Solved I need help with my 8-step program

Status
Not open for further replies.
Thanks for the reply - that was at about 3 am my time (what time is that for you?), it's now 8 am and I am off to the dentist today (Whee, NOT!) NO worries, I dont want to make extra work for you, I will re-install Reg Cure when we are done - I have my registry key printed out from when I re-upped so that should be no problem.

Should I reinstall Spybot S&D straight away? I will wait for your reply. I do not use Ad-Aware at all and don't like it: in fact I have been trying to eliminate it for a while but haven't had much luck. Actually, there are a few programs on my system that need to go - Ad-Aware, Clock Tray Skins, FreeAgent Go Tools AKA Ceedo (I don't have the software on that external drive anymore, it was wiped and reformatted and I just use it as a normal external backup drive), Clock Tray skins was really disappointing - all I wanted was a way to see the seconds counter on my System Tray Clock all the time; not to fancy it up with all sorts of weird fonts and stuff! Sigh! I really do need to overhaul all my installed stuff, but that falls outside the remit of "fixing the virus" and thus is probably something to tackle at another time.

Also - as far as I can find out Masterplan 7 is NOT installed to run at Startup - I don't use it often enough for that.
 
Give me a couple of hours and I'll set up the script to remove the programs you mentioned. They are:
Ad-Aware/AdWatch
Clock Tray Skins,
FreeAgent Go Tools AKA Ceedo


Most programs and apps can't be removed while running which may be why you couldn't remove them. there is a way around that.

Are you still having any malware related problems? What?
I'd like you to run HijackThis just to make sure there are no bad entries left.

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I can remove what I see in Combofix, but you may have to check Add/remove Programs for uninstalls and remove the program folders using Windows explorer.

Hold off on Spybot S&D reinstall. As for Masterplan, if it keeps trying to install, then there has got to be some process for it starting up.
 
Hijack This Log File

Here you go Bobbye,

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:29:50 AM, on 06/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WakeMeUp\WMUSvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\WakeMeUp\WMUAgent.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\WakeMeUp\WMUTray.exe
C:\Program Files\Sharp\Button Manager A\btnman.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.seagate.com/www/en-US/redirects/retail_news
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

http=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080;ftp=proxy.iprimus.com.au:80

80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

*.IPrimus.com.au;192.168.1.254;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;

172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;1

92.168.*;<local>
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO -

{A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program

Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program

Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} -

C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber

Systems\AI RoboForm\roboform.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} -

C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} -

C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program

Files\Advanced System Optimizer\IEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -

C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program

Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program

Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -

C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control

Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common

Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WMUAgent.exe] C:\Program Files\WakeMeUp\WMUAgent.exe
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [autosaver.exe] "C:\Program Files\Autosave\Autosave.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI

RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [WMUTray.exe] C:\Program Files\WakeMeUp\WMUTray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User

'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User

'Default user')
O4 - Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org

3\program\quickstart.exe
O4 - Global Startup: Button Manager A.lnk = C:\Program Files\Sharp\Button Manager

A\btnman.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare

software\bin\EasyShare.exe
O8 - Extra context menu item: Add to &LinkFox -

res://C:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Add to Google Photos Screensa&ver -

res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI

RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay

Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI

RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI

RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI

RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -

file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -

file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program

Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -

file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program

Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} -

file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) -

file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) -

file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhel

per.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A38118D-A1F2-4939-98FB-E866EDFE0BD5}:

NameServer = 203.134.64.66,203.134.65.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9A7FD29-B4B4-4092-B3E5-6F847B25DC57}:

NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A38118D-A1F2-4939-98FB-E866EDFE0BD5}:

NameServer = 203.134.64.66,203.134.65.66
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program

Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader -

{438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon -

{8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile

Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program

Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd. - C:\Program Files\DU

Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. -

C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) -

Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program

Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices,

Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WakeMeUp! Service (svcWMU) - Highspheres.com - C:\Program

Files\WakeMeUp\WMUSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH -

C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - https://toolbox.iprimus.com.au/images/PrimusLogo.gif

--
End of file - 12548 bytes
 
I've been doing some test Google searching since I posted the Hijack This Log and have seen no redirect behaviour. Downloading is back to slow again tonight - I've checked the ISP and I am not speed limited this time. AVG stopped a Virus today! The Virus was Identified as Win32/Patched.ER in C:\WINDOWS\system32\drivers\sisperf.sys. It has been confined to the AVG virus vault - I've got no idea where it came from - I left the system running with firefox open on my facebook newsfeed while I went in the other room and when I came back the AVG notification was up on the screen. I don't know if it did any damage - at the moment all I can say is that everything seems to be working normally. I am going to bed now (2.05am), I'll check back in the morning for any news. TTFN, KK.
 
You have an antivirus program to protect the system. It's doing it's job.

I can't read the HijackThis log. Please open Notepad> go to Format> uncheck Word Wrap. Copy the HJT log to that and attach it in a new reply.

I won't get back to this tonight. I'll check the log, then have you remove the cleaning tools.
 
Sorry about that - here you go!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:29:50 AM, on 06/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WakeMeUp\WMUSvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\WakeMeUp\WMUAgent.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\WakeMeUp\WMUTray.exe
C:\Program Files\Sharp\Button Manager A\btnman.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.seagate.com/www/en-US/redirects/retail_news
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080;ftp=proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.IPrimus.com.au;192.168.1.254;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;<local>
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WMUAgent.exe] C:\Program Files\WakeMeUp\WMUAgent.exe
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [autosaver.exe] "C:\Program Files\Autosave\Autosave.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [WMUTray.exe] C:\Program Files\WakeMeUp\WMUTray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Button Manager A.lnk = C:\Program Files\Sharp\Button Manager A\btnman.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A38118D-A1F2-4939-98FB-E866EDFE0BD5}: NameServer = 203.134.64.66,203.134.65.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9A7FD29-B4B4-4092-B3E5-6F847B25DC57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A38118D-A1F2-4939-98FB-E866EDFE0BD5}: NameServer = 203.134.64.66,203.134.65.66
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd. - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WakeMeUp! Service (svcWMU) - Highspheres.com - C:\Program Files\WakeMeUp\WMUSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - https://toolbox.iprimus.com.au/images/PrimusLogo.gif

--
End of file - 12548 bytes
 
Thanks- that is much better. I am still uncertain about the way your ISP and the proxy is set up. I don't know that there is anything wrong with it- I just don't understand it. There are several entries:

1) Proxy Server is set:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080;ftp=proxy.ip rimus.com.au:8080
Click to expand...
2) Then there is a ProxyOverride:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.IPrimus.com.au;192.168.1.254;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172 .20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28 .*;172.29.*;172.30.*;172.31.*;192.168.*;<local>
Click to expand...
3) Then there are these 3 TCP/IP settings:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A38118D-A1F2-4939-98FB-E866EDFE0BD5}: NameServer = 203.134.64.66,203.134.65.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9A7FD29-B4B4-4092-B3E5-6F847B25DC57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A38118D-A1F2-4939-98FB-E866EDFE0BD5}: NameServer = 203.134.64.66,203.134.65.66
Click to expand...
------------------------------------------------
I mentioned this previously and you gave some info on your reply on Post #16, but you also said there may be 'old stuff' and that the ISP hadn't been very helpful. I am not going to attempt to remove or change any of these settings or entries.

You're using the iConnect Access 622 ADSL Modem via Ethernet from Primus. There should have been a CD for the configuration. If you do not have that, take a look HERE and see if this matches your setup.[/B]
==================================
Please reopen HijackThis to 'do system scan only.' Check each of the following if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O24 - Desktop Component 0: (no name) - https://toolbox.iprimus.com.au/images/PrimusLogo.gif

Close all Windows except HijackThis and click on "Fix Checked."

Click on Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> Delete anything in the 'Web Pages' box except your home page> check 'Lock Desktop Items'> OK> Apply> OK

Let me know how that goes. Then I'll have you remove the cleaning tools.
 
Quick Update: Haven't been able to work on this today, because I've been out and it's late (after midnight) I'll put in some time tomorrow and get the results posted for you for tomorrow night.
 
The only thing you need to do for me is remove those 3 or 4 entries in HJT. The rest is for you to refer to the ISP.
 
Status
Not open for further replies.

Similar threads

Tekman777
Problems with Windows Update and Defender
Replies
0
Views
498
Tekman777
Tekman777
D
Mini PCs sold on Amazon contained factory-installed spyware
Replies
16
Views
404
Fastturtle
F
N
Several popular Minecraft mods are infected with Fracturiser malware
Replies
0
Views
618
nanoguy
N

Latest posts

Back