
plagued by PUPS 3


Ngolem

Programmer
Aug 23, 2001
2,724
CA
I have had a plague of PUPs including Search.Conduit, KeyBar 1.19, Ask.com and Whitesmoke, and I would not be surprised if there is something else there.

Here is the HijackThis analysis:

Scan saved at 11:17:35 AM, on 2/20/2014
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

FIREFOX: 25.0.1 (en-US)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\Program Files\Symantec\Norton Utilities 16\sMonitor\StartManSvc.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\IPS\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {739df940-c5ee-4bab-9d7e-270894ae687a} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SearchProtect] C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O18 - Protocol: intu-qt2009 - (no CLSID) - (no file)
O18 - Protocol: intu-tt2010 - (no CLSID) - (no file)
O18 - Protocol: intu-tt2011 - {B3B5DAD9-E96D-45B4-B636-B6CF2F773DE1} - C:\Program Files\TurboTax 2011\ic2011pp.dll
O18 - Protocol: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Norton Disk Doctor Service (DiskDoctorService) - Symantec Corporation - C:\Program Files\Symantec\Norton Utilities 16\Tools\Disk Doctor\DiskDoctorSrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
O23 - Service: Norton Utilities 16 Start Manager Service (NU16StartManagerSvc) - Unknown owner - C:\Program Files\Symantec\Norton Utilities 16\sMonitor\StartManSvc.exe
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Norton SpeedDisk Service (SpeedDiskService) - Symantec Corporation - C:\Program Files\Symantec\Norton Utilities 16\Tools\SpeedDisk\SpeedDiskSrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6665 bytes

My personal feeling is that these PUPs have been dragged in through auto-updates of Firefox, Adobe and Java, where there is often no chance to view what has been installed. I have disabled these auto-updates now.

The main symptom is loss of use of my "D" drive... The last time, I found Ask.com used on Internet Explorer, and I think I got rid of that, but after a day of good performance something else is a problem... Is anything revealed in this printout? Norton anti-virus finds nothing wrong.

Jim Broadbent
 
"Norton anti-virus finds nothing wrong."

Nothing new there then.

Firefox does not bundle anything in its updates; unfortunately the same cannot be said of Norton, Adobe (with Flash updates) or Yahoo! (with just about everything). But the prime candidate for loading crap is the useless "Advanced Registry Optimizer".



Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
I have to agree with ChrisHirst about Advanced Registry Optimizer. I remove it every time I find it on family and friends' PCs...
 
Well, my problems began back in October when Firefox made a rollout... I am getting tired of these rollouts, so I have put a stop to new ones for a while.

Right now the system is working fine... When I opened Control Panel earlier, under Internet Options / General / Search Settings / Toolbars and Extensions

I found several that I find suspicious, even though they are disabled:

Research, Windows Messenger and Discuss

The reason I don't like these is that there is no publisher, they are in the "Not Available" section, and there is no easy way to remove them if I wanted to. In addition there is no file date or other info.

Now if they were legit I would have expected the first 2 to be published by Microsoft...the last I do not know.

Are these OK or not? And how do I remove them completely if they are not?

Where would I find "Advanced Registry Optimizer", and how do I remove it?

My computer runs fine for a while then like a Whack-a-Mole...another problem rises a day or two later {sigh}

Jim Broadbent

 
Ngolem,

I agree it's a bit silly not to have a readily-identified publisher but...

Discuss has a class ID of {BDEADE7F-C265-11D0-BCED-00A0C90AB50F} and is the Microsoft Office "Web Discussions" Explorer Bar for IE.

Research has a class ID of {92780B25-18CC-41C8-B9BE-3C9C571A8263} and is also added by Microsoft Office.

Messenger is Microsoft's Windows Messenger. I have it switched off completely on my system so I can't look up the class ID.

All three are legitimate... but can be disabled. (I know I do!) [smile]

Hope this helps...
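The two posts above do by hand what a small triage script can do over the whole log: parse each HijackThis entry, pull out its class ID, and flag the things a defender looks at first (orphaned "(no file)" entries, services with no recorded owner, autostarts running from the SYSTEM profile's Application Data, and names the thread has already identified as PUPs). The following is an added example written for this thread, not HijackThis code or anything the posters ran. The sample log lines are copied from the OP's log, the CLSID table holds only the two class IDs allteltec identified, and the keyword list is constructed from the PUP names mentioned in the thread; the flags are triage hints to check against a proper CLSID database, not verdicts.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the shape of the HijackThis log posted in this
# thread (a few O2/O3/O4/O9/O23 lines copied from it, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O3 - Toolbar: (no name) - {739df940-c5ee-4bab-9d7e-270894ae687a} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SearchProtect] C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe (User 'SYSTEM')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Norton Utilities 16 Start Manager Service (NU16StartManagerSvc) - Unknown owner - C:\Program Files\Symantec\Norton Utilities 16\sMonitor\StartManSvc.exe
"""

# Class IDs that allteltec identified in the thread. A real triage tool would
# consult a fuller database (such as the systemlookup.com site mentioned later).
KNOWN_CLSIDS = {
    "{92780B25-18CC-41C8-B9BE-3C9C571A8263}": "Microsoft Office Research bar",
    "{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}": "Microsoft Office Web Discussions bar",
}

# Constructed keyword list built from the PUP names mentioned in the thread
# (matched case-insensitively against the whole entry).
PUP_KEYWORDS = ("searchprotect", "conduit", "advanced registry optimizer",
                "whitesmoke", "keybar")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


class Entry(NamedTuple):
    section: str           # HijackThis section code, e.g. "O4" or "O23"
    body: str              # everything after the "O4 - " prefix
    clsid: Optional[str]   # first {GUID} found in the line, upper-cased
    known: Optional[str]   # description if the CLSID is in KNOWN_CLSIDS
    flags: tuple           # triage hints; an empty tuple means nothing stood out


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis entry; returns None for blank or non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    cm = CLSID_RE.search(body)
    clsid = cm.group(0).upper() if cm else None
    flags = []
    if "(no file)" in body:
        flags.append("orphan")                  # registry entry whose file is gone
    if "Unknown owner" in body:
        flags.append("unknown-owner")           # service with no publisher recorded
    if "\\systemprofile\\Application Data\\" in body:
        flags.append("system-profile-appdata")  # autostart living in SYSTEM's profile
    if any(k in body.lower() for k in PUP_KEYWORDS):
        flags.append("known-pup-name")
    return Entry(section, body, clsid, KNOWN_CLSIDS.get(clsid), tuple(flags))


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that carry at least one triage flag."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.flags]


def lookup_clsid(clsid: str) -> Optional[str]:
    """Look a class ID up the way allteltec did by hand (case-insensitive)."""
    return KNOWN_CLSIDS.get(clsid.upper())


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<36} {e.body[:70]}")
```

Running it over the sample prints the two orphaned BHO/toolbar entries, the AROReminder and SearchProtect autostarts, and the "Unknown owner" service; the Java helper and the Office Research button come through clean, and the Research CLSID resolves to its Office description, which is the check the OP wanted for the entries without a publisher.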
 
I will fix you up. Run the following in order (reboot if any ask you to BEFORE proceeding)
0. Run CCleaner to clean out temp files
1. Junk Removal Tool
2. Run Rogue Killer
3. Run Malwarebytes Anti-Malware. You need internet for it to update, so try regular mode, then safe mode with networking. If it won't update, run it anyway and see what it can remove. Then reboot, try the update, and run MBAM again if it updates.

Clean sources for programs:




"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
Here is a diagnostic and removal narrative on Whitesmoke (in FF):


Vince
ASAP Member (VopThis) - Alliance of Security Analysis Professionals
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]
 
Just run JRT first (and other items) to see if that sorts it out. VOP - please let me handle this. The OP only needs to go in one direction at a time.

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
Thanks to goombawaho, vop, and allteltec for the list and other items. Hopefully I'll remember to check out a couple of those I hadn't looked into before. Well, hopefully I won't need them. The systemlookup.com site looked interesting in that you can just take the id for a file, and it'll tell you more about it. That could be very useful for diagnosing weird events on a machine.

"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57
 