Remove Incredfind

Discussion in 'adware, spyware & hijack cleaning' started by LindaLouise, May 22, 2004.

Thread Status:
Not open for further replies.
  1. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi,

    My computer has Incredfind on it. I see a file in my regit but I would not delete it because I don't understand it.

    I notice on Spyware Blaster tools there is a custom blocking. Could I add this IncrediFind? I see the form asks for CLSID. What is this & how would I find what I need to fill this out?

    Thanks for your help.

    Linda
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi LindaLouise :)

    Welcome to Wilders.

    If your computer is already infected with IncrediFind, it would be a good idea to follow the instructions here,

    https://www.wilderssecurity.com/showthread.php?t=15913

    then post your HijackThis log in this thread and the experts will give u recommendations on any Malware found.


    snowbound
     
  3. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi,

    Thank you for your help. I ran Ad-Aware & Spybot S&D. My problem is when I am trying to access certain sites I get the Incrdifind search page instead. These could be sites I have used & have bookmarked or sites I click on within a site. I clearly remember the first time I saw Incredifind. I was at a site for sewing machines, allbrands.net. I clicked a link & incredifind appeared.

    I have run Spybot a few times. The first time it removed articles that did not reappear. The other times I got DSO Exploit - followed underneath if I clicked the + box a number of entries that looked something like:

    HKEY_USERS\S-1-5- etc. etc. \softwarew\microsoft\current version\internet settings

    When I clicked the Regit symbol it opend the regit to values of AB1004.

    What I just described is not the exact description. I gave a general over view.

    Most appreciative,

    Linda

    Logfile of HijackThis v1.97.7
    Scan saved at 10:51:52 AM, on 5/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Linda Craig\Local Settings\Temporary Internet Files\Content.IE5\9O8F550T\hijackthis1977[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://investtalk.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://online.excite.com/att/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_3_16_0.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [Tat] C:\WINDOWS\system32\pgtools\tatss.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: Start AT&T Worldnet Accelerator.lnk = C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AnyWho (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1075740468789
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19bb2dfe7655266f4405/netzip/RdxIE601.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E61BF375-3CAF-46B9-B6F6-B598A942BAFB}: NameServer = 12.102.240.2 204.127.160.2
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi LindaLouise,

    Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL

    O4 - HKLM\..\Run: [Tat] C:\WINDOWS\system32\pgtools\tatss.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19bb2dfe7655266f4405/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\Program Files\INCREDIFIND <= entire folder
    C:\WINDOWS\system32\pgtools <= entire folder
    C:\Program Files\Common Files\Dpi <= entire folder
    C:\WINDOWS\System32\internetfeatures.exe
    C:\WINDOWS\System32\iefeatures.exe

    Regards,

    Pieter
     
  5. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi Pieter,

    Could you please give me instructions how to :

    "Before you start please unzip hijackthis.exe to a folder of it´s own. "

    I have attempted to accomplish this but it is not working. I've done a search & found a number of files. Opened a new file from My Documents. Sent the hijackthis.exe file to it. When I tried to open it I got a message that Windows can not open it & needs to know what program created it.

    Please advise.

    Regards,

    Linda
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  7. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi Pieter,

    Thank you. I followed your link. I did have to use my System Restore because I was not able to use some sites I need. Therefore I ran the Hijackthis.exe again. I will post the results. If I am not told differently I will follow the instructions you posted prior.

    Thank you very much.

    Linda

    Logfile of HijackThis v1.97.7
    Scan saved at 8:15:34 PM, on 5/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Linda Craig\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://investtalk.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://online.excite.com/att/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_3_16_0.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [Tat] C:\WINDOWS\system32\pgtools\tatss.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: Start AT&T Worldnet Accelerator.lnk = C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AnyWho (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1075740468789
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19bb2dfe7655266f4405/netzip/RdxIE601.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E61BF375-3CAF-46B9-B6F6-B598A942BAFB}: NameServer = 204.127.160.1 12.102.240.1
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi LindaLouise,

    The advise stays the same. :)

    Regards,

    Pieter
     
  9. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi Pieter,

    I've printed the instruction to start in safe mode. When I start in safe mode how will I go about getting to the files I need to delete?

    Thank you,

    Linda
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi LindaLouise,

    The easiest way would be to do that in Explorer: http://www.onecomputerguy.com/app_info/explorer.htm

    As an example:
    C:\Program Files\INCREDIFIND

    Open explorer by doubleclicking the My Computer icon
    Doubleclick C: (drive icon)
    Doubleclcik Program Files (folder icon)
    Rightclick Incredifind (folder icon) and select Delete

    Regards,

    Pieter
     
  11. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi Pieter,

    I followed your instructions, deleting Incredifind folder from the safe mode. Now I will see what happens.

    Perhaps you could tell me how to stop the reoccurring notices that appear from Spy Bot. I need to use DoubleClick & Avenue A, Inc. I've gone to Spy Bot's site but have not been able to find information on how the set Syp Bot.

    Thank you so much for your help. Computers are very confusing when one does not understand how they work. You folks are very kind to be so helpful & generous sharing your time & knowledge.

    Regards,

    Linda
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  13. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi Pieter,

    I don't want to block Double Click & Avenue A, Inc. I need them to do my work. What I want to stop is the warnings I get from Spy-Bot. Is there a way I can manage Spy-Bot so it ignores giving me warnings on Double Click & Avenue A, Inc?

    So far so good. Incredifind has not reapeared.


    Thank you.

    Regards,

    Linda
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I have to pass on that one. As far as I know you can have Spybot block silently, but not allow spyware without giving you notification.

    You would have to stop Immunization completely I'm afraid.

    Regards,

    Pieter
     
  15. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi Pieter,

    Thank you for all your help. So far, so good. I am so happy to resolve this issue.

    I have McAfee anti-virus, Zone Alarm, Spyware Blaster, Ad-Aware, & Spy Bot installed. Do you believe this is appropriate?

    Regards,

    Linda
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  17. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi Pieter,

    No, I was not aware of these sites. I will read them. Again Pieter, thank you for your time & talent.

    I will check back in for an update.

    My best wishes,

    Linda
     
  18. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi,

    My update is I have had conflicts with the various softwares I installed. At one point my computer was not able to access internet pages apparently because I uninstalled Zone Alarm.

    I would get Page can not be displayed message. My provider figured the problem was I could not connect with tell net to any site using Port 80.

    I've worked around this by using the system restore a few times. I was then able to get to download.com & get Zone Alarm again & reinstall it. Now my computer has a bit more access yet some of the pages are not correct.

    During my time with tech support I was told the free versions of the programs to clear my problem put trackers & other software that can cause conflict.

    A program that was recommend is EZ Armor Security Suite.

    Also after all this fussing around I don't think my McAfee Virus Scan is working.

    I would appreciate any input as to what I might consider doing next.

    Thank you,

    Linda
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Linda, i'm no expert in this, but as far as i remember from the ancient times when i last had mcafee on my system: it doesn't accept any other av installed (althopugh i just put it on other partitions and none resident and not scanning with them when mcafee was resident) and it doesn't install well if the system is infected.
     
  20. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi,

    I did get a notice a file was corrupt & the installation did not seem to complete appropriately. I do not believe it is working.

    Linda
     
  21. LindaLouise

    LindaLouise Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Hi,

    I installed AVG anti-virus system because McAfee was not working. I also installed Zone Alarm. Does it make sense that my conflict was because of Spy-Bot? That seemed to be the issue. My computer seems stable now without the Spy-Bot. Perhaps I have too many protective programs installed.

    Thank you,

    Linda
     
Thread Status:
Not open for further replies.