
ZipZap/Instant Access - Please help :)

Discussion in 'Malware and Virus Removal Archive' started by spritesuzi, 2005/03/06.

Thread Status:
Not open for further replies.
  1. 2005/03/06
    spritesuzi

    spritesuzi Inactive Thread Starter

    Joined:
    2005/03/06
    Messages:
    4
    Likes Received:
    0
    Hi, all. I've been through the related threads and tried to figure this out, but so far, it's beating me. I get assorted ZipZapPromos every few minutes while online. I work through the Spybot/Ad-Aware process and it looks like I've finally gotten rid of it (nothing in the last half hour!), and as soon as I reboot, it's back! :mad: I've run SB/AA at least 5-6 times today, even crossed my fingers and fixed two files I saw in HJT that someone else had been told to remove...

    I'm using:
    McAfee Virus Scan v4.5.1, virus def 4.0.4440 (3/4/05 update - most recent available.)
    Spybot S&D 1.3 was downloaded just yesterday, and upgraded again today.
    Ad-Aware SE Personal build 1.05 was downloaded and updated today.
    HiJackThis v1.99.1

    I've already downloaded Installed Programs & Killbox; just not sure what to do next to get rid of this thing!

    From Installed Programs:
    INSTALLED SOFTWARE (69) - SUZI - 3/6/2005 4:27:15 PM

    AceHTML 5 Freeware
    Ad-Aware SE Personal
    Adobe Acrobat 5.0 Ver: 5.0
    Adobe Download Manager 1.2 (Remove Only)
    Adobe PhotoDeluxe 2.0
    ArcSoft PhotoBase 3
    ArcSoft PhotoStudio 5
    Canon CanoScan Toolbox 4.0
    CanoScan LiDE20,30 Manual
    Free Solitaire
    Free Weather Program
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1 Ver: 1.99.1
    HTML Executable Viewer 1.1.0
    Instant Access
    Intel(R) PRO Network Adapters and Drivers
    Intel® Create & Share® Software
    InterActual Player
    McAfee VirusScan Ver: 4.5.1 Installed: 5/22/2004
    Microsoft Data Access Components KB870669
    Microsoft MapPoint North America 2004 Ver: 11.00.18.1900 Installed: 12/30/2004
    Microsoft Office 2000 SR-1 Standard Ver: 9.00.3821 Installed: 12/21/2002
    mneoct
    MSP3880-U 56K PCI Modem
    Need For Speed III
    Netscape (7.02)
    Nolo's Encyclopedia of Everyday Law
    NVIDIA Display Driver
    OLYMPUS CAMEDIA Master 4.0
    OmniPage SE Ver: 11.00.0001 Installed: 2/28/2003
    PC-Linq
    PKZIP Reader Ver: 5.30.0005 Installed: 4/17/2004
    Quicken Basic 99
    Quicken WillMaker Plus 2004
    QuickTime
    SafeCast Shared Components
    SBC Yahoo! Dial Utilities
    Shockwave
    Shockwave Flash
    SmartDraw 7 Trial Edition Ver: 7.00
    Spybot - Search & Destroy 1.3 Ver: 1.3
    TurboTax Deluxe 2003
    USB Internet Keyboard
    Viewpoint Media Player (Remove Only)
    WebFldrs XP Ver: 9.50.5318 Installed: 4/13/2002
    WexTech AnswerWorks Ver: 1.00.000
    Windows XP Hotfix - KB834707 Ver: 20040929.110854
    Windows XP Hotfix - KB867282 Ver: 20050127.090417
    Windows XP Hotfix - KB873333 Ver: 20050114.005213
    Windows XP Hotfix - KB873339 Ver: 20041117.092459
    Windows XP Hotfix - KB885250 Ver: 20050118.202711
    Windows XP Hotfix - KB885835 Ver: 20041027.181713
    Windows XP Hotfix - KB885836 Ver: 20041028.173203
    Windows XP Hotfix - KB886185 Ver: 20041021.090540
    Windows XP Hotfix - KB887472 Ver: 20041014.162858
    Windows XP Hotfix - KB887742 Ver: 20041103.095002
    Windows XP Hotfix - KB888113 Ver: 20041116.131036
    Windows XP Hotfix - KB888302 Ver: 20041207.111426
    Windows XP Hotfix - KB890047 Ver: 20041221.124506
    Windows XP Hotfix - KB890175 Ver: 20041201.233338
    Windows XP Hotfix - KB891781 Ver: 20050110.165439
    Windows XP Service Pack 2 Ver: 20040803.231319
    Yahoo! Companion
    Yahoo! Internet Mail
    Yahoo! Login
    Yahoo! Messenger
    Yahoo! Messenger Explorer Bar
    Yahoo! Parental Controls
    Yahoo! Photos Easy Upload Tool 1v4

    From HiJack This:
    Logfile of HijackThis v1.99.1
    Scan saved at 4:13:48 PM, on 3/6/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\WINDOWS\Explorer.EXE
    G:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    G:\WINDOWS\System32\drivers\CDAC11BA.EXE
    G:\WINDOWS\System32\nvsvc32.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\fxssvc.exe
    G:\Program Files\Network Associates\VirusScan\VsStat.exe
    G:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    G:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    G:\WINDOWS\System32\USB_Kbd\Versato.exe
    G:\WINDOWS\system32\RUNDLL32.EXE
    G:\Program Files\Messenger\msmsgs.exe
    G:\QUICKENW\QWDLLS.EXE
    G:\Documents and Settings\Suzi Zylla\Application Data\Map Maker\MMManager.exe
    G:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    G:\Program Files\Network Associates\VirusScan\Webscanx.exe
    G:\Program Files\Network Associates\VirusScan\Avconsol.exe
    G:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Documents and Settings\Suzi Zylla\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alltheinternet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alltheinternet.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alltheinternet.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alltheinternet.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f410.mail.yahoo.com/ym/login?.rand=7rjidql68j941
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alltheinternet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alltheinternet.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alltheinternet.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheinternet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alltheinternet.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.alltheinternet.com
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.alltheinternet.com/"); (G:\Documents and Settings\Suzi Zylla\Application Data\Mozilla\Profiles\default\6og2phbe.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://G%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (G:\Documents and Settings\Suzi Zylla\Application Data\Mozilla\Profiles\default\6og2phbe.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - G:\Program Files\Yahoo!\Common\ycheckh.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Omnipage] G:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [Versato] G:\WINDOWS\System32\USB_Kbd\Versato.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
    O4 - Startup: SunClock5.lnk = G:\Documents and Settings\Suzi Zylla\Application Data\Map Maker\MMManager.exe
    O4 - Global Startup: Billminder.lnk = G:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Startup.lnk = G:\QUICKENW\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://g:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://g:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://g:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://g:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://g:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - G:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - G:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - G:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - G:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mp3: G:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: G:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7EC91F55-8559-4510-B242-1CF81A5179D2}: NameServer = 209.244.0.3 209.244.0.4
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - G:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - G:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: McShield - Unknown owner - G:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe

    Any help would be GREATLY appreciated!
    Suzi
     
    Last edited: 2005/03/06
  2. 2005/03/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS spritesuzi :)

    Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    Start it and paste in mneoct, wait, hit OK. Then when WordPad opens, copy that back here please.
     


  4. 2005/03/06
    spritesuzi

    spritesuzi Inactive Thread Starter

    Joined:
    2005/03/06
    Messages:
    4
    Likes Received:
    0
    as requested...thanks, Dave.

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "mneoct" 3/6/2005 9:25:16 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mneoct"="g:\\windows\\system32\\mneoct.exe -start"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mneoct]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mneoct]
    "UninstallString"="g:\\windows\\system32\\mneoct.exe -uninstall"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mneoct]
    "DisplayName"="mneoct"
     
  5. 2005/03/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Save this to text where you can access it in safe mode.

    Check for updates to Ad-aware.

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\mneoct.exe

    Check the box to delete on reboot and click the red X to the right. Click OK, then NO to reboot now. Copy the next filepath and paste it in the box, and repeat the above steps. When all of the below filepaths are done, close the Killbox.

    C:\WINDOWS\Downlo~1\EGDACCESS.inf
    C:\WINDOWS\system32\EGDACCESS_1057.dll



    Download and install Reglite.


    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alltheinternet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alltheinternet.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alltheinternet.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alltheinternet.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alltheinternet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alltheinternet.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alltheinternet.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheinternet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alltheinternet.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.alltheinternet.com
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.alltheinternet.com/"); (G:\Documents and Settings\Suzi Zylla\Application Data\Mozilla\Profiles\default\6og2phbe.slt\prefs.js)
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars...erxsigned33.cab



    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.


    Open RegLite and copy/paste the following string in the address window then click go.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    The forum format puts a space in the word current that you will need to edit out before clicking Go.

    Right click the "mneoct"="c:\\windows\\system32\\mneoct.exe -start" value in the right pane and delete. Then copy/paste the following.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mneoct

    Right click the mneoct key in the left pane and delete.

    Then paste,

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access

    click go and delete the Instant Access key in the left pane.

    Exit Reglite.


    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.

    Open Ad-aware and run in full scan mode. Delete all it finds.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log. Let us know if the popups stop.
     
  6. 2005/03/07
    spritesuzi

    spritesuzi Inactive Thread Starter

    Joined:
    2005/03/06
    Messages:
    4
    Likes Received:
    0
    Hi, Dave!

    RAV found no viruses, just two suspicious files:
    Scan started at 3/7/2005 7:46:57 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    G:\Documents and Settings\Suzi Zylla\Desktop\sunzip.exe->(ZipSfx)->SunClock5.txt - IRC/Generic* -> Suspicious
    G:\Program Files\Map Maker\SunClock5\SunClock5.txt - IRC/Generic* -> Suspicious

    Scanned
    ============================
    Objects: 48845
    Directories: 4399
    Archives: 5565
    Size(Kb): 1607218
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 2
    Disinfected files: 0
    Mail files: 64

    SunClock is a cool little app that shows you daylight/nighttime hours across the planet...but I'll kill it if you think it needs to go!

    Final HJT:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:21:31 PM, on 3/7/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\System32\drivers\CDAC11BA.EXE
    G:\WINDOWS\System32\nvsvc32.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\fxssvc.exe
    G:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    G:\WINDOWS\System32\USB_Kbd\Versato.exe
    G:\WINDOWS\system32\RUNDLL32.EXE
    G:\Program Files\Messenger\msmsgs.exe
    G:\QUICKENW\QWDLLS.EXE
    G:\Documents and Settings\Suzi Zylla\Application Data\Map Maker\MMManager.exe
    G:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    G:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    G:\Program Files\Network Associates\VirusScan\VsStat.exe
    G:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    G:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    G:\Program Files\Network Associates\VirusScan\Webscanx.exe
    G:\Program Files\Network Associates\VirusScan\Avconsol.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\WINDOWS\system32\notepad.exe
    G:\Documents and Settings\Suzi Zylla\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f410.mail.yahoo.com/ym/login?.rand=7rjidql68j941
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (G:\Documents and Settings\Suzi Zylla\Application Data\Mozilla\Profiles\default\6og2phbe.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (G:\Documents and Settings\Suzi Zylla\Application Data\Mozilla\Profiles\default\6og2phbe.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - G:\Program Files\Yahoo!\Common\ycheckh.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Omnipage] G:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [Versato] G:\WINDOWS\System32\USB_Kbd\Versato.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: SunClock5.lnk = G:\Documents and Settings\Suzi Zylla\Application Data\Map Maker\MMManager.exe
    O4 - Global Startup: Billminder.lnk = G:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Startup.lnk = G:\QUICKENW\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://g:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://g:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://g:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://g:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://g:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - G:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - G:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - G:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - G:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mp3: G:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: G:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7EC91F55-8559-4510-B242-1CF81A5179D2}: NameServer = 209.244.0.3 209.244.0.4
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - G:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - G:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: McShield - Unknown owner - G:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe

    No popups since restarting...THANK YOU!!! Hoping that doesn't change - I'll let you know.

    I really appreciate you taking time to help those of us out here in the woods... lost among the trees of confusion :)

    Suzi
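    As an added example, not code from the thread or from HijackThis: a small Python triage script that applies the checks the helper made by eye on the two logs above (R0/R1/N3 browser settings pointing at a host the owner never chose, an O4 Run entry that loads a DLL through rundll32 by bare name so it is resolved via the DLL search path, and O16 downloaded controls), then diffs a before/after log to confirm the cleanup. The log lines and the trusted-host list are constructed for the example.

```python
"""Triage a HijackThis (HJT) v1.99 log for the browser-hijack pattern in this thread.

Added example, not part of the forum thread or of HijackThis itself.
The log lines below are constructed to mirror the entries the helper picked out.
"""
import re
from urllib.parse import urlparse

# Constructed "before" sample in the HJT log format (header and process list omitted).
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alltheinternet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f410.mail.yahoo.com/ym/login?.rand=7rjidql68j941
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.alltheinternet.com/"); (G:\Documents and Settings\user\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
O23 - Service: McShield - Unknown owner - G:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
"""

# Constructed "after cleanup" sample: hijack entries gone, the RAV online scanner's control added.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f410.mail.yahoo.com/ym/login?.rand=7rjidql68j941
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (G:\Documents and Settings\user\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: McShield - Unknown owner - G:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
"""

# Hosts the machine's owner deliberately uses (assumed list); any other host in a browser setting is suspect.
TRUSTED_HOSTS = {"yahoo.com", "netscape.com", "google.com", "ravantivirus.com"}

HJT_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O4 - HKCU\..\Run: ..."
URL_RE = re.compile(r"https?://[^\s\"');]+")              # URLs inside an entry body
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^\s,]+)", re.IGNORECASE)  # DLL argument of rundll32


def parse_log(text):
    """Return (section, body) tuples for the entry lines; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def untrusted_hosts(body, trusted):
    """Hostnames in the entry that are neither a trusted host nor a subdomain of one."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and not any(host == t or host.endswith("." + t) for t in trusted):
            hosts.add(host)
    return hosts


def triage(text, trusted=TRUSTED_HOSTS):
    """Flag the three entry types this thread's cleanup targeted, in log order."""
    findings = []
    for sec, body in parse_log(text):
        if sec in ("R0", "R1", "N3"):
            bad = untrusted_hosts(body, trusted)
            if bad:
                findings.append((sec, "browser setting points at " + ", ".join(sorted(bad))))
        elif sec == "O4":
            m = RUNDLL_RE.search(body)
            # A DLL given without a directory is located through the DLL search path,
            # which is how a dropped file in System32 gets loaded at every logon.
            if m and "\\" not in m.group(1):
                findings.append((sec, "rundll32 loads %s by bare name" % m.group(1)))
        elif sec == "O16":
            bad = untrusted_hosts(body, trusted)
            if bad:
                findings.append((sec, "downloaded ActiveX control from " + ", ".join(sorted(bad))))
    return findings


def diff_logs(before, after):
    """(removed, added) entries between two logs, to verify a cleanup actually took."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for sec, note in triage(BEFORE_LOG):
        print(sec, note)
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(len(removed), "entries removed,", len(added), "entries added")
```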
     
  7. 2005/03/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. :) Re-enable System Restore and create a manual restore point. Also recommend you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click tools button, then IE tweaks and at least lock the HOSTS file.
    Then download IESpyad, double click to extract, open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    That will give you some added layers of protection against unwanted parasites.

    That sunclock file looks harmless, but would you send me a copy of it here please?

    Happy to help. :)
     
  8. 2005/03/08
    spritesuzi

    spritesuzi Inactive Thread Starter

    Joined:
    2005/03/06
    Messages:
    4
    Likes Received:
    0
     
  9. 2005/03/08
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello spritesuzi,

    SR now enabled. Silly question: How do I create a manual restore point? I don't see that in SR...
    When you re-enabled SR, the system should have created an initial restore point.

    To check, Start > all Programs > Accessories > system tools > system Restore > in the Welcome to ... front page > "restore my computer to an earlier time" > next.

    You'll see a calendar, the bold dates are dates on which the system creates a restore point. Then cancel or back.

    If no restore point - no bold date, to create a manual point > tick "create a restore point". Give it a description.

    For info on System Restore > Help and Support in the Control Panel > type in System Restore.

    Regards - Charles
     
  10. 2005/03/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sunclock appears to be safe enough, and I agree, a cool little app. ;)

    First I've heard of a slowdown due to using those protections. Undo them, then redo one at a time to see if you can track down the culprit. The IESpyad folder has a file named ie-ads-uninst.reg, which when merged into the registry, will remove the entries placed there, which are sites added to the Restricted Sites Zone of Internet Explorer.

    Let us know what you find out, please.
     