  1. #1
    buttoni (Member, Central Texas)

    ActiveXControls/Add-Ons

    Wary PC user that I am, I check my "Manage Add-Ons" listing regularly. It has always looked pretty good to me. But today three items appeared that I have no idea where/when they got on my PC. In the last two weeks, I have only downloaded antispyware SW and tools recommended on this site. Had some HJT log entries we cleaned out last week successfully.

    Do you recognize any of these? If not, do you think I should go in and disable them?


    MetaStream Ctl Class
    Viewpoint Corporation
    File=AxMetaStream.dll

    InstallShield Update Svce
    InstallShield SW Corp.
    File=isusweb.dll

    QDiagDUpdate Obj Class
    Gteko Ltd.
    file=qdiagd.ocx
    SYSTEM SPECS: HP Pavilion p6-2120t desktop, Intel Pentium Quad Core, 8GB DDR#-1333MHz SDRAM (2 DIMMS), HP 23" HP 2311 LED monitor, Realtek PCI GBE Family Controller, Integrated sound, HP SATA 16X HD,
    Windows 7x64 Home Premium; Firefox 13.0.1 default; IE8; ATT DSL 2Wire modem/router; Yahoo Web Mail;
    Comodo FW 5.10 (D+ & Sandbox enabled); MSSE; MBAM on demand.

  2. #2
    galena1 (Member, Devon, UK)

    Hallo Peggy in Texas - Go here - http://www.help2go.com/article217.html
    and work your way through ALL of the processes and post a HiJack This Log to this thread by clicking on 'reply'. One of the experts will check over your Log and advise. If you have any problems running anything in Article 217 just move on and give details at the start of the post with your Log. Any problems then get back here and someone will guide you. Be sure to download and run HiJack This from a PERMANENT folder (instructions for this are in Article 217). Regards.
    I know everything about nothing, nothing about everything and precious little about the bit in between.
    P4-3.0G - Seagate Barracuda 160 - Maxtor 120 - Antec Hard Drive Cooler - 1GRam - Radeon9800Pro - Sony Multi DriveDVDRW - Audigy2 6.1 - XPHome

  3. #3
    Canuck (Help2Go Administrator, Edmonton, Alberta, Canada)

    Take a look here http://www.iamnotageek.com/a/430-p1.php for AxMetaStream.dll info. And isusweb.dll (InstallShield Update Service Web Agent): if you didn't download it, do a search and delete if you wish. While I am able to find a download for the qdiagd.ocx file, I am unable to find a description; however, here is a definition of .ocx:
    Short for OLE Control Extension, an independent program module that can be accessed by other programs in a Windows environment. OCX controls end with a .ocx extension. OCX controls represent Microsoft's second generation of control architecture, the first being VBX controls written in Visual Basic.
    Both VBX and OCX controls have now been superseded by ActiveX controls. However, ActiveX is backward compatible with OCX controls, which means that ActiveX containers, such as Microsoft's Internet Explorer, can execute OCX components.


  4. #4
    buttoni (Member, Central Texas)

    ActiveX/Add-on Question

    Did all steps. Panda found only ExactSearch (alias eXactSearchbar) in Windows registry. Did not disinfect it. Collects info for pop-ups, which I'm not getting. Housecall found only one cookie StatCounter.com and cleaned it off. McAfee Virusscan found nothing. Spybot found nothing. Yahoo Anti-Spy found nothing. Adaware found 11 negligible items "MRU List" items and deleted them. CWSShredder found nothing infected/not present. MS Anti-Spy found nothing. I am up to date on Windows and McAfee and all anti-spy software. Detective found no items to take action on or fix. So here's my log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:15:03 AM, on 7/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\dlbtcoms.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\peggy\Desktop\HijackThis3NewFolder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1...datePortal.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/Visi.../TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/sh...,2/mcmysec.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    Spyware Guard has popped up twice in the last few days saying: IE detected an attempt to change your home page from SBC DSL Yahoo to about:blank. I blocked that attempt each time and am getting the correct home page each time I log onto the net. Log looks pretty good to me. What do you folks think?

    Will read your suggested link on the Add-Ons while I await your reply.

  5. #5
    buttoni (Member, Central Texas)

    ActiveX/Add-Ons

    Went to the link for I'm not a Geek. Searched all the file names and couldn't find these three on any of the groupings. I think the Gteko Ltd. entry may be associated with AuAgent.exe and Dell Support, based on something I saw in Adaware's logfile screen. So that one may be OK to leave enabled.

  6. #6
    buttoni (Member, Central Texas)

    ActiveX controls I asked about

    While awaiting your reply I did some Google searches on these ActiveX controls:

    AdAware logfile says Gteko,Ltd. is associated with the Dell support directory and Google indicates this company specializes in automated user support software for major companies. Am going to leave that one on my machine.

    InstallShieldUpdateService is just that, their site indicates it allows end users to get updates and patches directly. Any of the anti-spyware softwares I have installed in the last month may have added this one to allow me to get updates. So I'm going to leave that one on my machine also.

    AxMetaStream is still looking bad. Google entries indicate this is spyware that is a part of Viewpoint Toolbar. Guess what tried to add itself to my Favorites list yesterday? You got it! Viewpoint Toolbar. I didn't click on it but just edit/deleted the favorite entry. I also just went to my programs files folder and see one for Viewpoint, chock full of goodies. Some of the thumbnails say Viewpoint Media Player. I did not install nor do I use any such media player (unless Yahoo's integrated Launchcast radio, which I do listen to, uses it). Did a File Search on AxMetaStream.dll and it found it in the viewpoint folder in Prgm Files. I have not deleted any files nor done an Add/Remove on the Viewpoint folder yet.

    One of the Google entries is for removal instructions for "Deleting AxMetaStream.dll" but am afraid to go there. The last time I went to do a look-see on a so-called removal site, it locked up my system and reinstalled the very spyware I had just spent two days cleaning off my PC!!

    I have just updated Adaware, MSAnti-Spy, SpywareGuard, SpywareBlaster, Spybot and YahooAnti-Spy and they are not singling this out as spyware.
    Is it spyware or not? There's no entry in my HJT log to indicate it at start up. What, if any, actions do you recommend I take?

  7. #7
    Oddjob (Member, London, U.K.)



    Hello Peggy in Texas

    Nothing in your log worries me much. You are right about the Viewpoint connections. I suggest you go to add/remove programs and remove Viewpoint completely.

    Please also move your HJT folder to a more secure location such as the C: drive with the address C:\HJT.

    After that please scan again with both Panda Activescan and Housecall.

    Please do all scans available at both sites and use "autoclean" with Housecall.

    If either/both find anything that they can't fix - perhaps because the files are "in use" - please post reports of all those issues (with full addresses of the problem file locations) and we'll give you any removal instructions necessary.

    When you post again please also give us an update on any problems you are experiencing with your PC at the moment (onscreen error messages, operational difficulties etc.).

    Please also post a fresh log for review.

    OJ
    PLEASE DONATE. Help keep our site alive without ads.

    Help keep your computer protected. Read this > http://www.help2go.com/article152.html

  8. #8
    buttoni (Member, Central Texas)

    I disabled Meta Stream ActiveX control. I got rid of Viewpoint Folder and contents via Add/Remove Programs. Then I reran all the scans. None of them found anything except Pandaware Scan.

    PandaScan found 1 infection: ExactSearch in Windows Registry.
    It always finds it and never cleans it! Reran Spybot S&D but doesn't see any infected files. And if you watch the names scrolling during a Spybot scan, ExactSearch and ExactAdvertising are on the definition listing that scrolls very rapidly. Do you think I really have ExactSearch or not? Is there a way we can check?

    Only other concern is second line entry HJT found : hsremove.com
    I long ago deleted this entry via Add/Remove programs. It is a tool to remove HomeSearch spyware (which I thought I had at one time, but apparently didn't). I download it from a link on either this site, or the HJTlogs site itself. Ran the program one time, which apparently put the line in my list in HJT. Every time I try to let HJT "fix" this line both SpywareGuard and MS Anti-Spy tell me IE has detected attempt to change my start page from hsremove to about:blank!!!!! I know MSAS is giving some false error messages, but "about:blank" scares me, so I always tell it to block the action and leave the hsremove start page. The "lesser of two evils" notion? :? Don't think I currently have about:blank and don't want to get it, from what reading I have been doing here lately!! 8O

    Anyway, here's my latest HJT log. Let me know what to do next.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:16:23 PM, on 7/2/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\dlbtcoms.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\hijackthis2\HijackThis2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1...datePortal.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/Visi.../TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/sh...,2/mcmysec.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    No other weird things are going on, other than the scary about:blank error messages already mentioned when I try to get rid of the hsremove line in my HJT log.

  9. #9
    steamwiz (Member, Yorkshire U.K.)

    Hi Peggy

    Oddjob's away tonight watching a thespian production... so I don't think he'll mind me posting for him....

    First ...

    "PandaScan found 1 infection: ExactSearch in Windows Registry.
    It always finds it and never cleans it! Reran Spybot S&D but doesn't see any infected files. And if you watch the names scrolling during a Spybot scan, ExactSearch and ExactAdvertising are on the definition listing that scrolls very rapidly. Do you think I really have ExactSearch or not? Is there a way we can check?"

    don't worry about this, this will be an orphan registry key, and with no file to run, it can't cause you any problems...

    The names you see scrolling during a Spybot scan are what spybot is checking for, not anything you have...

    "Only other concern is second line entry HJT found : hsremove.com

    Every time I try to let HJT "fix" this line both SpywareGuard and MS Anti-Spy tell me IE has detected attempt to change my start page from hsremove to about:blank!!!!! I know MSAS is giving some false error messages, but "about:blank" scares me"

    let me dispel a myth here...

    in internet explorer, go to the menu bar at the top and click on "Tools" then click on "internet options"

    In the top section ... for your homepage ... you will see 3 buttons

    Use current ... click this and whatever page you are viewing at the time will become the new homepage

    Use default ... this will go to your browser's default setting ... whatever that is ... probably this :- http://yahoo.sbc.com/dsl ... looking at your log

    Use blank ... if you select this and then click the internet explorer icon on your desktop, you will get a blank page, with about blank in the address bar, you can then click the drop down list and go where you want...

    you can go back to internet options and change the startpage to anything you want at any time...

    so fix it again ... and this time let Spywareguard, Microsoftantispyware and spybot ALLOW the change... this will get rid of hsremove.com for good ... please don't worry about this particular About blank as there is nothing bad about it.

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  10. #10
    buttoni (Member, Central Texas)

    Reran HJT and let SG allow the page change per your instructions. You were right, Steam. It's gone now. Adios to hsremove!! Yeah!!! Here's the new log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:00:42 PM, on 7/2/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\Program Files\hijackthis2\HijackThis2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1...datePortal.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/Visi.../TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/sh...,2/mcmysec.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



    Re: the three buttons in IE Internet options general tab. Mine shows http://SBC.yahoo.com/DSL and all three buttons are shaded and inaccessible, whether I log onto the PC as my Limited account or the Administrator account!! SBC DSL must lock these when it installs. Wonder if that means no spyware or hijacker will be able to change them either? Wouldn't THAT be nice? Wouldn't have to bother you guys much. Wishful thinking, I suppose.

    I know SBC DSL's 2-wire Home Portal Modem's hard-wired firewall is impressive. With McAfee Firewall alone, I used to get a hundred or more daily blocked inbound events. Since I switched to SBC DSL, I'm lucky if I see 10 inbound events on the McAfee log per day and we're on-line all day long!!

    I think my problems are fixed now. Thx for being there. I donated by mail today so that you guys can continue to provide quality support in a sponsor-free, spyware-free, 3rd-party cookie-free environment. It's greatly appreciated.

    TTFN
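
Added example (not part of the original thread, and not code from HijackThis): the review step the helpers perform by eye, comparing one HijackThis log with the next to see exactly what a fix or scan changed. The function names are hypothetical, and the sample scans are abridged from the three logs posted above.

```python
import re

# A HijackThis entry line starts with a section code such as R0, O2, O16 or O23,
# followed by " - " and the detail text. Header and "Running processes" lines
# do not match this shape and are ignored.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")


def parse_entries(log_text):
    """Return the set of (section_code, detail) entries found in a HJT log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def diff_logs(before, after):
    """Entries that disappeared or appeared between two scans of the same PC."""
    old, new = parse_entries(before), parse_entries(after)
    return {"removed": sorted(old - new), "added": sorted(new - old)}


def missing_file_entries(log_text):
    """Entries HijackThis tagged '(file missing)': a leftover registration
    whose target file is no longer on disk."""
    return sorted(e for e in parse_entries(log_text)
                  if e[1].endswith("(file missing)"))


# --- Sample data, abridged from the logs in this thread ---------------------
HEADER = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE

"""

# Lines present in all three scans.
COMMON = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
"""

HSREMOVE = (r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,"
            r"Start Page = http://hsremove.com/done.htm" "\n")
PID_SNIFFER = ("O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} "
               "(Microsoft PID Sniffer) - "
               "https://support.microsoft.com/OAS/ActiveX/odc.cab\n")

SCAN_0701 = HEADER + COMMON + HSREMOVE                   # 7/1/2005 11:15 AM
SCAN_0702_A = HEADER + COMMON + HSREMOVE + PID_SNIFFER   # 7/2/2005 3:16 PM
SCAN_0702_B = HEADER + COMMON + PID_SNIFFER              # 7/2/2005 7:00 PM


def report(before, after):
    """Human-readable summary of a diff, one line per changed entry."""
    changes = diff_logs(before, after)
    lines = [f"- {code} - {detail}" for code, detail in changes["removed"]]
    lines += [f"+ {code} - {detail}" for code, detail in changes["added"]]
    return "\n".join(lines) if lines else "(no entry changes)"


if __name__ == "__main__":
    print("7/1 -> 7/2 3:16 PM")
    print(report(SCAN_0701, SCAN_0702_A))
    print("7/2 3:16 PM -> 7/2 7:00 PM")
    print(report(SCAN_0702_A, SCAN_0702_B))
    print("Leftover registrations with no file on disk:")
    for code, detail in missing_file_entries(SCAN_0702_B):
        print(f"  {code} - {detail}")
```

On the abridged scans this shows the HKLM start-page line for hsremove.com disappearing only in the last log, and the one new O16 entry that appeared between the first and second scans.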
