IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.
Status
Not open for further replies.
1 - 6 of 6 Posts

· Registered
Joined
·
7 Posts
Discussion Starter · #1 ·
I'm having a very difficult time getting rid of some adware that is resulting in a ton of popups telling me that my computer may be infected with spyware. I've downloaded and run Ad-Aware, Spybot, CWShredder, and Spy Subtract to no avail. Any help would be appreciated. Here is my most recent Hijack This log.

Logfile of HijackThis v1.99.0
Scan saved at 10:41:09 PM, on 01/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINDOWS\system32\fds\fasmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\fds\navupdts.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\Callisto Software\Orbiter Client\OrbClient.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Callisto Software\Orbiter Client\OrbMsgQueue.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\ayscl.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\trkexec.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\amy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rootsearch.biz/search.html
O4 - HKLM\..\Run: [Orbiter Message Queue] "C:\Program Files\Callisto Software\Orbiter Client\OrbMsgQueue.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [xidcTmIN] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [xidcTmú"ü‰üžigÝY] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtro32.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]*ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [K029RgMtW] trkexec.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\Software\..\Telephony: DomainName = fmr.com
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: CyberGatekeeper Agent - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FASM Server - Unknown - C:\WINDOWS\system32\fds\fasmsvc.exe
O23 - Service: NAVUpdater - Fidelity Investments, fisg - TSG - C:\WINDOWS\system32\fds\navupdts.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleOraHome81ClientCache - Unknown - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Callisto Software Orbiter Client - Callisto Software®, Inc. - C:\Program Files\Callisto Software\Orbiter Client\OrbClient.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

· Registered
Joined
·
49,013 Posts
http://securityresponse.symantec.com/avcenter/FxIstbar.exe

DL location for a removal tool

Note: from Symantec

Note:

* The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.
* The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.
* The removal tool will reset the Internet start page to a blank page. The start page can be modified by clicking on Tools > Internet Options in Internet Explorer.
* The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files.
These can be manually deleted using the following steps:
1. Start Internet Explorer.
2. Click Tools > Internet Options.
3. In the Temporary Internet Files section, click the Delete Files button.
4. Check Delete all offline content, and then click OK.

After running it, boot and post a new log
 

· Registered
Joined
·
7 Posts
Discussion Starter · #3 ·
Okay. Ran the Symantec Program as well as Ad-Aware and Spybot at startup. Here's the new log. I haven't encountered any problems yet, although sometimes they seem to take a while to kick in.

Logfile of HijackThis v1.99.0
Scan saved at 1:22:52 PM, on 01/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINDOWS\system32\fds\fasmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\fds\navupdts.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Callisto Software\Orbiter Client\OrbClient.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Callisto Software\Orbiter Client\OrbMsgQueue.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\ayscl.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\trkexec.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\amy\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rootsearch.biz/search.html
O4 - HKLM\..\Run: [Orbiter Message Queue] "C:\Program Files\Callisto Software\Orbiter Client\OrbMsgQueue.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [xidcTmIN] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [xidcTmú"ü‰üžigÝY] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]*ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HKCU] C:\WINDOWS\system32\cmd.exe /C Start "HKCU Updates" /MIN "C:\Program Files\current profile updates\hkcu.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [K029RgMtW] trkexec.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\Software\..\Telephony: DomainName = fmr.com
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: CyberGatekeeper Agent - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FASM Server - Unknown - C:\WINDOWS\system32\fds\fasmsvc.exe
O23 - Service: NAVUpdater - Fidelity Investments, fisg - TSG - C:\WINDOWS\system32\fds\navupdts.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleOraHome81ClientCache - Unknown - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Callisto Software Orbiter Client - Callisto Software®, Inc. - C:\Program Files\Callisto Software\Orbiter Client\OrbClient.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

· Registered
Joined
·
49,013 Posts
Print this out then boot to safe mode

Fix these entries

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rootsearch.biz/search.html

O4 - HKLM\..\Run: [xidcTmIN] C:\WINDOWS\ayscl.exe

O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe

O4 - HKLM\..\Run: [xidcTmú" ü‰üžigÝY ] C:\WINDOWS\ayscl.exe

O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁz î[ 8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe

O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú" ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe

O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]*ú" ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe

O4 - HKLM\..\Run: [HKCU] C:\WINDOWS\system32\cmd.exe /C Start "HKCU Updates" /MIN "C:\Program Files\current profile updates\hkcu.exe"

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKCU\..\Run: [K029RgMtW] trkexec.exe

O23 - Service: FASM Server - Unknown - C:\WINDOWS\system32\fds\fasmsvc.exe

O23 - Service: NAVUpdater - Fidelity Investments, fisg - TSG - C:\WINDOWS\system32\fds\navupdts.exe

Delete this file

C:\WINDOWS\ayscl.exe

And this folder
C:\Program Files\ISTsvc

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin

Post a new log
 

· Registered
Joined
·
7 Posts
Discussion Starter · #5 ·
Okay, I did everything and created a new log. It looks like a couple of the ayscl.exe files are still there though...

Logfile of HijackThis v1.99.0
Scan saved at 12:12:57 PM, on 01/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Callisto Software\Orbiter Client\OrbClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Callisto Software\Orbiter Client\OrbMsgQueue.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\amy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [Orbiter Message Queue] "C:\Program Files\Callisto Software\Orbiter Client\OrbMsgQueue.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]*ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\Software\..\Telephony: DomainName = fmr.com
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: CyberGatekeeper Agent - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleOraHome81ClientCache - Unknown - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Callisto Software Orbiter Client - Callisto Software®, Inc. - C:\Program Files\Callisto Software\Orbiter Client\OrbClient.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

· Registered
Joined
·
49,013 Posts
Print this out
Boot to safe mode

Run the Symantec fix again

Fix these

O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]*ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ayscl.exe

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete this file

C:\WINDOWS\ayscl.exe

And this folder
C:\Program Files\ISTsvc

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin
 
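Added example, not part of the thread and not HijackThis code: a small Python check that compares a "fix these" list against a follow-up log and reports which O4 Run entries survived, coping with the two quirks visible in the logs above (value names that contain `]` or a line break, and stray spaces that appear inside the garbled names when a list is reposted). The sample data is constructed, with shortened stand-ins for the garbled names, and the function names are hypothetical.

```python
import re

# A HijackThis entry starts with a section code such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# Greedy name group: the value name may itself contain ']' or a line break.
RUN_ENTRY = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(.*)\] (.+)$", re.S)

def join_entries(log_text):
    """Return log entries, gluing wrapped continuation lines back onto their entry."""
    entries = []
    for line in log_text.splitlines():
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries and line.strip():      # lines before the first entry are skipped
            entries[-1] += "\n" + line
    return entries

def run_key(entry):
    """Parse an O4 Run entry into a comparison key, or None for other entries."""
    m = RUN_ENTRY.match(entry)
    if not m:
        return None
    hive, name, command = m.groups()
    # Whitespace inside the name is dropped: reposted lists gain stray spaces.
    return hive, re.sub(r"\s+", "", name), command.strip().lower()

def has_unusual_name(entry):
    """Heuristic only: the value name holds characters outside printable ASCII."""
    key = run_key(entry)
    return key is not None and any(not " " <= ch <= "~" for ch in key[1])

def still_present(fix_list, follow_up_log):
    """Entries from the fix list whose key still appears in the follow-up log."""
    live = {run_key(e) for e in join_entries(follow_up_log)} - {None}
    return [e for e in join_entries(fix_list) if run_key(e) in live]

# Constructed sample data modelled on the thread's logs.
G = "\u00a2\u2030\u00b8u0\u00d4]*\u00fa"    # stand-in garbled name; contains ']'
IST = "C:\\Program Files\\ISTsvc\\istsvc.exe] C:\\WINDOWS\\ayscl.exe"
FOLLOW_UP_LOG = "\n".join([
    "Running processes:",
    "C:\\WINDOWS\\Explorer.EXE",
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.cnn.com/",
    "O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe",
    "O4 - HKLM\\..\\Run: [" + G + IST,
    "O4 - HKLM\\..\\Run: [\u00a2\u2030",    # name contains a line break, so the entry wraps
    "}\u00ef] C:\\WINDOWS\\ayscl.exe",
])
FIX_LIST = "\n".join([
    "O4 - HKLM\\..\\Run: [xidcTmIN] C:\\WINDOWS\\ayscl.exe",
    "O4 - HKLM\\..\\Run: [" + G.replace("*", "* ") + IST,   # stray space from reposting
    "O4 - HKLM\\..\\Run: [\u00a2\u2030",
    "}\u00ef ] C:\\WINDOWS\\ayscl.exe",
])

if __name__ == "__main__":
    for entry in still_present(FIX_LIST, FOLLOW_UP_LOG):
        print("still present:", repr(entry))
```

The fix list passed in must contain only entry lines, since any other non-blank line is treated as a continuation of the entry before it.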