   Mischel Internet Security Forum
   RunOnce Entry Reloads and Runs Forever! 2nd
panura
Newbie
Posts: 5
RunOnce Entry Reloads and Runs Forever! 2nd
« on: Oct 17th, 2006, 9:31pm »

=Re-submitted=
I must have several different spyware and trojan solutions installed and I always or frequently use them.
 
For instance,
SpyBot S&D, AVG, Ewido!, XoftSpySE,  SE Adware SEPlus, TrojanHunter (just tried today)
 
Still I'm having a Problem.
 
There’s an  item that appears and reappears that concerns me because I haven’t seen it before.  No matter what I do to disable or remove this entry, it comes right back.  Ad-Watch Monitoring shows it immediately resurfaces as soon as I try to disable or remove it, often followed by ctfmon.exe
 
If I ignore these two for a while and follow up with XoftSpySE, as I always do, before signing off or hibernating, then any combination of Hi Risk stuff, often in large numbers show up (only with XoftSpySE).
 
Most recently I removed : (7)-Real Spy, (2) MediaMotor and (1) New Dial.  I’m now compelled to do this several times a day!
 
Below I provide: 1. AutoRun Entries,    2. a recent Hijack log.  (partial in reply to posted instructions).
 
What . . . to do??
 
Thanks Al F.
 
1. Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
 
InstallShieldSetup = C:\PROGRA~1\INSTAL~1\{C4F1A~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{C4F1A~1\reboot.ini  -l0x9
 
 
2. Partial Logfile of HijackThis v1.99.1
Scan saved at 10:17:28 PM, on 10/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Owner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Temporary Inbox - {F05F3153-08B2-44A6-8A0B-132011E28F21} - C:\Program Files\Temporary Inbox\untitled.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{C4F1A~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{C4F1A~1\reboot.ini  -l0x9
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Brother Control] C:\Program Files\Brother\ControlCenter2\brctrcen.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Start Mailloop 7.lnk = C:\Program Files\The Internet Marketing Center\Mailloop 7\ML7.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: ePad995.lnk = C:\Program Files\ePad995\ePad995.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\A
 
The TEXT flash was removed from this post because it was causing IE to want to download ActiveX.
 
 
 
« Last Edit: Oct 18th, 2006, 4:16am by panura » IP Logged
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Posts: 5815
Re: RunOnce Entry Reloads and Runs Forever!
« Reply #1 on: Oct 17th, 2006, 11:54pm »

Welcome to the forum, panura.
 
You apparently have a long HJT log.  Please break the log into 2 posts so that we can examine the entire log.  
 
There is a post length restriction on this forum that is causing it to clip off part of your HJT log.  
 
IP Logged

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
Posts: 5815
Re: RunOnce Entry Reloads and Runs Forever! 2nd
« Reply #2 on: Oct 18th, 2006, 4:28am »

Also, I refer you to the forum below where a user has experienced the very same problem that you have with the reboot.ini.  It appears to be an old problem with InstallShield.
 
http://community.installshield.com/showthread.php?t=107493
 
I recommend that you join the above forum and see if the professionals there can resolve this specific issue for you concerning the:
 
Quote:
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{C4F1A~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{C4F1A~1\reboot.ini  -l0x9  
IP Logged

siliconman01
Global Moderator
Posts: 5815
Re: RunOnce Entry Reloads and Runs Forever! 2nd
« Reply #3 on: Oct 18th, 2006, 4:45am »

Another thing you may wish to try is:
 
1.  Be sure Ad-Watch and SpyBot are set to NOT block changes to your startup registry entries.  You have to be sure that you disable these features within Ad-Watch and SpyBot.  Just stopping the programs themselves will not stop the startup registry guarding logic.
 
2.  Run a HJT scan.
 
Place a checkmark in the box next to the entry below.  Be sure it is the only box checked.
 
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{C4F1A~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{C4F1A~1\reboot.ini  -l0x9
 
3.  At the bottom left of the HJT window, click on Fix Checked and then confirm that you want this item fixed.
 
4.  After the fix is completed, close HJT and reboot your computer.
 
IP Logged

panura
Newbie
Posts: 5
Re: RunOnce Entry Reloads and Runs Forever! 2nd
« Reply #4 on: Oct 18th, 2006, 7:31am »

Thanks for your advice, Siliconman.
 
However:
Ad Watch is set OK.
I cannot delete this 04 Entry in HijackThis
 
It just appeared twice (first time) in SpyBot S&D Startup.
When I deleted both, closed out S&D, then re-opened it. . . the same 04 Item reappears.  It says I blacklisted it!  But I didn't.
The TeaTimer selection never appeared for it.
 
In addition something keeps turning off TeaTimer.
 
Awhile ago I was on the net checking stock prices.  When I closed out Firefox, my desktop folders were scrambled!
IP Logged
siliconman01
Global Moderator
Posts: 5815
Re: RunOnce Entry Reloads and Runs Forever! 2nd
« Reply #5 on: Oct 18th, 2006, 8:10am »

Please update the rulesets on your Trial version of TrojanHunter to the latest rulesets.  To do this, refer to this link:
 
http://www.misec.net/trojanhunter/updating/
 
Note: When you are extracting the new rulesets into the RulesFile folder, let it overwrite what is already there.
 
Open TH scanner and select the Options icon on the left side.  Checkmark every option except the very last one which is to log files with double extensions.  Close TH scanner.
 
Then reboot your computer into SAFE MODE.  
 
Run a FULL Scan with TH scanner and let it quarantine what it finds.
 
Reboot into normal mode.
 
Post the log file from the TH scan/cleaning.
 
Post a New and complete HJT scan log.
 
IP Logged

panura
Newbie
Posts: 5
Re: RunOnce Entry Reloads and Runs Forever! 2nd
« Reply #6 on: Oct 18th, 2006, 11:05pm »

Siliconman.
 
Just a note.  Yesterday I also emptied Prefetch folder to get rid of RunOnce items.  Didn't work.
 
Did follow your suggestions earlier today.
 
Is it possible to send log as an attachment because I can't send at one time? Trojan Log is huge.
Final result: No Trojans.  Curiously, the 04 Item is gone!
 
Logfile of HijackThis v1.99.1
Scan saved at 4:27:11 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\Safer Haven\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Owner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Spy Protector] C:\Program Files\Security Task Manager\SpyProtector.exe /autostart
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Brother Control] C:\Program Files\Brother\ControlCenter2\brctrcen.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra 'Tools' menuitem: RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra button: TaskBar - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra 'Tools' menuitem: RoboForm TaskBar Icon - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra button: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra 'Tools' menuitem: Logoff - {320AF880-6646-11D3-ABEE-C5DBF3571F55} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComLogoff.html
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra 'Tools' menuitem: Passcards Editor - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra button: Safenotes - {45DB34C3-955C-11D3-ABEF-444553540002} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditNote.html
O9 - Extra 'Tools' menuitem: Safenotes Editor - {45DB34C3-955C-11D3-ABEF-444553540002} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditNote.html
O9 - Extra butto
IP Logged
siliconman01
Global Moderator
Posts: 5815
Re: RunOnce Entry Reloads and Runs Forever! 2nd
« Reply #8 on: Oct 19th, 2006, 2:22am »

Very glad to hear that the reboot.ini 04 entry is gone.  I "suspect" that rebooting into SAFE MODE allowed it to do whatever the InstallShieldSetup needed to do.  Thus the RunOnce entry completed its work and no longer should appear.
 
Your HJT scan log is still getting clipped off.  In order to check thoroughly for possible infections, we need to see the ENTIRE HJT scan log.  Please break the log into 2 parts and post each part separately.  
 
Concerning the very long scan log with TrojanHunter, here's what I suspect is needed in order to make future scans more "readable".  Unfortunately this forum does not permit attachments.
 
1.  You probably have several log items concerning Alternate Data Streams (ADS) being present.  After the TH scan completes, click on "Delete ADS stream" for each of these files and then confirm that you want to delete the stream.  This will permanently delete the ADS stream attached to that file- an action which should be done because ADS streams are places where malicious items can hide.  Once you do the delete, the file message will no longer appear in future TH scans.
 
2.  I suspect that you are getting a lot of items that are associated with the locked quarantine folder of SpyBot S&D.  TH cannot unlock these files...which is normal.  You can stop TH from scanning this folder and generating these log messages by:
 
-  Open TH scanner.
-  Click on the SCAN icon on the left side bar.
-  Locate your C: hard drive in the list of items to be scanned and click on the + sign to expand it.
-  Click on the + sign next to Documents and Settings and drill on down until you find the SpyBot quarantine folder.  Uncheck that folder.  TH will no longer scan that unchecked folder.
 
Again, please break your HJT into two separate posts so that I can take a look at the entire log.
 
BTW, you should update your ewido 4.0 to the latest version of this program which is AVG 7.5 Antispyware V7.5.0.50.  Several bugs are fixed in this new version.
« Last Edit: Oct 19th, 2006, 2:28am by siliconman01 » IP Logged
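
Added example, not part of the original posts and not code from HijackThis or TrojanHunter: a small Python script that parses the O4 autostart lines of the two HijackThis logs posted in this thread and reports what changed between the 10/14 and 10/18 scans, including any RunOnce value that survives unchanged from one scan to the next. The function names and the "stuck_runonce" label are made up for this illustration.

```python
import re

# The two O4 line shapes that appear in the HijackThis logs in this thread.
REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
LNK_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")

# O4 lines copied from the thread's 10/14 and 10/18 scans. Entries that are
# identical in both scans are trimmed to two to keep the sample short.
SCAN_OCT14 = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{C4F1A~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{C4F1A~1\reboot.ini  -l0x9
O4 - Startup: Start Mailloop 7.lnk = C:\Program Files\The Internet Marketing Center\Mailloop 7\ML7.exe
O4 - Global Startup: ePad995.lnk = C:\Program Files\ePad995\ePad995.exe
"""
SCAN_OCT18 = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Spy Protector] C:\Program Files\Security Task Manager\SpyProtector.exe /autostart
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""


def parse_o4(log_text):
    """Map (location, name) -> command for every O4 autostart line."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries[(hive + "\\" + key, name)] = cmd.strip()
            continue
        m = LNK_RE.match(line)
        if m:
            loc, name, cmd = m.groups()
            entries[(loc, name)] = cmd.strip()
    return entries


def diff_autostarts(before, after):
    """Compare two parsed scans: added, removed, and unchanged RunOnce values."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    # A RunOnce value is meant to be deleted once it has run, so one that is
    # present with the same command in both scans is the one to look into.
    stuck = sorted(k for k in before
                   if k[0].endswith("RunOnce") and after.get(k) == before[k])
    return {"added": added, "removed": removed, "stuck_runonce": stuck}


if __name__ == "__main__":
    result = diff_autostarts(parse_o4(SCAN_OCT14), parse_o4(SCAN_OCT18))
    for label, keys in result.items():
        print(label)
        for location, name in keys:
            print("   ", location, "->", name)
```

Fed two complete logs saved before and after a reboot, the same comparison shows whether a RunOnce value such as InstallShieldSetup has actually been consumed or has been written back.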
