
zipzap - hijack this logfile included

Discussion in 'Malware and Virus Removal Archive' started by mixmavros, 2005/02/19.

  1. 2005/02/19
    mixmavros

    Hi Dave,
    I have the same problem lots of users have with zipzappromos pop-up windows :( . I have Ad-Aware, Spybot and SpyWareBlaster, but it doesn't help. I heard of HijackThis, so I ran it and found something related to Instant Access and removed it. However, the problem remains. Here is a log file from HijackThis:

    Logfile of HijackThis v1.99.0
    Scan saved at 2:29:03 μμ, on 19/2/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\MICROS~2\GAMECO~1\common\swtrayv4.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\WINDOWS\system32\Linksts.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
    C:\Program Files\Nikon\NkView5\NkvMon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\DOCUME~1\USER\LOCALS~1\Temp\Rar$EX00.438\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.gr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\common\swtrayv4.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    I suspect these 2 dark orange "hijackers", since everything seems ok.

    I also ran regsearch and found these:
    REGEDIT4

    ; Registry Search by Bobbi Flekman
    ; Version: 1.0.1.0

    ; Results at 19/2/2005 4:32:30 μμ for strings:
    ; 'cmdani'
    ; 'instant access'
    ; Strings excluded from search:
    ; (None)
    ; Search in:
    ; Registry Keys Registry Values Registry Data
    ; HKEY_LOCAL_MACHINE HKEY_USERS


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Instant Access]

    I also ran SpyWareDoctor and here is what I got:
    Scan Results:
    scan start: 19/2/2005 5:06:45 μμ
    scan stop: 19/2/2005 5:09:33 μμ
    scanned items: 69975
    found items: 8
    found and ignored: 0
    tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner

    Infection Name Location Risk
    SaveNow multiple Medium
    Advanced Searchbar HKCR\TypeLib\{FE1CB30A-6ED9-4C62-9A8A-7DE9FA234608} Medium
    Advanced Searchbar HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping##{43F02779-6D88-4958-8AD3-83C12D86ADC7} Medium
    akamai.downloadv3.com HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448 High
    FUNWEBPRODUCTS HKCR\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} Medium
    FUNWEBPRODUCTS HKCU\Software\FunWebProducts Medium
    Advanced Searchbar {43F02779-6D88-4958-8AD3-83C12D86ADC7} Medium
    FUNWEBPRODUCTS {147A976E-EEE1-4377-8EA7-4716E4CDD239} Medium

    What can I do to remove zipzap?
    Thanx in advance, Mike

    PS: I noticed that the pop-ups only work with IE and not with Firefox. Is that true?
     
    Last edited: 2005/02/19
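
The O4 lines in the log above are the autorun entries a helper reads first, and the rest of the thread comes down to finding the one entry that does not belong. The script below is an added example, not HijackThis code and not anything posted in the thread: it parses O4 lines (registry Run values and Startup-folder links) into structured entries, reports which entries are new relative to an earlier log, and lists entries that launch a program by bare file name so they get a second look. BASELINE_LOG is copied from the log above; the single extra line in LATER_LOG is constructed here from the regsearch result posted later in the thread (iownce under HKLM\..\Run) and was not in the first log. The bare-name check is this example's own triage heuristic, not something the thread states.

```python
"""Parse the O4 (autorun) lines of a HijackThis log and triage them.
Added example for this thread, not HijackThis code and not from the posts.
BASELINE_LOG is copied from the first log above; the extra line in LATER_LOG
is constructed from the regsearch result posted later in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# O4 - HKLM\..\Run: [TkBellExe] "C:\...\realsched.exe" -osboot
_REG_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 - Global Startup: NkvMon.exe.lnk = C:\...\NkvMon.exe
_FOLDER_RE = re.compile(r'^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')
_EXE_EXT = (".exe", ".com", ".dll", ".scr", ".bat", ".cmd", ".pif")

@dataclass
class AutorunEntry:
    location: str   # "HKLM\..\Run", "HKCU\..\Run", "Global Startup", ...
    name: str       # value name or .lnk name as HijackThis prints it
    command: str    # raw command line
    exe: str        # program launched ("" when HijackThis prints "?")
    args: str       # everything after the program

    @property
    def rundll32_target(self) -> Optional[str]:
        """For rundll32-hosted entries, the DLL that is really loaded."""
        if self.exe.lower().endswith("rundll32.exe") and self.args:
            return self.args.split(",", 1)[0].strip()
        return None

    @property
    def launched_path(self) -> str:
        """The file that actually runs: the DLL for rundll32, else the program."""
        return self.rundll32_target or self.exe

    @property
    def has_directory(self) -> bool:
        """False when only a bare file name is given (resolved by PATH search)."""
        return "\\" in self.launched_path or "/" in self.launched_path

def split_command(cmd: str):
    """Split a command line into (program, arguments). Whitespace inside quotes
    is stripped because the forum inserted a space before closing quotes in the
    posted log ("...\\type32.exe "). For unquoted paths containing spaces, the
    shortest token prefix ending in an executable extension is the program."""
    cmd = cmd.strip()
    if not cmd or cmd == "?":
        return "", ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end].strip(), cmd[end + 1:].strip()
        cmd = cmd[1:]
    tokens = cmd.split()
    for i in range(1, len(tokens) + 1):
        if " ".join(tokens[:i]).lower().endswith(_EXE_EXT):
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    return tokens[0], " ".join(tokens[1:])

def parse_hjt_o4(log_text: str) -> List[AutorunEntry]:
    """Return every O4 line of a HijackThis log as an AutorunEntry."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _REG_RE.match(line)
        if m:
            location = f"{m['hive']}\\..\\{m['key']}"
        else:
            m = _FOLDER_RE.match(line)
            if not m:
                continue
            location = m["where"]
        exe, args = split_command(m["cmd"])
        entries.append(AutorunEntry(location, m["name"].strip(), m["cmd"].strip(), exe, args))
    return entries

def new_entries(baseline, current):
    """Entries of `current` whose (location, name) is absent from `baseline`;
    names are compared case-insensitively, as the registry does."""
    seen = {(e.location.lower(), e.name.lower()) for e in baseline}
    return [e for e in current if (e.location.lower(), e.name.lower()) not in seen]

def bare_name_entries(entries):
    """Entries that start a file by bare name: worth a second look in triage,
    since which file runs then depends on the PATH search order."""
    return [e for e in entries if e.exe and not e.has_directory]

# Copied from the first HijackThis log in this thread.
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
"""
# Constructed: the same log plus the iownce Run value from the later regsearch output.
LATER_LOG = BASELINE_LOG + r"O4 - HKLM\..\Run: [iownce] c:\windows\system32\iownce.exe -start" + "\n"

if __name__ == "__main__":
    base, later = parse_hjt_o4(BASELINE_LOG), parse_hjt_o4(LATER_LOG)
    for e in new_entries(base, later):
        print(f"NEW       {e.location} [{e.name}] -> {e.launched_path}")
    for e in bare_name_entries(later):
        print(f"BARE NAME {e.location} [{e.name}] -> {e.exe}")
```

Run against the two logs it reports the iownce value as the only new entry and flags Linksts.exe and nwiz.exe as bare names; entries hosted by rundll32 are judged by the DLL they load, so NvMediaCenter is not flagged.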
  2. 2005/02/19
    noahdfear

    Please download the List Installed Programs script from here, run it and post its log.
     

  4. 2005/02/20
    mixmavros

    Dave, thanx for your help, but I downloaded Microsoft AntiSpyware Beta and it removed the pop-ups! However, SpyWareDoctor still finds the other minor threats from the previous log, so here is the list of installed programs:
    INSTALLED SOFTWARE (104) - USER-BZXNF1P42P - 20/2/2005 11:16:36 πμ

    Ad-Aware SE Personal
    Adobe Acrobat 5.0 Ver: 5.0
    Adobe Photoshop 7.0 Ver: 7.0
    ArcSoft Panorama Maker 3.0
    Calculator Powertoy for Windows XP Ver: 1.00.0001 Installed: 12/1/2005
    ccCommon Ver: 103.0.2.10 Installed: 18/12/2004
    Chessmaster 8000
    Chicken Invaders 2 v2.40
    Colin McRae Rally 2
    Creative MediaSource
    Duke Nukem - Manhattan Project Ver: 1.0.0 Installed: 10/9/2004
    Duke Nukem - Manhattan Project Ver: 1.0.0 Installed: 10/9/2004
    DVD Decrypter (Remove Only)
    Easy CD & DVD Creator 6 Ver: 6.1.1.7 Installed: 10/9/2004
    Far Cry Ver: 1.00.0000 Installed: 18/11/2004
    Far Cry Ver: 1.00.0000 Installed: 18/11/2004
    FotoStation Easy
    Half-Life
    HexDump plug-in for Ad-Aware SE
    Hitman 2: Silent Assassin
    InCD (Ahead Software)
    Intel(R) PRO Network Adapters and Drivers
    Internet Worm Protection Ver: 11.0.2 Installed: 12/1/2005
    iownce
    Java 2 Runtime Environment, SE v1.4.2_06 Ver: 1.4.2_06 Installed: 12/12/2004
    L&H TTS3000 British English
    LiveReg (Symantec Corporation) Ver: 3.0.0
    LiveUpdate 2.6 (Symantec Corporation) Ver: 2.6.14.0
    Max Payne
    Messenger Plus! 3
    Microsoft AntiSpyware Ver: 1.0 Installed: 19/2/2005
    Microsoft Data Access Components KB870669
    Microsoft IntelliPoint 4.1 Ver: 4.10.0851 Installed: 10/9/2004
    Microsoft IntelliType Pro 2.2 Ver: 2.20.447.0 Installed: 10/9/2004
    Microsoft Midtown Madness 2
    Microsoft Office XP Professional with FrontPage Ver: 10.0.2627.01 Installed: 10/9/2004
    Mozilla Firefox (1.0) Ver: 1.0 (en-US)
    MSN Messenger 7.0 Ver: 7.0.0425 Installed: 23/1/2005
    MSRedist Ver: 1.0.0.0 Installed: 12/1/2005
    Nero 6
    NeroVision Express 2
    Nikon View 5
    Nokia Audio Manager
    Nokia CD Manager
    NOMAD MuVo TX
    Norton AntiVirus 2005 Ver: 11.0.2 Installed: 12/1/2005
    Norton AntiVirus Parent MSI Ver: 10.0.0 Installed: 12/1/2005
    Norton Ghost 9.0 Ver: 9.0.2 Installed: 26/1/2005
    Norton SystemWorks Ver: 1.0.0 Installed: 12/1/2005
    Norton SystemWorks 2005 Premier Ver: 8.02.6 Installed: 12/1/2005
    Norton SystemWorks 2005 Premier (Symantec Corporation) Ver: 8.00.99
    Norton Utilities Ver: 18.0.0 Installed: 12/1/2005
    Norton WMI Update Ver: 2005.1.0.111 Installed: 12/1/2005
    Norton WMI Update Ver: 2005.1.2.20 Installed: 7/11/2004
    NSW_DRM_COLLECTION Ver: 1.0.0 Installed: 12/1/2005
    NVIDIA Drivers
    POD-Bot 2.5
    PowerDVD
    QuickTime
    RealPlayer
    Registrar Lite 2.00
    Shockwave Flash
    SideWinder Force Feedback Wheel (USB)
    Sound Blaster Audigy 2
    SPBBC Ver: 1.00.0000 Installed: 18/12/2004
    Spybot - Search & Destroy 1.3 Ver: 1.3
    Spyware Doctor 3.1 Ver: 3.1
    SpywareBlaster v3.2 Ver: 3.2.0
    Steam
    Sygate Personal Firewall Ver: 5.5.2710 Installed: 26/1/2005
    Symantec Network Driver Update Ver: 5.3.2 Installed: 6/11/2004
    Symantec Network Drivers Update Ver: 5.4.4.17 Installed: 3/2/2005
    Symantec Script Blocking Installer Ver: 11.0.2 Installed: 12/1/2005
    SymNet Ver: 5.4.2.17 Installed: 18/12/2004
    The Bat! (Professional Edition) Ver: 3.0.1.33 Installed: 5/2/2005
    Timershot Powertoy for Windows XP Ver: 1.00.0001 Installed: 12/1/2005
    Tweak UI
    Tweak-SE plug-in for Ad-Aware SE
    Virtual Desktop Manager Powertoy for Windows XP Ver: 1.00.0001 Installed: 12/1/2005
    VX2 Cleaner plug-in for Ad-Aware SE
    WebFldrs XP Ver: 9.50.6513 Installed: 8/3/2004
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 2 Ver: 20040904.061641
    WinMX
    WinRAR archiver
    Worms World Party
    Άμεση επιδιόρθωση για Windows XP - KB834707 Ver: 20040929.110854
    Άμεση επιδιόρθωση για Windows XP - KB867282 Ver: 20050127.090417
    Άμεση επιδιόρθωση για Windows XP - KB873333 Ver: 20050114.005213
    Άμεση επιδιόρθωση για Windows XP - KB873339 Ver: 20041117.092459
    Άμεση επιδιόρθωση για Windows XP - KB885250 Ver: 20050118.202711
    Άμεση επιδιόρθωση για Windows XP - KB885626 Ver: 20040909.122822
    Άμεση επιδιόρθωση για Windows XP - KB885835 Ver: 20041027.181713
    Άμεση επιδιόρθωση για Windows XP - KB885836 Ver: 20041028.173203
    Άμεση επιδιόρθωση για Windows XP - KB885884 Ver: 20040924.025457
    Άμεση επιδιόρθωση για Windows XP - KB886185 Ver: 20041021.090540
    Άμεση επιδιόρθωση για Windows XP - KB887472 Ver: 20041014.162858
    Άμεση επιδιόρθωση για Windows XP - KB888113 Ver: 20041116.131036
    Άμεση επιδιόρθωση για Windows XP - KB888302 Ver: 20041207.111426
    Άμεση επιδιόρθωση για Windows XP - KB890047 Ver: 20041221.124506
    Άμεση επιδιόρθωση για Windows XP - KB890175 Ver: 20041201.233338
    Άμεση επιδιόρθωση για Windows XP - KB891781 Ver: 20050110.165439
    ΕΛΛΑΔΑ '99

    The last entries are the Windows XP updates.


    Oh, do you know what these are?
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

    Thanx again in advance.
     
  5. 2005/02/20
    noahdfear

    Search for iownce with RegSearch and post the log.

    Both of the entries you questioned are related to the Nvidia graphics card and are not required at startup. You can fix those entries with HJT.
     
  6. 2005/02/20
    mixmavros

    Here is the log by regsearch:
    REGEDIT4

    ; Registry Search by Bobbi Flekman
    ; Version: 1.0.1.0

    ; Results at 20/2/2005 8:02:59 μμ for strings:
    ; 'iownce'
    ; Strings excluded from search:
    ; (None)
    ; Search in:
    ; Registry Keys Registry Values Registry Data
    ; HKEY_LOCAL_MACHINE HKEY_USERS


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "iownce "= "c:\\windows\\system32\\iownce.exe -start "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iownce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iownce]
    "UninstallString "= "c:\\windows\\system32\\iownce.exe -uninstall "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iownce]
    "DisplayName "= "iownce "
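
The export above is in REGEDIT4 format: backslashes are doubled inside the quoted data, the same key header is repeated once per hit, and the forum inserted a space before each closing quote. The parser below is an added example, not regsearch's code and not from the thread: it reads such an export into a key/value map, pulls out every Run value, and lists each registry value that references a given file, which is the set of entries that has to be cleaned up together with the file itself. SAMPLE_EXPORT is the regsearch output posted above.

```python
"""Parse a REGEDIT4-style export (the format regsearch prints) into values.
Added example for this thread, not regsearch code and not from the posts.
SAMPLE_EXPORT is the regsearch output posted above; the forum inserted a
space before some closing quotes ("iownce "), which the parser strips."""
import re
from typing import Dict, List, Tuple

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_QUOTED_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<data>.*)"\s*$')
_OTHER_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')  # dword:, hex:, ...

def unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ") and strip the stray
    whitespace the forum added inside the quotes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out).strip()

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path to its {value name: data}. Header, ';' comments and
    blank lines are skipped; a key listed several times (regsearch prints it
    once per hit) is merged into a single entry."""
    reg: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT", "Windows Registry Editor")):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = reg.setdefault(key["key"], {})
            continue
        m = _QUOTED_RE.match(line) or _OTHER_RE.match(line)
        if m and current is not None:
            data = unescape(m["data"]) if m.re is _QUOTED_RE else m["data"].strip()
            current[m["name"].strip()] = data
    return reg

def autorun_values(reg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Values under any ...\\CurrentVersion\\Run key, as {name: command}."""
    found: Dict[str, str] = {}
    for key, values in reg.items():
        if key.lower().endswith("\\currentversion\\run"):
            found.update(values)
    return found

def references_to(reg: Dict[str, Dict[str, str]], path: str) -> List[Tuple[str, str]]:
    """(key, value name) pairs whose data mentions `path`, case-insensitively:
    the registry entries that have to go together with the file itself."""
    needle = path.lower()
    return [(key, name) for key, values in reg.items()
            for name, data in values.items() if needle in data.lower()]

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iownce"

# The regsearch output posted above, verbatim (forum spacing included).
SAMPLE_EXPORT = r"""REGEDIT4

; Registry Search by Bobbi Flekman
; Version: 1.0.1.0

; Results at 20/2/2005 8:02:59 μμ for strings:
; 'iownce'

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iownce "= "c:\\windows\\system32\\iownce.exe -start "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iownce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iownce]
"UninstallString "= "c:\\windows\\system32\\iownce.exe -uninstall "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iownce]
"DisplayName "= "iownce "
"""

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_EXPORT)
    for name, command in autorun_values(reg).items():
        print(f"autorun [{name}] -> {command}")
    for key, name in references_to(reg, r"c:\windows\system32\iownce.exe"):
        print(f"references the file: {key} \\ {name}")
```

On this export it yields one autorun (iownce, started with -start) and two values that point at the same file, the Run value and the UninstallString, which together with the file are exactly what the removal steps in the next post cover.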
     
  7. 2005/02/20
    noahdfear

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\iownce.exe

    Check the box to delete on reboot and click the red X to the right. Click OK, then NO to reboot now. Close the Killbox.



    Download and install Reglite. Open and copy/paste the following string in the address window then click go.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    The forum format puts a space in the word current that you will need to edit out before clicking Go.

    Right click the "iownce "= "c:\\windows\\system32\\iownce.exe -start" value in the right pane and delete. Then copy/paste the following.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iownce

    Right click the iownce key in the left pane and delete.

    Reboot.

    If you're comfortable with regedit, remove those entries found in the Spyware Doctor scan. You can also manually navigate to those keys with RegLite.
     
  8. 2005/02/20
    mixmavros

    Hi Dave, I just cannot find the entries you told me about. Here is what I see in Reglite:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\(default)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ccApp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CTDVDDet
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CTHelper
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CTSysVol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\gcasServ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\InCD
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\IntelliType
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ISDN Monitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MessengerPlus3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NeroFilterCheck
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Norton Ghost 9.0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NvCplDaemon
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NvMediaCenter
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\nwiz
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\POINTER
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RoxioAudioCentral
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RoxioDragToDisc
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RoxioEngineUtility
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SideWinderTrayV4
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SmcService
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Symantec NetDriver Monitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\TkBellExe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\UpdReg

    What can I do?
    Except for that, 5 minutes ago my PC spontaneously restarted and the Microsoft report told me about some badly installed drivers. I have to note that I have not installed new drivers in the last couple of days and, although sometimes the PC just freezes (and I have to unplug and re-plug it), it's the first time I saw this! Can you imagine what the problem might be?

    PS: I suspect that the voltage is not very stable... Is there any chance the problem was caused by this?

    Thanx again in advance, Mike

    Oh, and Norton detected Reglite and Regsearch as severe threats before I ran them.
     
  9. 2005/02/20
    mixmavros

    Wait, something is going on...
    I'll let you know.
     
  10. 2005/02/20
    mixmavros

    Hi Dave, it's OK, I removed iownce, but SpyWareDoctor still detects the older threats. What's wrong?

    Except for that, 5 minutes ago my PC spontaneously restarted and the Microsoft report told me about some badly installed drivers (this happened before I did any of what you told me to). I have to note that I have not installed new drivers in the last couple of days and, although sometimes the PC just freezes (and I have to unplug and re-plug it), it's the first time I saw this! Can you imagine what the problem might be?

    PS: I suspect that the voltage is not very stable... Is there any chance the problem was caused by this?

    Thanx again in advance, Mike
     
  11. 2005/02/20
    noahdfear

    Download RegSeeker and extract it to its own folder. Open it and click Find in registry. Copy and paste the following entries, one by one, into the dialog box. Check the boxes for HKEY_USERS and Match whole word (in addition to what is already checked), then click search.

    {FE1CB30A-6ED9-4C62-9A8A-7DE9FA234608}

    {43F02779-6D88-4958-8AD3-83C12D86ADC7}

    akamai.downloadv3.com

    BD8400524261DF1ADBD8860F22C9CE2B97471448

    {147A976E-EEE1-4377-8EA7-4716E4CDD239}

    FunWebProducts


    Verify that the Backup before deletion box in the lower left corner is checked and you should be safe selecting all and deleting (right click any entry after clicking select all) everything found. Reboot. Let us know if you encounter any problems.


    Right click My Computer and select Properties. Click the Hardware tab, then device manager. See any yellow exclamations next to anything?

    You should also clear your System Restore points. Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out. Then scan your PC with RAV. If any files are infected, click the report button then copy and paste it here. If all is clean, re-enable System Restore and create a manual restore point.
     
  12. 2005/02/21
    mixmavros

    Thanx a lot

    Really thanx Dave, the malware was removed... :)
    I ran SpyWareDoctor and for the first time it found nothing!!!
    However, I cannot scan the whole disk with RAV...

    Except for that, 5 minutes ago my PC spontaneously restarted and the Microsoft report told me about some badly installed drivers. I have to note that I have not installed new drivers in the last couple of days and, although sometimes the PC just freezes (and I have to unplug and re-plug it), it's the first time I saw this! Can you imagine what the problem might be?
    PS: I suspect that the voltage is not very stable... Is there any chance the problem was caused by this?

    That refers to yesterday... Can you imagine what might be wrong?

    Thanx again Dave for your precious help :)
    Mike
     
  13. 2005/02/21
    noahdfear

    Good to hear you came up clean. :)
    If so, you may need to update/reinstall some drivers. Let us know what you find.

    Why do you suspect a voltage problem?
     
  14. 2005/02/22
    mixmavros

    No exclamation marks, everything's OK!
    Except that XofSpy is detecting 3 threats, one of which is:
    "Troj/Agent-BN is a downloader Trojan for the Windows platform. Troj/Agent-BN connects to a preconfigured internet site and downloads code"
    at Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\search-soft.net


    I suspected a voltage problem because once, just after a blackout, when I turned on my PC it froze! But that might also have happened because of the spyware...
    However, after the removal of zipzap my PC has never frozen.
    Do you consider the trojan above a threat?
    Thanx again, and again and again, Mike
     
  15. 2005/02/22
    noahdfear

    Post a new HJT log with version 1.99.1 from here.
     
  16. 2005/02/23
    mixmavros

    Logfile of HijackThis v1.99.1
    Scan saved at 2:21:01 μμ, on 23/2/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\MICROS~2\GAMECO~1\common\swtrayv4.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\WINDOWS\system32\Linksts.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
    C:\Program Files\Nikon\NkView5\NkvMon.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\DOCUMENTS AND SETTINGS\USER\ΕΠΙΦΆΝΕΙΑ ΕΡΓΑΣΊΑΣ\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\common\swtrayv4.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F14122F1-5179-4E6F-8F21-4165C0ACC5AC}: NameServer = 194.30.220.114 194.30.220.117
    O20 - Winlogon Notify: rainit - C:\WINDOWS\SYSTEM32\LMIinit.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
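The log above is raw HijackThis output, and the helpers in this thread read it by section code (O2 browser helper objects, O4 Run values, O17 TCP/IP nameservers, O20 Winlogon Notify DLLs, O23 services). As an added example, not part of the thread or of HijackThis itself, the following Python script parses that format and pulls out the three things a reviewer usually checks first: O4 Run values that name an executable without a directory (such entries resolve through the path search rather than a fixed file), the O17 nameservers so they can be compared against the resolvers the ISP actually assigned, and any O20 Winlogon Notify DLLs, which load into winlogon.exe and so deserve a look. The sample lines are a constructed subset copied from the log above; the regular expressions and the `expected_dns` set are my assumptions, not anything HijackThis exposes.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{F14122F1-5179-4E6F-8F21-4165C0ACC5AC}: NameServer = 194.30.220.114 194.30.220.117
O20 - Winlogon Notify: rainit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
"""

# Assumed line shapes (not a published HijackThis grammar, just what the log shows).
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Entry:
    kind: str  # HijackThis section code, e.g. "O4"
    body: str  # everything after the "O4 - " prefix


def parse_log(text: str) -> list[Entry]:
    """Split a HijackThis log into (section code, body) entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def first_token(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def unqualified_run_entries(entries: list[Entry]) -> list[tuple[str, str]]:
    """O4 Run values whose executable has no directory, so Windows resolves it by path search."""
    found = []
    for e in entries:
        if e.kind != "O4":
            continue
        m = RUN_RE.match(e.body)
        if not m:
            continue  # Global Startup and other O4 shapes are not Run values
        exe = first_token(m["cmd"]).strip()
        if "\\" not in exe:
            found.append((m["name"], exe))
    return found


def nameservers(entries: list[Entry]) -> list[str]:
    """Every IPv4 address listed on O17 NameServer lines, in log order."""
    ips = []
    for e in entries:
        if e.kind == "O17" and "NameServer =" in e.body:
            ips.extend(IPV4_RE.findall(e.body.split("NameServer =", 1)[1]))
    return ips


def unexpected_nameservers(entries: list[Entry], expected_dns: set[str]) -> list[str]:
    """Nameservers that are not in the set the ISP or admin is known to use (an assumed allow-list)."""
    return [ip for ip in nameservers(entries) if ip not in expected_dns]


def winlogon_notify(entries: list[Entry]) -> list[tuple[str, str]]:
    """O20 Winlogon Notify packages: (subkey name, DLL path) loaded into winlogon.exe."""
    found = []
    for e in entries:
        if e.kind == "O20":
            m = NOTIFY_RE.match(e.body)
            if m:
                found.append((m["name"], m["path"]))
    return found


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    # Assumed resolvers: the two addresses in the log, as if confirmed with the ISP.
    known_dns = {"194.30.220.114", "194.30.220.117"}
    print("Run values without a full path:", unqualified_run_entries(ents))
    print("Nameservers not on the allow-list:", unexpected_nameservers(ents, known_dns))
    print("Winlogon Notify DLLs:", winlogon_notify(ents))
```

Nothing the script reports is a verdict; it only narrows the log to the entries worth confirming against the vendor's documentation or the file on disk, which is exactly the manual work the replies in this thread do by eye.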
  17. 2005/02/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download the attached RemoveDomains.zip and extract to its own folder. Close all IE windows, double click the RemoveDomains.reg and merge, then the ResetDomains.reg and merge. Let us know if XofSpy still detects a threat and where.
     
  18. 2005/02/24
    mixmavros

    mixmavros Inactive Thread Starter

    Joined:
    2005/02/19
    Messages:
    16
    Likes Received:
    0
    :confused:
    Where is the attached file???
    By the way, I don't use IE anymore, I prefer Firefox
     
  19. 2005/02/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Don't know why the attachment didn't stick. :confused: Trying again. If it wants to save as attachment.php, simply rename it to RemoveDomains.zip
     
  20. 2005/02/24
    mixmavros

    mixmavros Inactive Thread Starter

    Joined:
    2005/02/19
    Messages:
    16
    Likes Received:
    0
    Great! The "trojan" was removed!
    XoftSpy still detects
    interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc}
    interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff}
    as Aornum Registry KMalware.
    Did you create the removedomains? You don't have to do it again, I can try reglite etc...
    But... is it necessary to remove them? Since they don't harm me and a bunch of good antispywares don't detect them, are they really a threat? :confused:
    Thank you sooooooo much
    Mike :)
     
  21. 2005/02/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's good news! :) No, it's not necessary to remove, just a good idea to clean up the registry (and get rid of the annoying report from XoftSpy....lol). I'd suggest running RegSeeker in the clean registry mode and remove everything it finds, making sure the backup box is checked. Re-run again and again till you get a clean scan. Reboot and scan again. Then, if those entries are still found by XoftSpy, remove them with the find in registry function.

    Yes, I wrote the reg files.

    Happy to help. ;)

    Also recommend you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Still in Spybot, click tools in the left pane, then resident and check the box for SD Helper. Then click IE tweaks and at least lock the HOSTS file. Then download and install IESpyads.

    That will give you an added layer of protection against unwanted parasites.
     