• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
greekguy

PC running slow...makin' me angry

17 posts in this topic

My computer has been running slow for about a week...i run adaware and it says it's clean...i run spybot and get rid of the little stragglers i pick up though out the day...i run AVG and it says i have trojans but after the scan it automatically says cant heal or something or other and i end up not being able to do anything about it through AVG...i downloaded Hijackthis and have a logfile which i will post in hopes someone can help...thanks in advance. Just a question...should i completely do away with internet explorer and use Netscape or something else? and i know about the system restore thing but i dont know quite how the timing works...when do i do it?

 

Logfile of HijackThis v1.98.0

Scan saved at 9:36:48 PM, on 7/4/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\Documents and Settings\Frank\Desktop\hijackthis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)

O1 - Hosts: comments (such as these) may be inserted on individual

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Microsoft Broadband Networking.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://odinvn.ud-dial.biz/1/dexUK627.exe

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/awaymsg.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

Share this post


Link to post
Share on other sites

also, whenever i use IE as my browser and click on it to ge tto my homepage (google) another popup comes up, im sure this is part of the spyware but i just thought id be thorough in explaining whats wrong. Nothing else is wrong per se, except that the PC has gotten alot slower. Everything works but it takes 5 times longer to load stuff.

Share this post


Link to post
Share on other sites

Hi...i know i shouldn't be all asshole-y and complain. But i've noticed people who have just posted problems and have gotten answers within minutes or hours. Again, i'm not trying to be a dick, i'm just telling it how i see it. i hope no one gets angry with me. Only calling it like i see it.

Share this post


Link to post
Share on other sites

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

 

O1 - Hosts: comments (such as these) may be inserted on individual

 

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

 

O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

 

O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://odinvn.ud-dial.biz/1/dexUK627.exe

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/awaymsg.cab

Reboot and delete

 

files

C:\WINDOWS\ARUpdate.exe

 

 

These may be hidden files. See HERE for how to show hidden files.

 

Your log shows that MSConfig is running at startup. This indicates that you may be using "diagnostic startup" rather than "normal startup", to stop something running. While this is OK, when looking for malware, it is possible that you have disabled it, and it will not then show up in the Hijack this log. Before posting a fresh log, would you please open MSConfig, and choose the "normal startup" option. Then everything will be running, and if anything needs removal, we can give appropriate advice.

 

Please post a followup Hijack this log, and say if your problems persist.

Share this post


Link to post
Share on other sites

checked and fixed...when i rebooted and looked for c:\windows\arupdate.exe i couldnt find it but before before that, right when windows came one AdAware caught something called arupdate and asked me if i wanted to accept or block; i blocked it cause i thought it was bad. It's still a tad slower than it should be but here is the new log:

 

Logfile of HijackThis v1.98.0

Scan saved at 4:47:24 PM, on 7/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe

C:\HJT\hijackthis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - Global Startup: Microsoft Broadband Networking.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

 

BTW, thnx for your help

Share this post


Link to post
Share on other sites

I decided to run TrojanHunter just in case and it said:

 

Found trojan file: C:\Documents and Settings\Frank\Local Settings\Temp\THI38F7.tmp\twaintec.dll (Bispy.100)

Found trojan file: C:\Documents and Settings\Frank\Local Settings\Temp\THIBD0.tmp\twaintec.dll (Bispy.100)

Found trojan file: C:\Documents and Settings\Frank\Local Settings\Temp\THID37.tmp\twaintec.dll (Bispy.100)

Found trojan file: C:\Program Files\STC\April0604_loader.exe (Adware.SecondThought.102)

Found trojan file: C:\WINDOWS\2_0_1browserhelper2.dll (Adware.Bhx.100)

Found trojan file: C:\WINDOWS\fash.exe (Frks.100)

Found trojan file: C:\WINDOWS\LastGood\twaintec.dll (Bispy.100)

Found possible trojan file: C:\WINDOWS\system32\stcloader.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)

Found trojan file: C:\WINDOWS\twaintec.dll (Bispy.100)

Warning: Unable to unpack UPX-packed file E:\AdbeRdr60_enu_full.exe (Add to ignore list)

8 trojan files found

1 possible trojan files found

 

 

At the end it asked me if I want to fix the "problems", so i did. Do you know if this actually healed everything?...in my previous post i have the logfile of HJT after i fixed the things u told me to fix....is everything all right?

Share this post


Link to post
Share on other sites

Well the Adroar update is still in your log

O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

Fix this entry, reboot, and delete the file C:\WINDOWS\ARUpdate.exe

 

This entry shows that Msconfig is running

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Please reboot into "normal" mode, before posting your next Hijack this log, as then all processes and startups will be running.

Share this post


Link to post
Share on other sites

I checked the box and fixed it for the AdRoar thing but i still see it in my log"

 

Logfile of HijackThis v1.98.0

Scan saved at 6:23:37 PM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe

C:\HJT\hijackthis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

O4 - Global Startup: Microsoft Broadband Networking.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

 

 

 

What the heck is going on? lol...i changed it to "Normal Startup"....also right when the desktop comes up AdAware pops up and says that AdRoar is on the comp and if i wanna Accept or Block. I chose block again, so i went to the Windows folder and found a file called AdRoar.dll.....but u told me to delete ARUpdate.exe so i didnt delete it unless u tell me to. there is no arupdate.exe.

Share this post


Link to post
Share on other sites

Ok. Try it this way.

Reboot into safe mode. (tap F8 repeatedly as the computer boots.)

Run Hijack this again, and fix the Adroar entry.

Then, without rebooting, search for and delete any adroar.exe, or adroar.dll files you can find, and also the ARUpdate.exe file.

Share this post


Link to post
Share on other sites

i dont know what to tell you bud...i did exactly what u said. There was no ARUpdate.exe file anywhere but i deleted the AdRoar.dll file. It's not here but yet the piece of crap is still in the logfile. Right after i clicked fix on HJT i clicked scan again just to make sure: it wasnt there. But when i logged back in wothout safe mode it showed up again. and AdAware keeps popping this up right when i log back in to Windows:

 

an attempt to alter a proj(t?)ected object has been discovered

ROOT: HKEY_LOCAL_MACHINE

KEY: SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

VALUE: ADRoarUpdate !!!!!!

 

LOL...and here is the logfile for HJT when i signed back on without safe mode:Logfile of HijackThis v1.98.0

Scan saved at 8:38:25 PM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe

C:\HJT\hijackthis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

O4 - Global Startup: Microsoft Broadband Networking.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

 

obviously its still in there so im completely baffled

Share this post


Link to post
Share on other sites

Please download http://broadbandmedic.com/download/ unzip it and run it.

 

Paste this into the box.

C:\WINDOWS\ARUpdate.exe

Then from the "action" button, choose "delete on reboot".

 

Reboot, and see if it's gone.

Share this post


Link to post
Share on other sites

did what u said....when i click Action and the menu scrolls down i choose delete on reboot, then a new window opens but its empty...then i try clicking "kill file" but it says file doesnt exist....but i run HJT and its still there....lol...

Share this post


Link to post
Share on other sites

Well, well. The file must be gone, but ther is still a registry entry.

 

Try this.

Open Regedit, (start>run, and type regedit in the box)

 

Click on edit>find, and enter adroar in the box.

If/When something is found, right click on it, and choose "export".

Save it as a reg file. Then delete the key. Then go to edit> find, and find next. Repeat until all keys have been exported, and deleted.

Reboot. Ensure that everything is working OK, and run Hijack this again. If the Adroar entry is still there, I do not know what's causing it!

Share this post


Link to post
Share on other sites

regedit search found these:

 

when searching for adroar:

Name: (Default) Type: REG_SZ Data: Value not set

AddUrl REG_SZ http://ar.avres.net/5/req

ConfigName REG_SZ mm2

dcount REG_DWORD 0x00000170(368)

ID REG_SZ ED6081B446FF48ECAF6F49163F400E55

InstallationUpdate REG_SZ 040614

Update REG_SZ 38156

These were all under a folder : HKEY_CURRENT_USER/Software/AdroarPlugin

 

When searching for ARupdate:

 

Name: 000 Type: REG_SZ Data: ARupdate

 

this was in : HKEY_CURRENT_USER/Software/Microsoft/Search Assisant/ACMru/5603

 

do i delete all of these?

Share this post


Link to post
Share on other sites

As I originally posted, first EXPORT the key as a registry file. Then delete it.

That way, if a mistake is made, the files can be imported.

 

Both of the keys

 

HKEY_CURRENT_USER/Software/AdroarPlugin

and

HKEY_CURRENT_USER/Software/Microsoft/Search Assisant/ACMru/5603

should go.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0