Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

plagued by PUPS 3

Status
Not open for further replies.
Ngolem

Ngolem

Programmer
Aug 23, 2001
2,724
CA
I have had a plague of PUPS including Search.Conduit, KeyBar 1.19, Ask.com and Whitesmoke and I would not be surprised if there is something else there.

Here is the Hijack this analysis

Scan saved at 11:17:35 AM, on 2/20/2014
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

FIREFOX: 25.0.1 (en-US)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\Program Files\Symantec\Norton Utilities 16\sMonitor\StartManSvc.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\IPS\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {739df940-c5ee-4bab-9d7e-270894ae687a} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SearchProtect] C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - O18 - Protocol: intu-qt2009 - (no CLSID) - (no file)
O18 - Protocol: intu-tt2010 - (no CLSID) - (no file)
O18 - Protocol: intu-tt2011 - {B3B5DAD9-E96D-45B4-B636-B6CF2F773DE1} - C:\Program Files\TurboTax 2011\ic2011pp.dll
O18 - Protocol: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Norton Disk Doctor Service (DiskDoctorService) - Symantec Corporation - C:\Program Files\Symantec\Norton Utilities 16\Tools\Disk Doctor\DiskDoctorSrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
O23 - Service: Norton Utilities 16 Start Manager Service (NU16StartManagerSvc) - Unknown owner - C:\Program Files\Symantec\Norton Utilities 16\sMonitor\StartManSvc.exe
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Norton SpeedDisk Service (SpeedDiskService) - Symantec Corporation - C:\Program Files\Symantec\Norton Utilities 16\Tools\SpeedDisk\SpeedDiskSrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6665 bytes

My personal feeling is that these PUPS have been dragged in through auto updates of Firefox, Adobe and Java where there is often no chance to view what has been installed..I have disabled these auto updates now.

The main symptom is loss of use of my "D"drive...on the last time I found Ask.com used on Internet Explorer and I think I got rid of that but after a day of good performance something else is a problem ....Is anything revealed in this printout....Norton anti-virus finds nothing wrong.

Jim Broadbent
 
Sort by date Sort by votes
.Norton anti-virus finds nothing wrong.
Click to expand...

Nothing new there then.

Firefox do not bundle anything in their updates, unfortunately the same cannot be said of Norton, Adobe (with Flash updates), Yahoo! (with just about everything). But the prime candidate for loading crap, is the useless "Advanced Registry Optimizer".



Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
Upvote 0 Downvote
I have to agree with ChrisHirst about Advanced Registry Optimizer. I remove it every time I find it on family and friends' PC's...
 
Upvote 0 Downvote
Well my problems began back in October when FireFox made a rollout....I am getting tired of these rollouts so I put a stop to new ones for a while.

Right now the system is working fine...When I open Control panel earlier I saw under Internet Options/general/search settings/Toolbars and extensions

I find several that I find suspicious...even though they are disabled

Research, Windows Messenger and Discuss

The reason I don't like these is there is no publisher and they are in the Not Available section and no easy way to remove them if I wanted too. In addition there is no file date or other info.

Now if they were legit I would have expected the first 2 to be published by Microsoft...the last I do not know.

Are these ok...or not? and how to remove them completely if they are not....

Where would I find "Advanced Registry Optimizer" and how do I remove it.

My computer runs fine for a while then like a Whack-a-Mole...another problem rises a day or two later {sigh}

Jim Broadbent

 
Upvote 0 Downvote
Ngolen,

I agree it's a bit silly not to have a readily-identified publisher but...

Discuss has a class ID of {BDEADE7F-C265-11D0-BCED-00A0C90AB50F} and is the Microsoft Office "Web Discussions" Explorer Bar for IE.

Research has a class ID of {92780B25-18CC-41C8-B9BE-3C9C571A8263} and is also added by Microsoft Office.

Messenger is Microsoft's Windows Messenger. I have it switched off completely on my system so I can't look up the class ID.

All three are legitimate... but can be disabled. (I know I do! )[smile]

Hope this helps...
 
Upvote 0 Downvote
I will fix you up. Run the following in order (reboot if any ask you to BEFORE proceeding)
0. Run CCleaner to clean out temp files
1. Junk Removal Tool
2. Run Rogue Killer
3. Run MalwareByte's Anti-Malware. You need internet for it to update, so try regular mode then safe mode with networking. If it won't update, run it anyway and see what it can remove. Then reboot and try the update and run MBAM again if it updates.

Clean sources for programs:




"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
Upvote 0 Downvote
Here is a diagnostic and removal narrative on Whitesmoke (in FF):


Vince
ASAP Member (VopThis) - Alliance of Security Analysis Professionals
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]
 
Upvote 0 Downvote
Just run JRT first (and other items) to see if that sorts it out. VOP - please let me handle this. The OP only needs to go in one direction at a time.

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
Upvote 0 Downvote
Thanks to goombawaho, vop, and allteltec for the list and other items. Hopefully I'll remember to check out a couple of those I hadn't looked into before. Well, hopefully I won't need them. The systemlookup.com site looked interesting in that you can just take the id for a file, and it'll tell you more about it. That could be very useful for diagnosing weird events on a machine.

"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

javierdlm001
  • Locked
  • Question
"Win32.Downloader.gen" found as Malware by Spybot
Replies
3
Views
107
2ffat
2ffat
crackoo
  • Locked
  • Question
Encrypted files by Win32.Mabezat.A
Replies
2
Views
94
crackoo
crackoo
izzer43
  • Locked
  • Question
Manual Removal of Virus "TIDSERV 2" required by Norton
Replies
0
Views
71
izzer43
izzer43
johncp
  • Locked
  • Question
Infection by nasty malware 2
2
Replies
23
Views
244
BadBigBen
BadBigBen
dcranford
  • Locked
  • Question
Outbound random traffic - source port increments by 1
Replies
3
Views
81
dcranford
dcranford

Part and Inventory Search

Sponsor

Back
Top