[Fixed] pest trap pop ups slowed download xp

  #7  
Old 07-05-2006
camg
Bronze Member
Join Date: Jul 2006
Posts: 12

Thanks, Genie.

So I will have IE and Firefox clear cookies. That should do it, right?


  #8  
Old 07-06-2006
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,532
PC Experience: Elite PC Guru

central24 is a SpyBot false positive.

http://66.102.7.104/search?q=cache:t...u&ct=clnk&cd=4

These two have been removed, so I can't see why they are showing up. Never seen that before.

securityrisks
smithfraud C

I also noticed that you had TeaTimer running before. This may have prevented some of the changes, and that is why these are still showing.

I don't think it will help, but let's remove these from the registry.

Copy and paste all of this from within the box into Notebook, then go to FILE and SAVE AS. "All Files" must be selected in the "Save as Type" box. In that box type Fix.reg and save it to your Desktop. Double-click it to merge it into the registry.

Code:
REGEDIT4

; Delete the InProcServer32 registration of C:\WINDOWS\system32\guxxa.dll
; for this CLSID, machine-wide and for the current user.
[-HKEY_CLASSES_ROOT\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
[-HKEY_CURRENT_USER\Software\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]


__________________
My real name is Eddy

Last edited by Pancake; 07-06-2006 at 02:02 AM.
  #9  
Old 07-06-2006
camg
Bronze Member
Join Date: Jul 2006
Posts: 12

About a year back I had run HijackThis, SpyBot and Ad-Aware because my computer had an infection. It has been showing up since then. It seems to have 'immunized' it against further attacks. I haven't had any pop ups before this one last week (which is fixed thanks only to your generous help).

If it resides in the system and won't do harm, I have nothing against it.

Is it harmless in that case? Do I need to post a HijackThis log? Will it help, Pancake?


  #10  
Old 07-06-2006
camg
Bronze Member
Join Date: Jul 2006
Posts: 12

You have got to be correct, because on following the instructions at http://russelltexas.com/malware/teatimer.htm to disable the TeaTimer (I followed it) I still did not get the allow change window. Interestingly, since the computer has been 'fixed' I don't get that window anymore for any new thing I add. This is in spite of the fact that earlier, if I changed anything, it would prompt me to allow the change.

Should I repeat the cleaning process all over again? I can do it if it is OK with you.


  #11  
Old 07-06-2006
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,532
PC Experience: Elite PC Guru

No, the infection is dead. It's just picking up a leftover file from somewhere. Just out of interest, you could do this for me, just to see that there is nothing hidden....

Download SILENT RUNNERS to a new folder. Unzip if zipped, and run the Silent Runners.vbs file.
Open the "Startup Programs.txt" file it creates, and copy/paste the contents to this post, please.
The "Startup Programs.txt" file will be in the folder you ran the "Silent Runners.vbs" file from.


  #12  
Old 07-06-2006
camg
Bronze Member
Join Date: Jul 2006
Posts: 12
thanks so much Pancake

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"getmail" = ""C:\Program Files\PaulB\GetHotmail\GetMail\GetMail.exe"" [file not found]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"PcSync" = "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog" ["Time Information Services Ltd."]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"WUSB54Gv2" = "C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [null data]
"sunasDTServ" = "C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe" [file not found]
"(Default)" = (empty string)
"sunasServ" = "C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe" [file not found]
"pdfSaver3" = (empty string)
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray" ["Nokia"]
"DataLayer" = "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" ["Nokia Mobile Phones Ltd."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
"WinPatrol" = "C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" ["BillP Studios"]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]


