
Warning! S Detected On Your Computer.............help!!!

Discussion in 'Windows - Virus and spyware problems' started by blueduke, Jun 18, 2008.

  1. blueduke

    blueduke Member

    Joined:
    Jul 4, 2007
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    16
    Whenever I boot up my PC this message (Warning! Spyware Detected On Your Computer Install Anti Virus Or Spyware Remover To Clean Your Computer) appears on my desktop and won't go away. I ran Hijack This and here is the log file:

    What can I do to get rid of this?????
     
  2. blueduke

    blueduke Member

    Ran an Adaware scan and then ran Hijack This again and here is the latest logfile:

    Hope somebody can help me
     
  3. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hi blueduke,

    Click on Start >> Control Panel >> Add/Remove Programs,
    click on the following program:

    BrowsingEnhancer

    and click on Remove.


    Fix these entries using HiJackThis
    Launch HiJackThis
    Click the Do a system scan only button
    Put a check next to the entries listed below (if they still exist):


    O2 - BHO: BrowsingEnhancer - {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8} - C:\Program Files\BrowsingEnhancer\BrowsingEnhancer-2.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    Click the Fix checked button..


    Close HijackThis and reboot.




    Please download => ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

    Please download and install => SUPERAntiSpyware Free
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
    • Under the "Configuration and Preferences", click the Preferences... button.
    • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
    • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.

    • Click the "Close" button to leave the control center screen and exit the program.
    Do not run a scan just yet.


    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

    Scan with SUPERAntiSpyware as follows:
    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.

    • Click Close to exit the program.

    Reboot to Normal Mode

    Please post a fresh HijackThis log and the SuperAntispyware Log in your next reply and tell us if you still have problems.

    2OG
     
  4. edmund085

    edmund085 Guest

    hello

    I think you have a Vundo. But thanks. I have copied your HijackThis log. You helped me a lot in my research; thanks again.
     
  5. blueduke

    blueduke Member

    2oldGeek.............It's still there. Here are the logs:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/20/2008 at 00:53 AM

    Application Version : 4.15.1000

    Core Rules Database Version : 3486
    Trace Rules Database Version: 1477

    Scan type : Complete Scan
    Total Scan Time : 01:44:21

    Memory items scanned : 151
    Memory threats detected : 0
    Registry items scanned : 6316
    Registry threats detected : 10
    File items scanned : 68333
    File threats detected : 1

    Trojan.Unclassified/SmartEnhancer-J
    HKLM\Software\Classes\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}
    HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}
    HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}
    HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}#AppID
    HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\InprocServer32
    HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\InprocServer32#ThreadingModel
    HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\ProgID
    HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\Programmable
    HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\TypeLib
    HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\VersionIndependentProgID
    C:\PROGRAM FILES\BROWSINGENHANCER\BROWSINGENHANCER-2.DLL

    HiJack This log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:02:36 AM, on 6/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
    O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\dvd rect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176600440109
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

    --
    End of file - 8543 bytes

    Something interesting: on the desktop there is a shortcut for a program called "Ad-Watch". It has a shield for a logo and whenever I shut down XP, in the box where you choose Shutdown or Restart the same shield is over the Shutdown option. I went into Control Panel to remove this program and it isn't there. I started to delete the shortcut and was notified it would only delete the shortcut but not the program and was instructed to go into Add\Remove Programs in Control Panel to remove it, but as I said it isn't there.

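To make the cross-check in the two posts above concrete (2oldGeek's list of HijackThis entries to fix, and the SUPERAntiSpyware report that flagged the same BrowsingEnhancer CLSID), here is an added Python example; it is not from the thread, from HijackThis or from SUPERAntiSpyware. It parses HijackThis-format lines, collects the CLSIDs that a second scanner's report lists under CLSID registry keys, and reports entries that either point to a missing file ("(no file)") or share a CLSID with the scanner's detections. The sample log lines are constructed from entries quoted in the thread, and the function and class names are my own.

```python
"""Cross-check HijackThis entries against a second scanner's report.

Added example, not code from the thread or from either tool.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in HijackThis format, built from entries quoted in the thread.
SAMPLE_HJT = r"""
O2 - BHO: BrowsingEnhancer - {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8} - C:\Program Files\BrowsingEnhancer\BrowsingEnhancer-2.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample of a second scanner's report (SUPERAntiSpyware-style), from the thread.
SAMPLE_SCANNER = r"""
Trojan.Unclassified/SmartEnhancer-J
HKLM\Software\Classes\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\InprocServer32
C:\PROGRAM FILES\BROWSINGENHANCER\BROWSINGENHANCER-2.DLL
"""

# A COM CLSID in registry form: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis lines start with a section code (R0, R1, O2, O4, O23, ...) followed by " - ".
HJT_LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")


@dataclass
class HjtEntry:
    section: str            # e.g. "O2" (BHO), "O4" (Run key), "O9" (IE extra button)
    body: str               # everything after the section code
    clsid: Optional[str]    # first CLSID found in the line, upper-cased, or None
    no_file: bool           # HijackThis prints "(no file)" when the registered path is gone


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn HijackThis log text into structured entries; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, the running-process list, blank lines
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(HjtEntry(
            section=m.group("section"),
            body=body,
            clsid=c.group(0).upper() if c else None,
            no_file=body.endswith("(no file)"),
        ))
    return entries


def clsids_from_scanner_log(text: str) -> Set[str]:
    """Collect every CLSID the second scanner reported under a CLSID registry key."""
    flagged = set()
    for line in text.splitlines():
        if "CLSID\\" in line.upper():
            flagged.update(c.upper() for c in CLSID_RE.findall(line))
    return flagged


def review(entries: List[HjtEntry], flagged_clsids: Set[str]) -> List[Tuple[HjtEntry, List[str]]]:
    """Return the entries worth acting on, each with the reasons it was selected."""
    findings = []
    for e in entries:
        reasons = []
        if e.no_file:
            reasons.append("orphaned entry: the registered file no longer exists")
        if e.clsid and e.clsid in flagged_clsids:
            reasons.append("CLSID also reported by the second scanner")
        if reasons:
            findings.append((e, reasons))
    return findings


def run_sample() -> List[Tuple[HjtEntry, List[str]]]:
    """Run the cross-check over the constructed samples above."""
    return review(parse_hjt(SAMPLE_HJT), clsids_from_scanner_log(SAMPLE_SCANNER))


if __name__ == "__main__":
    for entry, reasons in run_sample():
        print(f"{entry.section} - {entry.body}")
        for reason in reasons:
            print(f"    -> {reason}")
```

Run against the samples it selects three entries: the BrowsingEnhancer BHO (CLSID corroborated by the second report) and the two "(no file)" entries, which is exactly the set 2oldGeek asked to have fixed; the Acrobat BHO, the QuickTime Run entry and the iPod service are left alone. A CLSID match only means the two tools agree on one component; as the rest of the thread shows, removing it does not by itself prove the rogue warning is gone, so the log should be re-checked after the fix.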
     
  6. 2oldGeek

    2oldGeek Active member

    Hi blueduke,

    Yeah, you got a Trojan.

    I am at work and limited on what I can do on this computer….

    Download and run SDFix.exe (google it)

    Then post a log from sdfix.. Your HJT log really doesn’t show this Trojan.

    The Ad-Watch is part of the Newer AdAware.. I never use it myself.

    Give SDFix a go and see what it does..

    2OG
     
  7. 2oldGeek

    2oldGeek Active member

    Hey blueduke,

    Now that I’m home I’ll repost…

    Download SDFix and save it to your Desktop.
    • Run the SDFix.exe by double clicking on it.
    • Allow it to install into the default location which is normally c:\SDFix

    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    • When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Attach the Report.txt file to your next message.

    Rerun SuperAntiSpyware in the Safe Mode and post the log along with Report.txt.

    2OG
     
    Last edited: Jun 20, 2008
  8. blueduke

    blueduke Member

    2oldGeek...........still have that darn thing. here are the logs you requested:

    Any more suggestions? Thanks so much for your help thus far. I really appreciate it
     
  9. blueduke

    blueduke Member

    Forgot to post the latest Hijack This log file:

     
  10. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey 2oldgeek, just wanted to post some ideas and advice. Hope that's not interrupting anything :)

    Hi blueduke. It seems that you have one of those newer rogue antimalware programs. This might render some older removal tools useless, but it's worth a try anyway.

    It will seem that you will not be able to boot into safe mode. Try it anyways. If it works, proceed with all of the scans mentioned below in safe mode. If not, normal mode will be just fine.

    First, download Smitfraudfix and run it. Post a log here.

    Secondly, follow Ltangel's instructions on downloading and running Combofix in this thread: http://forums.afterdawn.com/thread_view.cfm/639221 Post the log here.

    Third, download A-squared Free. Update it, and scan your computer with it. Do not remove anything, only post the scan log here.

    Best Regards :D
     
    Last edited: Jun 21, 2008
  11. 2oldGeek

    2oldGeek Active member

    Hey cdavfrew, normally when I get advice, it Costs me. LOL
    The ideas run in the same channel as mine..

    blueduke, please do what cdavfrew suggested and describe your symptoms a little more so we may be able to pin it down.. Thanks

    Hang in there, blueduke… This too shall pass.


    2OG
     
  12. blueduke

    blueduke Member

    Performed the scans you guys suggested and here are the reports:

    Some scary stuff here. What should I do next?
     
  13. blueduke

    blueduke Member

    Quick update:

    The "Warning! Spyware Detected On Your Computer....." box is off my desktop.

    Went ahead and quarantined the items found in the A-squared scan. Haven't deleted them yet. Just waiting on further instructions. 2oldGeek and cdavfrew, I thank you so much for your patience as well as your suggestions.
     
  14. 2oldGeek

    2oldGeek Active member

    Hey blueduke,

    Just saw your post as I was about to head out for work. Probably won’t get a chance to look at it until Sunday. Maybe cdavfrew will be by later…

    I think maybe you’ve made a dent in it,, hehe

    Later,
    2OG
     
  15. cdavfrew

    cdavfrew Regular member

    Hey blueduke.

    I only managed a very quick look over your logs. It seems that we have indeed put a dent in your malware, but A-squared also detected a whole lot of legitimate stuff on your computer, which was why I recommended not removing anything for fear of it being legitimate and safe. Please look over the log, and restore anything you know is safe. Post what you have restored here. I do not have the time to look over it carefully, so you have to do that yourself.

    I will also recommend posting the contents of C:\Windows\system32\tmp.reg. Open it in Notepad, and paste the contents here. Also, what is C:\Windows\system32\phclrej0ep6p.bmp? Is it a picture you know about? If not, delete it.

    Best Regards :D

    Edit: Now I'm back. Let's have a look at that a2 log of yours. Please note not to remove anything, only restore what I tell you to and leave the rest in quarantine. Also, if I tell you to check it on www.virustotal.com, please post the results here first before taking the action necessary.

    This is Kazaa, which is generally known as one of the more "bad" p2p clients, and is a program that definitely needs to be removed. Please uninstall Kazaa from your computer if it is there. Also leave this entry in the quarantine.
    Key: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\software\kazaa detected: Trace.Registry.KaZaA

    This is The Weather Channel FW. If you know and use this program, ignore these entries.
    c:\program files\the weather channel fw detected: Trace.Directory.Desktop Weather
    c:\program files\the weather channel fw\desktop weather detected: Trace.Directory.Desktop Weather
    c:\program files\the weather channel fw\desktop weather\desktopweather.exe detected: Trace.File.Desktop Weather
    c:\program files\the weather channel fw\desktop weather\eula.html detected: Trace.File.Desktop Weather
    c:\program files\the weather channel fw\desktop weather\install.log detected: Trace.File.Desktop Weather
    c:\program files\the weather channel fw\desktop weather\theweatherchannelcustomuninstall.exe detected: Trace.File.Desktop Weather
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The Weather Channel Desktop --> DisplayName detected: Trace.Registry.Desktop Weather
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The Weather Channel Desktop --> UninstallString detected: Trace.Registry.Desktop Weather

    DivoCodec is known as malware posing as a video codec. Please leave these entries in the quarantine, and restore them only if you experience any problems with video files. Also, uninstall DivoCodec from your computer.
    Value: HKEY_CLASSES_ROOT\Media Type\Extensions\.avi --> Source Filter detected: Trace.Registry.DivoCodec
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Media Type\Extensions\.avi --> Source Filter detected: Trace.Registry.DivoCodec

    While researching both ErrorSmart and RegistrySmart, I received very conflicting results. It is advisable to leave these entries in the quarantine unless you know and use ErrorSmart and RegistrySmart. Please check on www.virustotal.com whether or not it is detected as malware, and uninstall both these programs if it is. Also, it is not recommended to run registry cleaners, which both of these programs are, because they have no noticeable benefit on the system and have a great possibility of even crashing the system when used wrongly.
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\372450BD3522B904AA8D4923C8DCEBF0 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\473D1B29F95B96241830B6A6ADE19368 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5A144BD76064D1645B6E74C0734EE406 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\965DCC82BC551DF439B28676F8AB79E0 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCF26265A8C1F104A88C5E4B28BEAED2 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\Features --> OptimizerApplication detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> AuthorizedCDFPrefix detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Comments detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Contact detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> DisplayName detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> DisplayVersion detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> EstimatedSize detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> HelpLink detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> HelpTelephone detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> InstallDate detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> InstallLocation detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> InstallSource detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Language detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> LocalPackage detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> ModifyPath detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> NoModify detected: Trace.Registry.ErrorSmart
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Publisher detected: Trace.Registry.ErrorSmart

    You may leave all these entries in the quarantine.
    C:\Documents and Settings\owner\Cookies\owner@2o7[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\owner\Cookies\owner@doubleclick[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\owner\Cookies\owner@fastclick[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\owner\Cookies\owner@media.adrevolver[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\owner\Cookies\owner@media.adrevolver[3].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\owner\Cookies\owner@questionmarket[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt:15 detected: Trace.TrackingCookie
    C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt:16 detected: Trace.TrackingCookie
    C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt:17 detected: Trace.TrackingCookie
    C:\Config.Msi\c031b.rbf detected: Riskware.FraudTool.Win32.AntiSpywareBot.bd
    C:\Config.Msi\c031c.rbf detected: Riskware.FraudTool.Win32.AntiSpywareBot.ac

    Restore these entries, as these are part of SDFix and Smitfraudfix, and the commands within both programs may be detected by some antimalware.
    C:\Documents and Settings\owner\Application Data\Yahoo!\Mail\attach\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
    C:\Documents and Settings\owner\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
    C:\Documents and Settings\owner\Desktop\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
    C:\Documents and Settings\owner\Desktop\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f

    Please restore both entries, and upload these files to www.virustotal.com to check if they are malware. If they are, uninstall both programs immediately.
    C:\Program Files\DIGStream\digstream.exe detected: Riskware.Downloader.Win32.DigStream
    C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeContentHost.dll detected: Trojan-Downloader.Win32.Zlob.meq

    Restore these.
    C:\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
    C:\SDFix\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20

    You might want to flush your system restore points, as it seems that they are already infected. It is recommended to do so. Also, leave these files in the quarantine, if they have indeed quarantined successfully.
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011070.exe detected: Trojan.Win32.Obfuscated.lr
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011076.exe detected: Trojan.Win32.Obfuscated.en
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011077.exe detected: Trojan.Win32.Obfuscated.en
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011078.exe detected: Trojan.Win32.Obfuscated.en
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011083.exe detected: Trojan.Win32.Obfuscated.en
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0013729.exe detected: Trojan.Win32.Obfuscated.en
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018003.dll detected: Riskware.FraudTool.Win32.SpywareStop.b
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018004.dll detected: Riskware.FraudTool.Win32.AntiSpywareBot.bk
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018005.dll detected: Riskware.FraudTool.Win32.AntiSpywareBot.ai
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018044.exe detected: Riskware.RiskTool.Win32.Processor.20
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0020060.dll detected: Adware.Win32.Agent.atx
    C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP24\A0026239.exe detected: Riskware.RiskTool.Win32.Processor.20
     
    Last edited: Jun 22, 2008
  16. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Also, please remove the registry entry [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware] using regedit.
     
  17. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hey blueduke,

    Well looks like cdavfrew got to you first.. I’m fairly new to A-Squared so it’s taking me longer…. Lol
    Just do what he says and I think you’ll see a difference…….

    Cdavfrew, I’ll send you a copy of my A-Squared report for your analysis… I think I have one line detected and it’s a game from e-machine he he

    2OG
     
  18. blueduke

    blueduke Member

    Joined:
    Jul 4, 2007
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    16
    cdavfrew............did all you suggested but have some questions:

    1. How do I uninstall Divocodec? Can't find it in add\remove programs (I'm not very computer savvy, which by now you and 2oldgeek know is obvious)

    2. Did a search for the file C:\Windows32\phclrej0cp6p.bmp and can't find it. I have no clue what this picture would be

    3. Tried removing the file through regedit you suggested (HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware) but keep getting this error:
    application failed to initialize properly (0xc0000005) click ok to terminate application. Have I messed up my registry?

    4. How do I get the time and date in lower right of screen to display time normally? It's currently in military time and tried to change it back via control panel but when I click "Apply" after changes it still will not change.

    Thanks again for all the time you two guys have spent helping me
     
    Last edited: Jun 22, 2008
  19. blueduke

    blueduke Member

    Joined:
    Jul 4, 2007
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    16
    Almost forgot:

    Here's the contents of the file you wanted me to copy in notepad (C:\Windows\system32\tmp.reg):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Support audio cool poll"="C:\\Documents and Settings\\All Users\\Application Data\\INTERNET SPAM SUPPORT AUDIO\\dvd rect.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
     
  20. blueduke

    blueduke Member

    Joined:
    Jul 4, 2007
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    16
    Forgot something else...........when you say "flush system restore", how is this process performed?
     
