
PC running slow...makin' me angry



#1 greekguy (Full Member, 11 posts)

Posted 04 July 2004 - 08:44 PM

My computer has been running slow for about a week...I run Ad-Aware and it says it's clean...I run Spybot and get rid of the little stragglers I pick up throughout the day...I run AVG and it says I have trojans but after the scan it automatically says can't heal or something or other and I end up not being able to do anything about it through AVG...I downloaded HijackThis and have a logfile which I will post in hopes someone can help...thanks in advance. Just a question...should I completely do away with Internet Explorer and use Netscape or something else? And I know about the System Restore thing but I don't know quite how the timing works...when do I do it?

Logfile of HijackThis v1.98.0
Scan saved at 9:36:48 PM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Frank\Desktop\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictive...ab/Ud3rT0n5.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://odinvn.ud-dia.../1/dexUK627.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...abs/awaymsg.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

#2 greekguy (Full Member, 11 posts)

Posted 05 July 2004 - 01:11 PM

Also, whenever I use IE as my browser and click on it to get to my homepage (Google) another popup comes up. I'm sure this is part of the spyware but I just thought I'd be thorough in explaining what's wrong. Nothing else is wrong per se, except that the PC has gotten a lot slower. Everything works but it takes 5 times longer to load stuff.

#3 greekguy (Full Member, 11 posts)

Posted 05 July 2004 - 02:50 PM

Hi...I know I shouldn't be all asshole-y and complain. But I've noticed people who have just posted problems and have gotten answers within minutes or hours. Again, I'm not trying to be a dick, I'm just telling it how I see it. I hope no one gets angry with me. Only calling it like I see it.

#4 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 05 July 2004 - 03:17 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O1 - Hosts: comments (such as these) may be inserted on individual

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://odinvn.ud-dia.../1/dexUK627.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...abs/awaymsg.cab

Reboot and delete this file:

C:\WINDOWS\ARUpdate.exe


These may be hidden files. See HERE for how to show hidden files.

Your log shows that MSConfig is running at startup. This indicates that you may be using "diagnostic startup" rather than "normal startup", to stop something running. While this is OK, when looking for malware, it is possible that you have disabled it, and it will not then show up in the Hijack this log. Before posting a fresh log, would you please open MSConfig, and choose the "normal startup" option. Then everything will be running, and if anything needs removal, we can give appropriate advice.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#5 greekguy (Full Member, 11 posts)

Posted 05 July 2004 - 03:50 PM

Checked and fixed...when I rebooted and looked for c:\windows\arupdate.exe I couldn't find it, but before that, right when Windows came on, Ad-Aware caught something called arupdate and asked me if I wanted to accept or block; I blocked it cause I thought it was bad. It's still a tad slower than it should be but here is the new log:

Logfile of HijackThis v1.98.0
Scan saved at 4:47:24 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictive...ab/Ud3rT0n5.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

BTW, thnx for your help

#6 greekguy (Full Member, 11 posts)

Posted 05 July 2004 - 07:14 PM

I decided to run TrojanHunter just in case and it said:

Found trojan file: C:\Documents and Settings\Frank\Local Settings\Temp\THI38F7.tmp\twaintec.dll (Bispy.100)
Found trojan file: C:\Documents and Settings\Frank\Local Settings\Temp\THIBD0.tmp\twaintec.dll (Bispy.100)
Found trojan file: C:\Documents and Settings\Frank\Local Settings\Temp\THID37.tmp\twaintec.dll (Bispy.100)
Found trojan file: C:\Program Files\STC\April0604_loader.exe (Adware.SecondThought.102)
Found trojan file: C:\WINDOWS\2_0_1browserhelper2.dll (Adware.Bhx.100)
Found trojan file: C:\WINDOWS\fash.exe (Frks.100)
Found trojan file: C:\WINDOWS\LastGood\twaintec.dll (Bispy.100)
Found possible trojan file: C:\WINDOWS\system32\stcloader.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found trojan file: C:\WINDOWS\twaintec.dll (Bispy.100)
Warning: Unable to unpack UPX-packed file E:\AdbeRdr60_enu_full.exe (Add to ignore list)
8 trojan files found
1 possible trojan files found


At the end it asked me if I want to fix the "problems", so I did. Do you know if this actually healed everything?...in my previous post I have the logfile of HJT after I fixed the things u told me to fix....is everything all right?

#7 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 06 July 2004 - 01:48 PM

Well, the AdRoar update is still in your log:

O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

Fix this entry, reboot, and delete the file C:\WINDOWS\ARUpdate.exe

This entry shows that MSConfig is running:

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Please reboot into "normal" mode, before posting your next Hijack this log, as then all processes and startups will be running.

#8 greekguy (Full Member, 11 posts)

Posted 06 July 2004 - 05:32 PM

I checked the box and fixed it for the AdRoar thing but I still see it in my log:

Logfile of HijackThis v1.98.0
Scan saved at 6:23:37 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictive...ab/Ud3rT0n5.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab



What the heck is going on? lol...I changed it to "Normal Startup"....also right when the desktop comes up Ad-Aware pops up and says that AdRoar is on the comp and if I wanna Accept or Block. I chose block again, so I went to the Windows folder and found a file called AdRoar.dll.....but u told me to delete ARUpdate.exe so I didn't delete it unless u tell me to. There is no arupdate.exe.

#9 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 06 July 2004 - 05:36 PM

Ok. Try it this way.
Reboot into safe mode. (tap F8 repeatedly as the computer boots.)
Run Hijack this again, and fix the Adroar entry.
Then, without rebooting, search for and delete any adroar.exe, or adroar.dll files you can find, and also the ARUpdate.exe file.

#10 greekguy (Full Member, 11 posts)

Posted 06 July 2004 - 07:45 PM

I don't know what to tell you bud...I did exactly what u said. There was no ARUpdate.exe file anywhere but I deleted the AdRoar.dll file. It's not here but yet the piece of crap is still in the logfile. Right after I clicked fix on HJT I clicked scan again just to make sure: it wasn't there. But when I logged back in without safe mode it showed up again. And Ad-Aware keeps popping this up right when I log back in to Windows:

an attempt to alter a proj(t?)ected object has been discovered
ROOT: HKEY_LOCAL_MACHINE
KEY: SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
VALUE: ADRoarUpdate !!!!!!

LOL...and here is the logfile for HJT when I signed back on without safe mode:

Logfile of HijackThis v1.98.0
Scan saved at 8:38:25 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Frank\Application Data\Mozilla\Profiles\default\vhbd2nrh.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictive...ab/Ud3rT0n5.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

Obviously it's still in there, so I'm completely baffled.

#11 greekguy (Full Member, 11 posts)

Posted 07 July 2004 - 02:47 PM

Any ideas anyone?

#12 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 07 July 2004 - 03:17 PM

Please download http://broadbandmedic.com/download/ unzip it and run it.

Paste this into the box.

C:\WINDOWS\ARUpdate.exe

Then from the "action" button, choose "delete on reboot".

Reboot, and see if it's gone.

#13 greekguy (Full Member, 11 posts)

Posted 07 July 2004 - 09:21 PM

Did what u said....when I click Action and the menu scrolls down I choose delete on reboot, then a new window opens but it's empty...then I try clicking "kill file" but it says file doesn't exist....but I run HJT and it's still there....lol...

#14 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 08 July 2004 - 01:51 PM

Well, well. The file must be gone, but there is still a registry entry.

Try this.
Open Regedit, (start>run, and type regedit in the box)

Click on edit>find, and enter adroar in the box.
If/When something is found, right click on it, and choose "export".
Save it as a reg file. Then delete the key. Then go to edit> find, and find next. Repeat until all keys have been exported, and deleted.
Reboot. Ensure that everything is working OK, and run Hijack this again. If the Adroar entry is still there, I do not know what's causing it!

#15 greekguy (Full Member, 11 posts)

Posted 08 July 2004 - 07:31 PM

Regedit search found these:

when searching for adroar:
Name: (Default) Type: REG_SZ Data: Value not set
AddUrl REG_SZ http://ar.avres.net/5/req
ConfigName REG_SZ mm2
dcount REG_DWORD 0x00000170(368)
ID REG_SZ ED6081B446FF48ECAF6F49163F400E55
InstallationUpdate REG_SZ 040614
Update REG_SZ 38156
These were all under a folder : HKEY_CURRENT_USER/Software/AdroarPlugin

When searching for ARupdate:

Name: 000 Type: REG_SZ Data: ARupdate

this was in : HKEY_CURRENT_USER/Software/Microsoft/Search Assisant/ACMru/5603

Do I delete all of these?

#16 greekguy (Full Member, 11 posts)

Posted 08 July 2004 - 11:19 PM

???

#17 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 09 July 2004 - 02:03 PM

As I originally posted, first EXPORT the key as a registry file. Then delete it.
That way, if a mistake is made, the files can be imported.

Both of the keys

HKEY_CURRENT_USER/Software/AdroarPlugin
and
HKEY_CURRENT_USER/Software/Microsoft/Search Assisant/ACMru/5603
should go.
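A PowerShell audit, added here as an example and not part of the thread, that does what #14 and #17 describe by hand: list every value under the HKLM and HKCU Run keys, resolve each command string to its executable, flag entries whose file no longer exists on disk (the orphaned-entry case dave38 suspects), and export the key to a .reg file before deleting a value. The function names and the backup folder are my own choices; run it from an elevated PowerShell on the affected machine.

```powershell
# Added example: audit Run-key autostarts and back up before removal.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable out of a Run value's command string. Handles the three
# shapes seen in the thread's log:
#   "C:\Program Files\X\y.exe" -osboot   (quoted path plus arguments)
#   C:\WINDOWS\ARUpdate.exe              (bare absolute path)
#   SOUNDMAN.EXE                         (bare name; resolved against %SystemRoot%)
# Caveat: a launcher such as rundll32.exe resolves to the launcher, not the DLL it loads.
function Resolve-RunTarget {
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        $exe = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } elseif ($cmd -match '^(.+?\.(exe|com|scr|bat|cmd|dll))(\s|$)') {
        $exe = $Matches[1]          # unquoted path with spaces, e.g. "...\Ad-aware.exe +c"
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    if ([System.IO.Path]::IsPathRooted($exe)) { return $exe }
    foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
        $candidate = Join-Path $dir $exe
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $exe                     # unresolved bare name; reported as missing
}

# One object per Run value, with Exists = $false for orphaned entries.
function Get-RunEntryAudit {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # provider bookkeeping, not values
            $target = Resolve-RunTarget -Command ([string]$p.Value)
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = [string]$p.Value
                Target  = $target
                Exists  = [bool]($target -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

# Export the whole key (regedit's "Export" in #14), then remove the single value.
# Refuses to delete anything if the export did not produce a file.
function Remove-RunEntryWithBackup {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\regbackup')   # assumed location
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $native = $Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    $stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
    $file   = Join-Path $BackupDir "Run_${Name}_${stamp}.reg"
    & reg.exe export $native $file | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $file)) {
        throw "Export of $native failed; value '$Name' was not deleted"
    }
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
    "Exported $native to $file and removed value '$Name'"
}

# Audit: show only Run values whose target is missing from disk.
Get-RunEntryAudit | Where-Object { -not $_.Exists } | Format-Table Name, Command, Target -AutoSize

# Cleanup of one entry, export first (value name taken from the thread's log):
# Remove-RunEntryWithBackup -Key $RunKeys[0] -Name 'AdRoarUpdate'
```

If a value comes back after deletion, as it does in #10 where Ad-Watch reports an attempt to rewrite the Run key, something still running is re-creating it and this audit only reports the symptom.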



