
Pop-ups from AUBrowse...

Discussion in 'Malware and Virus Removal Archive' started by Jae, 2005/05/05.

Thread Status:
Not open for further replies.
  1. 2005/05/05
    Jae

    Jae Inactive Thread Starter

    Joined:
    2005/03/23
    Messages:
    19
    Likes Received:
    0
    Hi,

    I've been getting this pop-up from AUBrowse. The pop-up is a blank screen. And it happens whether I'm checking email or just browsing. Here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:37:11 PM, on 5/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\StopItBlockItSystemTray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\WINDOWS\system32\SDMonitor.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\program files\mcafee.com\shared\mghtml.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\svchost.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jae Park\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=21940
    O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\system32\StopItBlockItSystemTray.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MonitorSD] C:\WINDOWS\system32\SDMonitor.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe "
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SysW8] C:\PROGRA~1\CLEANS~1\csta.exe startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02CBDD6F-8599-4B91-84FF-4531C5C05098}: NameServer = 207.69.188.185 207.69.188.186
    O17 - HKLM\System\CS3\Services\Tcpip\..\{02CBDD6F-8599-4B91-84FF-4531C5C05098}: NameServer = 207.69.188.185 207.69.188.186
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
     
    Jae,
    #1
  2. 2005/05/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your log appears to be clean. Did you ever check the properties of the popups as mentioned in your previous thread?
     

  4. 2005/05/09
    Jae

    Jae Inactive Thread Starter

    Hey Dave,


    Yeah, I tried right clicking on the pop-up ad, but nothing happens. It doesn't occur as often as the pop-ups from instant access, in fact, sometimes I don't get any. Other times I'll get one, then I'll close the ad, then immediately I'll get another one. I run Spy-bot and other spyware detection programs and they all tell me that I'm clean. Maybe it's fairly harmless... Not sure...

    J.
     
    Jae,
    #3
  5. 2005/05/10
    Jae

    Jae Inactive Thread Starter

    Okay... I did right click on the ad, but there was no option to choose properties. Just minimize, maximize, and close...
     
    Jae,
    #4
  6. 2005/05/17
    Jae

    Jae Inactive Thread Starter

    Now my computer runs very slow for some reason. It'll freeze when I run programs and/or won't respond when I close or try to open something. I have to "end task" pretty much every time I open something. It takes five minutes to dial to an internet connection etc...
     
    Jae,
    #5
  7. 2005/05/17
    noahdfear

    noahdfear Inactive

    Let's get a better look at things. Please download MWAV. Save it to your desktop and double click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower window labeled Virus Log Information and post it here. Takes quite a long time for it to finish, so be patient. ;)
     
  8. 2005/05/20
    Jae

    Jae Inactive Thread Starter

    This may sound completely idiotic, but I can't seem to copy what's in the Virus Log window. Highlight and right click, but nothing. Maybe I have to purchase the rest of the software before they let me do this... not sure.
     
    Jae,
    #7
  9. 2005/05/20
    noahdfear

    noahdfear Inactive

    Hmm.....just left click in the lower results window to make it the active window. Then press Ctrl+A. It should highlight everything. Then Press Ctrl+C to copy, and in a reply window here, press Ctrl+V to paste.

    If the list is rather large, that may be the problem also. Often times, many of the entries will be duplicate, so it's not necessary to copy the whole window.
     
  10. 2005/05/21
    Jae

    Jae Inactive Thread Starter

    Thanks for that lesson in basic computing... :) Here is the MWAV Virus Log:


    Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\ctor.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\objectps.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iuser.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\IScript\iscript.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\Common\trdr3260.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\Common\rpmn3260.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\Common\rppr3260.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\Common\rput3260.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\msxml3a.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Twunk_16.exe ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Twunk_32.exe ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Dell Computer\Dell Picture Studio v2.0\DPAPRE4DPSPRE7\index.html ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Dell Computer\Dell Picture Studio v2.0\DPAPRE4DPSPRE8\index.html ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Dell Computer\Dell Picture Studio v2.0\DPAPRE4DPSTBY7\index.html ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Dell Computer\Dell Picture Studio v2.0\DPAPRE4DPSTBY8\index.html ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Dell Computer\Dell Picture Studio v2.0\DPASTA4DPSPRE8\index.html ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Dell Computer\Dell Picture Studio v2.0\DPASTA4DPSTBY8\index.html ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DELL\High Speed Internet Offers\Consumer\html\index.htm ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\Setup.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\IGDI.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\IsProBE.tlb ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\objectps.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\DellSupport.EXE ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\EGDACCESS_1058.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iKernel.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\Setup.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\DotNetInstaller.exe ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iscript.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\ctor.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iuser.dll ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\IGDI.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{00014C0D-B007-4448-B89B-4EC3E857961D}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{10F34E64-BBB2-11D6-8A17-00E029570A3E}" refers to invalid object "C:\Program Files\America Online 9.0\sa.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{1167C47F-01F9-4C08-8564-1D6C9BAAFB60}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Pathfinder.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{1853e19a-4e54-4190-8deb-2e1cc947cd60}" refers to invalid object "C:\Program Files\America Online 9.0\axtrack.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\sb.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{1B28020D-9DE7-11D4-A2D4-001083025146}" refers to invalid object "C:\Program Files\America Online 9.0\axclntbrg.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{1EFD6A40-3999-11CF-9150-00AA0059F70D}" refers to invalid object "D:\PROGRAM\32\mci32.ocx ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{205D2DFB-BBAD-4DC4-A0BB-CDA12A1639CE}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{229b78d5-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{229b78df-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{229b78e0-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{229b78e1-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{229b78e2-38f5-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{26D73573-F1B3-48C9-A989-E6CE071957A1}" refers to invalid object "C:\WINDOWS\system32\EGDACCESS_1057.dll ". Action Taken: No Action Taken.
     
    Jae,
    #9
  11. 2005/05/21
    Jae

    Jae Inactive Thread Starter

    Here's the 2nd half:

    Entry "HKCR\CLSID\{3775D2E0-7C5D-11CF-899E-00AA00688B10}" refers to invalid object "D:\PROGRAM\32\mci32.ocx ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{3D48B387-E74A-4651-A2ED-7FC490964319}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{4634A8A8-E78E-4fed-9751-52307590D7F1}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{4E97BE17-3300-4A4F-B380-5988DD771F1F}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Ares.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{5145942E-41DF-4658-B7C4-089F48E84A75}" refers to invalid object "C:\Program Files\America Online 9.0\axtrack.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{51B21D54-F57F-4ca1-93FF-D986E9F0A388}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{5788DAE8-4B72-4BE6-89A0-1E6123E4CBC2}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Cerberus.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{60A07B6D-B66C-4339-BD52-EC9520FDCE6A}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{63603526-954A-42eb-8BEB-8E4BF2F636CB}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{639A19DD-1D97-4A6E-A0D1-01E04FED563F}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{741506D7-C215-48A1-8211-4CEFF2E8FE2C}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{756A2CB8-EC02-4DC8-8588-296C611A5365}" refers to invalid object "C:\Program Files\Common Files\aolshare\Coach\Player\coachdm2.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{7629C9DE-2E38-4963-A01C-02FFAC203D87}" refers to invalid object "C:\Program Files\America Online 9.0\axtrack.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{777C89DF-5C36-11D5-ABAF-00B0D02332EB}" refers to invalid object "C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IScript7.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{777C8A05-5C36-11D5-ABAF-00B0D02332EB}" refers to invalid object "C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\Objps7.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{777C8A16-5C36-11D5-ABAF-00B0D02332EB}" refers to invalid object "C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32\IUser7.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{7C9688C3-7279-474D-ABA5-A632373D2CDB}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{80373D03-D993-11D3-A2CE-00108335731F}" refers to invalid object "C:\Program Files\America Online 9.0\MIMEHook.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{84CBABC2-D3BE-4EEF-8394-121FAC215CEF}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~2.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{8AB5F344-B600-11D6-8A15-00E029570A3E}" refers to invalid object "C:\Program Files\America Online 9.0\sa.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{8BBDA254-CE76-11D3-A2CE-00108335731F}" refers to invalid object "C:\Program Files\America Online 9.0\MIMEHook.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{943742F6-3A40-43FF-97F4-A1750D97B200}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~2.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{98BFD494-F6AD-4794-9038-832C0654CC43}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPUPF.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{99720901-B635-43bd-83E6-D084A990F15A}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{9DC1221E-0B36-445a-A2D1-FCA92E502834}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{A105BD70-BF56-4D10-BC91-41C88321F47C}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}" refers to invalid object "C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\ctor.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}" refers to invalid object "C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\ctor.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{AD41621C-A2DD-487D-A24B-8BE40116A5A3}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~2.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{AED456C4-4866-4420-863F-35767EBED514}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{B4087707-EFB7-46C0-830E-714899CCE724}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{B4F80028-5714-4B7B-B9B1-5748B204799A}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{B9F3009B-976B-41C4-A992-229DCCF3367C}" refers to invalid object "C:\Program Files\America Online 9.0\axtrack.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{bc8a96c4-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{bc8a96c5-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{bc8a96c6-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{bc8a96c7-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{bc8a96c8-3909-11d5-9001-00c04f4c3b9f}" refers to invalid object "C:\Program Files\America Online 9.0\Media\CDDBControl.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}" refers to invalid object "D:\PROGRAM\32\mci32.ocx ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{C28BC286-884C-4a63-8A9C-6F7F5711034F}" refers to invalid object "C:\Program Files\America Online 9.0\Media\NmpX\nmpx.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{C8B29238-05AD-421E-8B44-1C11C43FAE1C}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}" refers to invalid object "C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iuser.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{CD34B69E-6117-4eaf-B5B4-F9FD659BF00D}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{D465B936-C361-4417-9AC5-35167066F84B}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{D9F99C6B-A3A6-11D4-AF64-444553546170}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}" refers to invalid object "C:\PROGRA~1\COMMON~1\aolshare\pictures\YGPPIC~4.DLL ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E13046F7-A5DF-4574-BD7A-6DC12EC10FF5}" refers to invalid object "C:\Program Files\America Online 9.0\ebrowser.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E3852604-B619-11d6-94EC-00047521F020}" refers to invalid object "C:\Program Files\America Online 9.0\Media\NmpXChat\nmpxchat.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}" refers to invalid object "C:\Program Files\Common Files\InstallShield\IScript\iscript.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E981D791-F499-4837-A483-5AB22F1C548F}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{E9DD2392-EF9B-4963-BEDF-F86C0A2B762A}" refers to invalid object "C:\Program Files\America Online 9.0\AMH.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{EB511AE4-87FE-4EFB-91A3-428B2F2601F7}" refers to invalid object "C:\Program Files\America Online 9.0\Media\Phobos.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{F091791F-D50D-4ace-9D82-05C42DBB9897}" refers to invalid object "C:\Program Files\America Online 9.0\MyCalendar.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}" refers to invalid object "C:\Program Files\Common Files\InstallShield\Professional\RunTime\objectps.dll ". Action Taken: No Action Taken.
    Entry "HKCR\CoachDM.WebCoachDownload" refers to invalid object "{E04EAE82-14AD-41CB-BF5A-45556ABB8347} ". Action Taken: No Action Taken.
    Entry "HKCR\CoachDM.WebCoachDownload.1" refers to invalid object "{E04EAE82-14AD-41CB-BF5A-45556ABB8347} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.ImageListCtrl" refers to invalid object "{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.ImageListCtrl.1" refers to invalid object "{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.ListViewCtrl" refers to invalid object "{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.ListViewCtrl.1" refers to invalid object "{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.SBarCtrl" refers to invalid object "{6B7E638F-850A-101B-AFC0-4210102A8DA7} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.SBarCtrl.1" refers to invalid object "{6B7E638F-850A-101B-AFC0-4210102A8DA7} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.Slider" refers to invalid object "{373FF7F0-EB8B-11CD-8820-08002B2F4F5A} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.Slider.1" refers to invalid object "{373FF7F0-EB8B-11CD-8820-08002B2F4F5A} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.TabStrip" refers to invalid object "{9ED94440-E5E8-101B-B9B5-444553540000} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.TabStrip.1" refers to invalid object "{9ED94440-E5E8-101B-B9B5-444553540000} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.Toolbar" refers to invalid object "{612A8624-0FB3-11CE-8747-524153480004} ". Action Taken: No Action Taken.
    Entry "HKCR\COMCTL.Toolbar.1" refers to invalid object "{612A8624-0FB3-11CE-8747-524153480004} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.Animation" refers to invalid object "{B09DE715-87C1-11D1-8BE3-0000F8754DA1} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.Animation.2" refers to invalid object "{B09DE715-87C1-11D1-8BE3-0000F8754DA1} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.DTPicker" refers to invalid object "{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.DTPicker.2" refers to invalid object "{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.FlatScrollBar" refers to invalid object "{FE38753A-44A3-11D1-B5B7-0000C09000C4} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.FlatScrollBar.2" refers to invalid object "{FE38753A-44A3-11D1-B5B7-0000C09000C4} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.MonthView" refers to invalid object "{232E456A-87C3-11D1-8BE3-0000F8754DA1} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.MonthView.2" refers to invalid object "{232E456A-87C3-11D1-8BE3-0000F8754DA1} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.UpDown" refers to invalid object "{603C7E80-87C2-11D1-8BE3-0000F8754DA1} ". Action Taken: No Action Taken.
    Entry "HKCR\MSComCtl2.UpDown.2" refers to invalid object "{603C7E80-87C2-11D1-8BE3-0000F8754DA1} ". Action Taken: No Action Taken.
    Entry "HKCR\Pugi.Reactivator" refers to invalid object "{6C31790D-1EDF-4b05-83DC-925B3A8E2318} ". Action Taken: No Action Taken.
    Entry "HKCR\Pugi.Reactivator.1" refers to invalid object "{6C31790D-1EDF-4b05-83DC-925B3A8E2318} ". Action Taken: No Action Taken.
    Entry "HKCR\TabDlg.SSTab" refers to invalid object "{BDC217C5-ED16-11CD-956C-0000C04E4C0A} ". Action Taken: No Action Taken.
    Entry "HKCR\TabDlg.SSTab.1" refers to invalid object "{BDC217C5-ED16-11CD-956C-0000C04E4C0A} ". Action Taken: No Action Taken.
    File C:\WINDOWS\system32\msclock32.dll tagged as "not-a-virus:AdWare.NaviPromo.c ". Action Taken: No Action Taken.
    File C:\WINDOWS\system32\msplock32.dll tagged as "not-a-virus:AdWare.NaviPromo.c ". Action Taken: No Action Taken.
    File C:\Program Files\Dell\Media Experience\Extension\WTGames\InstallWT.exe tagged as "not-a-virus:AdWare.WinAD ". Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000209.dll tagged as "not-a-virus:****-Dialer.Win32.InstantAccess ". Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM32\msclock32.dll tagged as "not-a-virus:AdWare.NaviPromo.c ". Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM32\msplock32.dll tagged as "not-a-virus:AdWare.NaviPromo.c ". Action Taken: No Action Taken.


    BTW, the results indicated that there were 7 viruses found, if that helps. Also, there were 157 errors, wondering if these are things I need to correct as well...

    Thanks.
     
    Jae,
    #10
  12. 2005/05/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Jae,

    Actually only two files there that need to go.

    C:\WINDOWS\SYSTEM32\msclock32.dll
    C:\WINDOWS\SYSTEM32\msplock32.dll

    There's one in System Restore that can be purged by toggling SR off and back on. The rest are registry entries only. Those could be cleaned out with RegSeeker.

    The way I use it is to do a 'clean registry' scan, check the backup box when it finishes, select all and delete. Then check installed programs, Add/Remove Programs applet, basic Windows applications, etc, to make sure everything is still working as it should. If RegSeeker breaks something, you can replace the backup and be back where you started. If all is well, run another scan and do the same. Repeat until it comes up clean.

    Let me know if the above helps. :)
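The sorting done by eye in the reply above (live files, copies held in System Restore, registry-only entries) can be scripted. This is an added example, not part of the thread or of any tool named in it; the regular expressions are inferred from the MWAV log lines quoted on this page, and the function and bucket names are hypothetical.

```python
import re

# Sample input: lines copied from the MWAV logs quoted in this thread.
SAMPLE_LOG = r'''
Entry "HKCR\CLSID\{E9DD2392-EF9B-4963-BEDF-F86C0A2B762A}" refers to invalid object "C:\Program Files\America Online 9.0\AMH.dll ". Action Taken: No Action Taken.
Entry "HKCR\Pugi.Reactivator" refers to invalid object "{6C31790D-1EDF-4b05-83DC-925B3A8E2318} ". Action Taken: No Action Taken.
File C:\WINDOWS\system32\msclock32.dll tagged as "not-a-virus:AdWare.NaviPromo.c ". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000209.dll tagged as "not-a-virus:****-Dialer.Win32.InstantAccess ". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\msclock32.dll tagged as "not-a-virus:AdWare.NaviPromo.c ". Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
'''

# Line shapes as they appear in the quoted logs (inferred, not a documented format).
FILE_RE = re.compile(
    r'^File (?P<path>.+?) tagged as "(?P<tag>[^"]*)"\. Action Taken: (?P<action>.+?)\.?$')
ENTRY_RE = re.compile(
    r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>[^"]*)"\. '
    r'Action Taken: (?P<action>.+?)\.?$')
OBJECT_RE = re.compile(
    r'^Object "(?P<name>[^"]+)" found in (?P<where>.+?)! Action Taken: (?P<action>.+?)\.?$')

# Matched with spaces removed, so "System Volume Information" and the
# space-less spelling seen in pasted logs are both recognised.
RESTORE_MARK = "\\systemvolumeinformation\\_restore"


def triage(log_text):
    """Sort MWAV log lines into buckets a helper would treat differently."""
    report = {
        "files": {},             # detections on live files, keyed by lower-cased path
        "restore_points": {},    # detections inside System Restore snapshots
        "registry_orphans": [],  # registry entries pointing at missing objects
        "objects": [],           # named spyware/adware objects
        "unparsed": [],          # anything that matched none of the shapes
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path").strip()
            tag = m.group("tag").strip()
            in_restore = RESTORE_MARK in path.lower().replace(" ", "")
            bucket = "restore_points" if in_restore else "files"
            # Windows paths are case-insensitive: system32 and SYSTEM32 are one file.
            report[bucket].setdefault(path.lower(), (path, tag))
            continue
        m = ENTRY_RE.match(line)
        if m:
            report["registry_orphans"].append(
                (m.group("key"), m.group("target").strip()))
            continue
        m = OBJECT_RE.match(line)
        if m:
            report["objects"].append((m.group("name"), m.group("where").strip()))
            continue
        report["unparsed"].append(line)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Live files flagged:")
    for path, tag in result["files"].values():
        print("  %s  [%s]" % (path, tag))
    print("In System Restore snapshots:")
    for path, tag in result["restore_points"].values():
        print("  %s  [%s]" % (path, tag))
    print("Registry entries pointing at missing objects: %d"
          % len(result["registry_orphans"]))
    print("Named objects: %d" % len(result["objects"]))
    print("Unparsed lines: %d" % len(result["unparsed"]))
```

The script only groups and de-duplicates what the scanner reported; which of the flagged items to remove is still a judgement for the person reading the log.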
     
  13. 2005/06/13
    Jae

    Jae Inactive Thread Starter

    Joined:
    2005/03/23
    Messages:
    19
    Likes Received:
    0
    Dave,

    I followed your instructions from the last post. My computer is running just a tad bit faster than it was, but still I'm experiencing a lot of freeze-ups when I run a program, and am still having to "end task" pretty often. Here's the latest MWAV log. Will you take a look at it and tell me if there's anything I need to fix... Thanks.

    Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll ". Action Taken: No Action Taken.
    File C:\Program Files\Dell\Media Experience\Extension\WTGames\InstallWT.exe tagged as "not-a-virus:AdWare.WinAD ". Action Taken: No Action Taken.
     
    Jae,
    #12
  14. 2005/06/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Use RegSeeker's 'Find in registry' feature to search for this string.

    88E729D6-BDC1-11D1-BD2A-00C04FB9603F

    You should find an entry in HKCR\CLSID. Delete it!

    Open My Computer and right click Local Disk C:, then choose properties. If Indexing is checked, uncheck it and click apply. Apply to all folders and sub-folders. Then click tools and defragment the drive.

    If this is a stand-alone computer (not networked), click Tools on any Windows Explorer menu, then Folder Options. Click the view tab and uncheck 'Automatically search for network folders and printers'. Click OK to close the window.

    Reboot and let us know if it's acting any better.
     
  15. 2005/06/24
    Leanna

    Leanna Inactive

    Joined:
    2005/06/24
    Messages:
    8
    Likes Received:
    0
    Same Problem

    Dear Dave,
    I have the same problem as Jae. I found this discussion you are having with him on a Google search. This AUBrowse pop-up is driving me nuts. It comes on every day at about 2:00. I cannot tell what it is doing, if anything. A friend told me to get HijackThis, but I have no idea how to read the log. I see that you started this thread with Jae's HJT log.

    Could you please help me too?
    Thank you in advance,
    Leanna
     
  16. 2005/06/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Leanna! :)

    I would be more than happy to 'try' to help with those popups. Please read the Welcome sticky at the top of this forum, follow the suggestions there for running Ad-aware, Spybot and an online virus scan if you haven't already, then download HijackThis and post a log.

    Just so you know, I will be moving this to a new topic of its own named AUBrowse popups once you post a log.
     
  17. 2005/06/27
    afarro

    afarro Inactive

    Joined:
    2005/06/27
    Messages:
    5
    Likes Received:
    0
    Aubrowse popups

    :cool: Hi Dave. I have the same problem. Every now and then I receive an Aubrowse pop-up. I followed the same steps as you discussed with Jae but didn't get rid of the popups yet. I don't think my computer runs any slower though. I am not sure if it is harmless or not. Any idea?

    Thanks
    afarro,
     
  18. 2005/06/27
    Leanna

    Leanna Inactive

    Joined:
    2005/06/24
    Messages:
    8
    Likes Received:
    0
    AUBrowse popups

    I read the Sticky and did the scans. It took me a few days because I ran each 2 and 3 times. AdAware, Panda, and eTrust gave me a clean bill.

    Spybot kept finding the same items and saying it fixed them but when I scanned again the same items were listed:

    DSO Exploit
    Data source object exploit
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\1004!=W=3

    Data source object exploit
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\1004!=W=3

    Data source object exploit
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\1004!=W=3

    Data source object exploit
    HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\1004!=W=3

    ---------------------------
    RAV AntiVirus Activescan

    Incident Status Location

    Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
    Adware:Adware/ExactSearch No disinfected C:\DOCUME~1\Leanna\LOCALS~1\Temp\blank.gif
    Spyware:Spyware/MarketScore No disinfected C:\Documents and Settings\Leanna\Local Settings\Temp\~os41.tmp\ossproxy.exe
    Spyware:Spyware/MarketScore No disinfected C:\Documents and Settings\Leanna\Local Settings\Temp\~os41.tmp\rk.bin
    Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
    -------------------------------------

    BitDefender found several items that it eliminated, but these 6 could not be:

    C:\SystemVolumeInformation\_restore{B3768032-BAQA-4E5D-BF30-83E44C58864}\RP239\A0035626.exe
    C:\SystemVolumeInformation\_restore{B3768032-BAQA-4E5D-BF30-83E44C58864}\RP242\A0039125.exe
    C:\SystemVolumeInformation\_restore{B3768032-BAQA-4E5D-BF30-83E44C58864}\RP242\A0039496.exe
    C:\SystemVolumeInformation\_restore{B3768032-BAQA-4E5D-BF30-83E44C58864}\RP301\A0058773.exe
    E:\SystemVolumeInformation\_restore{B3768032-BAQA-4E5D-BF30-83E44C58864}\RP239\A0035640.exe
    E:\SystemVolumeInformation\_restore{B3768032-BAQA-4E5D-BF30-83E44C58864}\RP252\A0043353.exe

    note: E is an external back-up drive.
    -----------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 9:08:24 AM, on 6/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\WFXSVC.EXE
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\System32\NILaunch.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\System32\HPHipm09.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\DOCUME~1\Leanna\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.conchi.us/Leanna.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref( "aim.session.firsttime ", false);
    user_pref( "aim.session.screenname ", "leannac ");
    user_pref( "browser.activation.checkedNNFlag ", true);
    user_pref( "browser.bookmarks.added_static_root ", true);
    user_pref( "browser.download.dir ", "C:\\Documents and Settings\\Leanna\\Desktop ");
    user_pref( "browser.download.save_converter_index ", 0);
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage_override.mstone ", "rv:1.7.2 ");
    user_pref( "dom.disable_open_during_load ", true);
    user_pref( "editor.history_title_0 ", "Conchi's Belllydance information ");
    us
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe "
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe "
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\Leanna\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe /startupscan
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.653873099618593&file=stamps.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  19. 2005/06/28
    raiders73

    raiders73 Inactive

    Joined:
    2005/06/28
    Messages:
    1
    Likes Received:
    0
    I am also getting the auBrowse popup. Has anyone successfully removed this popup?
     
  20. 2005/06/30
    afarro

    afarro Inactive

    Joined:
    2005/06/27
    Messages:
    5
    Likes Received:
    0
    Aubrowse popups

    I ran escan Anti-virus (by MWTI) + registry mechanics (by Pctools) on my computer. Did the repairs and finally, everything came clean except for a file in system32 folder: KILLAPPS.EXE. Here is the log:

    "File C:\WINDOWS\SYSTEM32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.c. No Action Taken "

    It seems this file is harmless by itself but it may be used to deactivate firewalls or anti-virus programs for possible attacks.

    Anyway, after a while one of those Aubrowses hit me again. So as my last action I removed the KILLAPPS program, and it remains to be seen if it has helped or not.
     
  21. 2005/07/01
    afarro

    afarro Inactive

    Joined:
    2005/06/27
    Messages:
    5
    Likes Received:
    0
    Aubrowse popups

    :mad: Well, unsuccessful again. I think Escan, Norton, Spyware doctor, spybot won't do any good against this popup. Guess we have to wait till somebody is successful in removing it.

    Afarro
     