are gone now and so is a lot of other pesty trash that has been around. All in all it's been a good day....of course this thing will strike back eventually, it always finds a way. I've named it "Hydra - Medusa", it's like dealing with a barrel full of Medusas in a swamp full of Hydras. But it beats watching the news.

Adios, and take care, and thanks to all at Experts Exchange for being there and doing the fine work which you've been doing for so very long.   Sincerely,  Larry Harsha
0
 
LVL 6

Expert Comment

by:akboss
Well thank you for the high praise and if there are other problems don't be shy about asking. Plenty of great experts here to help.
0
