A little help needed, please

Uninstall the "search assistant" in control panel - add/remove programs.

Also run spybot search and destroy.
[Message Edited]

Search assistant is not in the Add/Remove list, so cannot uninstall

Also as I have said above I have used three Spyware catchers these are:-
Spybot
Adaware
Spy Sweeper

Plus an Online scan at the Symantec website, I have also done a complete virus scan, also used HiJackThis

But thanks anyway




[Message Edited]

Stumpy, try Hijack this.  Make sure to post it to a forum where there are experts who can help you.  It can be get a little confusing, but the people at the forums really know a lot.
[Message Edited]

http://www.spy-bot.net/IGetNet.asp

hopefully that will get you on your way.

OOPS... I see you did that already. 

We need YRAG! or IP.

I would suggest going on the microsoft website they cover many of the problems you encouter when using windows XP.

http://www.microsoft.com

Stumpy
Go here
http://www.spywareinfo.com/~merijn/downloads.html
and get the StartUpList utility.
It won't remove anything, but it will show everything that starts when you boot up and where it is being started from

Ok, checkedd the options you have given

the window to My Documents still appears on startup

Search Assistant is still in the Right-Click menu of the Taskbar (does not appear on Restart only On a New Boot).

All spyware programs have been re-run all clear, registry has been searched and cleared of any dodgy entries.

Cannot find any place where the Taskbar Toolbars are kept

Thanks for the help you have given, if anyone can think of anything more it would be appreciated, thanks




[Message Edited]

Stumpy, if you click on the search toolbar, to what page does it take you? From the research I did just a few minutes ago, it seems there are two adware toolbars called 'Search Assistant', one by Blazefind.com, and one by lop.com. They also seem to be real devils to remove by all accounts. But from what I've found so far, they need to be treated differently so you need to know which version you have.

Stumpy, if you've run hijack this, you might want to check this thread to see if anything looks familiar: http://www.wilderssecurity.com/showthread.php?t=34589&goto=nextnewest

Shameless, clicking the Search takes me to Blazefind.com

http://sarc.com/avcenter/venc/data/adware.blazefind.html

 

There are also manual instructions for removing it here: http://www.securemost.com/articles/trou_3_remove_ie_searchbar.htm

If you have Norton's, I would use Koasati's link first, otherwise, the link I'm giving has a more complete list of the dll's and reg entries to remove it manually. The link I gave also indicates that Pest Patrol now has blazefinder on it's update list, so that might be a good way to go also. Pest Patrol is a very good spyware remover. Good luck.



[Message Edited]

Ok, thanks guys, I followed the instruction and the Search Assistant does not appear on Taskbar (but is still in the Right-click menu of the Taskbar)

Now there is still the problem of the "My Documents" window opening on startup

Any ideas guys & gals

Delete or move the folder...reboot and make a new my documents folder

Ok tried that, didn't work, what actually happens is this when window desktop appears a window opens (Explorer window) at the "My Documents" which resides at the bottom of the treeview list on the laft hand side and I have to close it manually

This has only started happening recently, never did before (there is no icon on the desktop, it is switched off in the Display Properties)

It's really bugging me now

if you have a recent registry backup, before these strange things, i would reload it... you miht have to reinstall recent programs but i think it could be a registry entry. if it's not a wayward shortcut, a malfunctioning dll, or a mis-printed start up option, it looks like something was tweaked deeper down. i just fixed a friend's machine of spyware, and his system32 folder stopped opening on startup. dispite the precautions you've taken, and the scans, something slipped through and altered something, and may still be there. it could, perhaps, be related to Office malfunctioning, as well.. that would also be fixed by a registry reload

Stumpy
Did you run the StartUpList utility?

If so, can you post the results?

http://www.doxdesk.com/parasite/


I dunno if it'll help but it's worth a shot, and only takes a minute.

StartupList was ran, everything in it I know, ther is nothing there that would cause this particular prob, the main problem (Search Assistant) was rectified, thanks,

I will run it again and post the results here.

Here goes, I hope some can see something I missed

StartupList report, 23/06/2004, 06:18:31 PM
StartupList version: 1.52
Started from : D:\Temp\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\logitech\MouseWare\system\em_exec.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\My Program Files\EmailBook\EmailBook.exe
C:\Program Files\WindowsSA\omniscient.exe
D:\Program Files\SysMetrix\SysMetrix.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Stardock\CursorXP\CursorXP.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
D:\Utility Programs\EasyNoterPro\easynoter.exe
D:\Utility Programs\KeySound\Nkboard.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\Rainlendar\Rainlendar.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Stardock\sdcentral.exe
D:\Temp\StartupList.exe



Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Dennis Hallman\Start Menu\Programs\Startup]
Nkboard.lnk = D:\Utility Programs\KeySound\Nkboard.exe
SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE



Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,



Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

1A:Stardock TrayMonitor = "C:\Program Files\Common Files\Stardock\TrayServer.exe"
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Logitech Utility = Logi_MwX.Exe
LogonStudio = "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
EmailBook = D:\My Program Files\EmailBook\EmailBook.exe
Windows SA = C:\Program Files\WindowsSA\omniscient.exe
SysMetrix = D:\Program Files\SysMetrix\SysMetrix.exe
jopa = C:\WINDOWS\System32\sysstartup.exe
BootSkin Startup Jobs = "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
QuickTime Task = "D:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC = D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
AVG7_EMC = D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
Outpost Firewall = D:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit



Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

FAXPrint = C:\WINDOWS\System32\awadpr32.exe /AM



Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CursorXP = D:\Program Files\Stardock\CursorXP\CursorXP.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
jopa = C:\WINDOWS\System32\sysstartup.exe
IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
Art Plus EasyNoter PRO 3.7 = "D:\Utility Programs\EasyNoterPro\easynoter.exe" /a



Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=wbsys.dll



Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\YU-GI-OH.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*




Enumerating Browser Helper Objects:

SpywareGuard Download Protection - D:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - c:\windows\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}



Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Uninstall Expiration Reminder.job



Enumerating Download Program Files:

[CoDetectDigitalRiver Class]
CODEBASE = http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = http://www.xblock.com/download/xclean_micro.exe

[DASWebDownload Class]
InProcServer32 = C:\WINDOWS\DASAct.dll
CODEBASE = http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate.microsoft.com/R824/V31Controls/x86/w98/en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[IMDownloader Class]
CODEBASE = http://www2.incredimail.com/contents/setup/downloader/imloader.cab

[Yahoo! Photos Easy Upload Tool Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\YDropperUK.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab



Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: C:\Program Files\Common Files\Stardock\mcpcore.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll


End of report, 9,272 bytes
Report generated in 0.250 seconds

Holy Cow....

/me goes and gets this to see what starts up with his PC

Stumpy - Do you have Office 2000 installed?

Try going to these entries in regedit and see if there's something spooky going on:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Stumpy

See this page for jopa (one of your registry - run entries)

http://www.kephyr.com/spywarescanner/library/sysstartup.jopa/index.phtml


There's a couple of other things I need to check on.