First please let me apologize for posting in the manner I'm about to do. It's a requirement that I have 5 posts to have a link and my HJT log is full of links...which means I can't get help without having five posts and if I've got to ***** up five posts I may as well not trash another person's thread with either misguided advice or nonsense. Please stay tuned.

...plus probably half a dozen other things. It seems like I have WAY too many things running at one time and I can't figure out why. For kicks here's a screen shot of my process manager...



I don't know what half that crap is...of course it's an old computer and lots can happen over 6 years but still.

Anyway...CA detects both the darksma and internet speed monitor (ISM from here on because that's irritating to write) and says it's removed them, but they come right back on the next scan. Adaware doesn't even detect them...much less remove them. I've tried running all my programs in safe mode and no change.

I did some searching here and found references to this same bug but when it came to deleting/repairing files the ones listed in the forum weren't found on my PC. I ran HJT but, as said, the files listed weren't found on my PC. Here's the log file cut-n-paste:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:03 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ftp://www.photoartclub.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [a4b0434f] rundll32.exe "C:\WINDOWS\system32\jdmwqfgu.dll",b
O4 - HKCU\..\Run: [GetModule30] C:\Program Files\GetModule\GetModule30.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O20 - AppInit_DLLs: tfrkqk.dll
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

--
End of file - 5914 bytes


Any help is much appreciated!

Thanks!
Duncan

P.S. Please, again, accept my apologies for the following four pointless posts. I don't know how else to get my log file to display. Thank you for your patience!

again, my sincerest apologies.

I really am sorry.

just one more...

I would like to add that I do not use Internet Explorer for anything other than uploading files to my website.

Follow this : http://www.techspot.com/vb/topic58138.html

Post back the three logs IN A ATTACHMENT
to know how to attach go to this link http://www.techspot.com/vb/topic19133.html

I recommend to uninstall CA and install any one of these, (only install 1) (you don't have to uninstall by the way)

AVG free http://free.avg.com/download-avg-anti-virus-free-edition
Avira Free http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Avast Free http://www.avast.com/eng/avast_4_home.html

Cleaning of the Hijackthis log will be after the 8 steps

Thanks Kazi...I was working on getting the logs. The log time is crap...says it took 14 hours to scan my computer but it took well over 24...bleh...

Anyway, here are the two logs I could get:

http://photoartclub.net/viruslogs/ccleanerlog1.txt
http://photoartclub.net/viruslogs/malwarelog1.txt

I've tried to get the antivir log but it takes three to four hours for the thing to scan my computer and the instant it hits 100% I get an error message and the program closes.

I'm also having issues get zonealarm to work...I don't know why, though, because I've had it before. Avira's firewall thing uses too much memory. My poor old PC can't handle it and running WOW at the same time.

Oh and I can attach the files if absolutely necessary, but I don't like doing that when I have a perfectly good host that I don't use near enough available.

http://photoartclub.net/viruslogs/hijackthislog.txt

I ran all the "quick" scanners again, including CA's little dinky thing, and darksma and internet speed monitor are both gone and I no longer have a plague of pop-ups, but now this is popping up:

ImIServer IEPlugin

The computer is still a bit slower than she should be, and there's lag when changing windows/tabs and still a lot when opening new ones.

UMM you still shouldn't be feeling right
sorry for the late post

In your malwarebyte log you did not remove anything at all saying no action taken.
Run a scan with malwarebyte again and tell me if anything comes out

if something comes out do these

You have not ran Superantispyware it seems, you don't need to attach a log for ccleaner

? Avira free doesn't have a firewall.
currently your computer is SLOW it seems
you could always try the lightning fast antivirus everyone loves
HOWEVER if you wish to keep CA, you can

NOD32 www.eset.com/beta
Smart security 4 is going beta and is free until 3/2/09

Tell me the error of zonalarm firewall

I cannot access your hijackthis log

http://photoartclub.net/viruslogs/hijackthis.log

Sorry I screwed up the extension.

I'll remove everything malwarebytes comes up with next time...I thought I was supposed to wait for further instruction before removing all that stuff.

I missed the superantispyware thing...when I tried to d/l it the other night it never started the process but it's going now. I'll post anything it comes up with when I get off work this afternoon.

When I open zonealarm it immediately has a program error message and no attached details. Just won't start up. I haven't had time to uninstall and try again yet

makenzie71

Do exactly this The TechSpot 8 Steps

Do step by step skip no steps and attach the logs.

Do this right and we can make short work of this.

Mike

When done attach the logs

Superantispyware says no errors found.

CCleaner finds no issues.

Malwarebytes finds no issues.

AntiVir won't be done scanning until tomorrow afternoon...bleh...

CA still pulls up the same IMIserver IEPlugin thing, though, and the PC still isn't as quick as she should be.

New HJT log: http://photoartclub.net/viruslogs/hijackthis1.log

I don't think you should be using 2 anti viruses at the same time

Anyways remove these from HJT
close all other stuff besides HJT before removing

Run a kaspersky online scan as i said in earlier post

I think that will be all i can do, as i'm kinda bad in the combofix and sd-fix parts

Kazi, any help is great help and I really appreciate it! I'm urnning the kapersky thing but it's going to be Monday before it's done scanning apparently.

Last suggestion
since zonealarm is giving you a error
i recommend Comodo as it is as good as zonealarm but faster

http://www.techspot.com/downloads/3702-comodo-personal-firewall.html

Good advice on Comodo!

The below is not as complex as it looks one step at a time. It is your choice if you do it or not.

But ZA is stickie hard to remove like Norton. Even after (just the Add/Remove ZA uninstall) it can cause obvious and undetermind issues and slowdowns.

This may be an eye opening experience as you see what a poor uninstall leaves behind.

The below is my full ZA removal process but you have already done a standard uninstall and the Add/remove entry is now gone so Revo will not detect ZA. So begin at the point after that.

Removing and cleaning ZoneAlarm
Uncheck all to turn off and or disable ZA then reboot

Uninstall with Revo http://www.revouninstaller.com/ Used Advance and remove leftover Registry and Disk files.

Download Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Make sure hidden files and folders are shown. Open Windows Explorer. Depending on your OS click Tools or View and then Folder Options > View.

Choose Show hidden files and folders, uncheck Hide protected operating system files and click OK.

Then:

Left Drag mouse to highlight and copy all text in the box below.

Code:

Zonelabs; "zone labs"; "Internet logs"; vsconfig.xml; vsdata.dll; vsdata95.vxd; vsdatant.sys; vsmon.*; vsmonapi.dll; vsnetutils.dll;vspubapi.dll; zaplus.*; zapro.*; zllictbl.dat; zlparser.dll; zonealarm.exe; zoneband.dll; vsutil.dll; zlclient.*

Next:
Start-Search-Files and Folders. In location set to search your Local Hard Drive (usually C:\ ) or All Local Drives.

Select Advanced Search Options and set to search subfolders and hidden files.

Now paste the copied lines from above into the search box and click Search Now.

Delete all it finds! Empty Recycle bin.


Next:
To remove all ZoneLabs keys left in the Windows registry.

Highlight and copy for pasting, the below (between the lines)
----------------------------------------------------------------------

Code:

REGEDIT4
[-HKEY_CLASSES_ROOT\ZAMailSafe]
[-HKEY_CURRENT_USER\Software\Zone Labs]
[-HKEY_LOCAL_MACHINE\Software\Zone Labs]
[-HKEY_USERS\.DEFAULT\Software\Zone Labs]

----------------------------------------------------------------------

Paste the lines into Notepad.
Save as (All Files) removeza.reg.
Once saved double click removeza.reg and allow - accept the prompts for changes to be made.

Now REBOOT.

left drag mouse and select all in the box below for pasting.

Code:

@echo off
:: Cleanup ZA after install

cd\

rd /s /q "C:\Program Files\Zone Labs"
rd /s /q "C:\WINDOWS\Start Menu\Programs\Zone Labs"

attrib -h -s -r ZAMailSa*.* /s
attrib -h -s -r "zonealarm pro"*.* /s
attrib -h -s -r Zonelabs*.* /s
attrib -h -s -r "zone labs*.*" /s
attrib -h -s -r "Internet logs"*.* /s
attrib -h -s -r vsconfig.xml /s
attrib -h -s -r vsdata.dll /s
attrib -h -s -r vsdata95.vxd /s
attrib -h -s -r vsdatant.sys /s
attrib -h -s -r vsmon.* /s
attrib -h -s -r vsmonapi.dll /s
attrib -h -s -r vsnetutils.dll /s
attrib -h -s -r vspubapi.dll /s
attrib -h -s -r zaplus.* /s
attrib -h -s -r zapro.* /s
attrib -h -s -r zllictbl.dat /s
attrib -h -s -r zlparser.dll /s
attrib -h -s -r zonealarm.exe /s
attrib -h -s -r zoneband.dll /s
attrib -h -s -r vsutil.dll /s
attrib -h -s -r zlclient.* /s
attrib -h -s -r Zonelabs*.* /s


del ZAMailSa*.* /f /q
del "zonealarm pro"*.* /f /q
del Zonelabs*.* /f /q
del "zone labs*.*" /f /q
del "Internet logs*.*" /f /q
del vsconfig.xml /f /q
del vsdata.dll /f /q
del vsdata95.vxd /f /q
del vsdatant.sys /f /q
del vsmon.* /f /q
del vsmonapi.dll /f /q
del vsnetutils.dll /f /q
del vspubapi.dll /f /q
del zaplus.* /f /q
del zapro.* /f /q
del zllictbl.dat /f /q
del zlparser.dll /f /q
del zonealarm.exe /f /q
del zoneband.dll /f /q
del vsutil.dll /f /q
del zlclient.* /f /q
del Zonelabs*.* /f /q
del Zonelabs*.* /f /q


del "C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm Pro.lnk" /f /q
del C:\WINDOWS\SYSTEM\vsdata.dll /f /q
del C:\WINDOWS\SYSTEM\Vsdata95.vxd /f /q
del C:\WINDOWS\SYSTEM\vsdatant.sys /f /q 
del C:\WINDOWS\SYSTEM\vsmonapi.dll /f /q 
del C:\WINDOWS\SYSTEM\vspubapi.dll /f /q 
del C:\WINDOWS\SYSTEM\vsutil.dll /f /q 
del C:\WINDOWS\SYSTEM\zllictbl.dat /f /q 
del C:\WINDOWS\SYSTEM\zlparser.dll /f /q 
del C:\WINDOWS\SYSTEM\ZoneLabs\Migrate.dll /f /q 
del C:\WINDOWS\SYSTEM\ZoneLabs\vsdb.dll /f /q 
del C:\WINDOWS\SYSTEM\ZoneLabs\vsmon.exe /f /q 
del C:\WINDOWS\SYSTEM\ZoneLabs\vsruledb.dll /f /q 
del C:\WINDOWS\SYSTEM\ZoneLabs\minilog.exe /f /q 
del C:\WINDOWS\Internet Logs\IAMDB.RDB /f /q 
del "C:\WINDOWS\Internet Logs\W98-DHIGHT.ldb" /f /q 
del C:\WINDOWS\SYSTEM\ZoneLabs\html.tdr /f /q

reg delete HKEY_CLASSES_ROOT\ZAMailSafe
reg delete HKEY_CURRENT_USER\Software\Zone Labs
reg delete HKEY_LOCAL_MACHINE\Software\Zone Labs
reg delete HKEY_USERS\.DEFAULT\Software\Zone Labs
reg delete HKLM\System\ControlSet001\enum\Root\LEGACY_VSMON
reg delete HKLM\System\ControlSet001\enum\Root\LEGACY_VSDATANT
reg delete HKLM\System\ControlSet002\enum\Root\LEGACY_VSMON
reg delete HKLM\System\ControlSet002\enum\Root\LEGACY_VSDATANT
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VSDATA9

exit
exit

Once the above is selected the open a cmd prompt and paste to the black screen.

Run AutoRuns click the Everything Tab look down the column Publisher for anything not Microsoft delete any line referencing Zone alarm or Zonelabs.
----------------------------------------------------------------------------------------------------------------------------------
If you are paranoid do the following also.

D/L Regseeker http://www.hoverdesk.net/freeware.htm

Run it and select "Find in Registry" the following 1 at a time.
zonelabs
zone labs
zonealarm
zoneband
zlclient
zaplus
zapro
zamailsafe
zllictbl
zlparser
Internet logs
vsconfig
vsdata
vsmon
vsnetutils
vspubapi
vsutil

Then in Regseeker select Clean Registry and do a general Reg clean before rebooting.

And finally you will be clean of ZA.

Mike