plagued by PUPS

(OP)
I have had a plague of PUPS including Search.Conduit, KeyBar 1.19, Ask.com and Whitesmoke and I would not be surprised if there is something else there.

Here is the HijackThis analysis

Scan saved at 11:17:35 AM, on 2/20/2014
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

FIREFOX: 25.0.1 (en-US)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\Program Files\Symantec\Norton Utilities 16\sMonitor\StartManSvc.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\IPS\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {739df940-c5ee-4bab-9d7e-270894ae687a} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SearchProtect] C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Con...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5C...
O18 - Protocol: intu-qt2009 - (no CLSID) - (no file)
O18 - Protocol: intu-tt2010 - (no CLSID) - (no file)
O18 - Protocol: intu-tt2011 - {B3B5DAD9-E96D-45B4-B636-B6CF2F773DE1} - C:\Program Files\TurboTax 2011\ic2011pp.dll
O18 - Protocol: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Norton Disk Doctor Service (DiskDoctorService) - Symantec Corporation - C:\Program Files\Symantec\Norton Utilities 16\Tools\Disk Doctor\DiskDoctorSrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
O23 - Service: Norton Utilities 16 Start Manager Service (NU16StartManagerSvc) - Unknown owner - C:\Program Files\Symantec\Norton Utilities 16\sMonitor\StartManSvc.exe
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Norton SpeedDisk Service (SpeedDiskService) - Symantec Corporation - C:\Program Files\Symantec\Norton Utilities 16\Tools\SpeedDisk\SpeedDiskSrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6665 bytes

My personal feeling is that these PUPS have been dragged in through auto updates of Firefox, Adobe and Java, where there is often no chance to view what has been installed. I have disabled these auto updates now.

The main symptom is loss of use of my "D" drive... On the last occasion I found Ask.com used on Internet Explorer, and I think I got rid of that, but after a day of good performance something else is a problem... Is anything revealed in this printout? Norton anti-virus finds nothing wrong.

Jim Broadbent
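Reading a HijackThis log by hand is tedious, and the tell-tale entries in the one above are easy to miss among the legitimate Norton, Java and Office lines. The script below is an added example, not something posted in this thread or part of HijackThis itself. It parses lines in the HijackThis report format and applies four defender's triage rules: entries HijackThis marks "(no file)" (orphaned registry pointers, harmless but worth clearing), O4 autoruns registered under the SYSTEM or Default user profile, names of the PUP families mentioned in the thread (SearchProtect/Conduit, Advanced Registry Optimizer, Whitesmoke, KeyBar, Ask.com), and autorun executables living under a profile's Application Data folder rather than Program Files. The sample log embedded in it is a constructed subset modelled on the entries above, not the full log; the rule names and the `Entry`/`Finding` types are this example's own.

```python
"""Triage a HijackThis log for leftover and PUP-style entries (defender's view)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis format, modelled on the entry types seen in
# the thread's log (this is not the full log from the post).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O3 - Toolbar: (no name) - {739df940-c5ee-4bab-9d7e-270894ae687a} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [SearchProtect] C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem (User 'SYSTEM')
O18 - Protocol: intu-qt2009 - (no CLSID) - (no file)
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\21.1.0.18\NIS.exe
""".strip()

# PUP families named in the thread; matched case-insensitively as substrings.
PUP_NAMES = ("searchprotect", "conduit", "advanced registry optimizer",
             "whitesmoke", "keybar", "ask.com")

# Reason strings are this example's own labels, not HijackThis output.
ORPHANED = "orphaned entry: registry points at a file that no longer exists"
SYSTEM_AUTORUN = "autorun registered under the SYSTEM or Default user profile"
PUP_NAME = "matches a PUP family named in the thread"
PROFILE_PATH = "autorun executable lives under a profile's Application Data folder"

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str        # HijackThis section code, e.g. O2, O4, O23
    body: str        # everything after "<code> - "
    clsid: str       # first {GUID} in the line, or "" if none
    orphaned: bool   # HijackThis printed "(no file)" for this entry
    line: str        # original line, kept for reporting


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_log(text: str) -> List[Entry]:
    """Parse the entry lines of a HijackThis report; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        guid = CLSID_RE.search(body)
        entries.append(Entry(code=m.group("code"), body=body,
                             clsid=guid.group(0) if guid else "",
                             orphaned="(no file)" in body, line=raw.strip()))
    return entries


def triage(text: str) -> List[Finding]:
    """Apply the triage rules to every entry; one entry may trigger several."""
    findings = []
    for e in parse_log(text):
        lower = e.body.lower()
        if e.orphaned:
            findings.append(Finding(e.code, ORPHANED, e.line))
        # Run keys under the SYSTEM (S-1-5-18) or .DEFAULT hive start a program
        # in the system context; installed desktop software rarely needs that.
        if e.code == "O4" and (r"HKUS\S-1-5-18" in e.body or r"HKUS\.DEFAULT" in e.body):
            findings.append(Finding(e.code, SYSTEM_AUTORUN, e.line))
        if any(name in lower for name in PUP_NAMES):
            findings.append(Finding(e.code, PUP_NAME, e.line))
        if e.code == "O4" and "application data" in lower:
            findings.append(Finding(e.code, PROFILE_PATH, e.line))
    return findings


def flagged_lines(text: str) -> List[str]:
    """Distinct entry lines with at least one finding, in log order."""
    seen, out = set(), []
    for f in triage(text):
        if f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

On the sample, the two SYSTEM-profile O4 lines and the three "(no file)" entries are the only ones flagged; the Norton service, the Java BHO and the HKCU ctfmon autorun pass every rule. The name list is deliberately short and thread-specific: for real triage the orphan and SYSTEM-profile rules, which need no signature, carry more weight than substring matches.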

RE: plagued by PUPS

Quote:

Norton anti-virus finds nothing wrong.

Nothing new there then.

Firefox does not bundle anything in its updates; unfortunately the same cannot be said of Norton, Adobe (with Flash updates) or Yahoo! (with just about everything). But the prime candidate for loading crap is the useless "Advanced Registry Optimizer".

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: plagued by PUPS

I have to agree with ChrisHirst about Advanced Registry Optimizer. I remove it every time I find it on family and friends' PCs...

RE: plagued by PUPS

(OP)
Well, my problems began back in October when Firefox made a rollout... I am getting tired of these rollouts, so I put a stop to new ones for a while.

Right now the system is working fine... When I opened Control Panel earlier I looked under Internet Options/General/Search settings/Toolbars and extensions.

I find several that I find suspicious...even though they are disabled

Research, Windows Messenger and Discuss

The reason I don't like these is that there is no publisher, they are in the "Not Available" section, and there is no easy way to remove them if I wanted to. In addition there is no file date or other info.

Now if they were legit I would have expected the first 2 to be published by Microsoft...the last I do not know.

Are these ok...or not? and how to remove them completely if they are not....

Where would I find "Advanced Registry Optimizer" and how do I remove it?

My computer runs fine for a while, then, like Whack-a-Mole, another problem rises a day or two later {sigh}

Jim Broadbent

RE: plagued by PUPS

Ngolen,

I agree it's a bit silly not to have a readily-identified publisher but...

Discuss has a class ID of {BDEADE7F-C265-11D0-BCED-00A0C90AB50F} and is the Microsoft Office "Web Discussions" Explorer Bar for IE.

Research has a class ID of {92780B25-18CC-41C8-B9BE-3C9C571A8263} and is also added by Microsoft Office.

Messenger is Microsoft's Windows Messenger. I have it switched off completely on my system so I can't look up the class ID.

All three are legitimate... but can be disabled. (I know I do!)

Hope this helps...

RE: plagued by PUPS

I will fix you up. Run the following in order (reboot if any ask you to BEFORE proceeding):
0. Run CCleaner to clean out temp files
1. Junk Removal Tool
2. Run Rogue Killer
3. Run Malwarebytes Anti-Malware. You need internet for it to update, so try regular mode, then safe mode with networking. If it won't update, run it anyway and see what it can remove. Then reboot and try the update, and run MBAM again if it updates.

Clean sources for programs:
http://www.filehippo.com/download_ccleaner/
http://www.bleepingcomputer.com/download/junkware-...
http://www.bleepingcomputer.com/download/roguekill...
http://www.majorgeeks.com/mg/getmirror/malwarebyte...


"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares."

RE: plagued by PUPS

Here is a diagnostic and removal narrative on Whitesmoke (in FF):

http://www.systemlookup.com/search.php?list=&t...=

Vince
ASAP Member (VopThis) - Alliance of Security Analysis Professionals
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

RE: plagued by PUPS

Just run JRT first (and other items) to see if that sorts it out. VOP - please let me handle this. The OP only needs to go in one direction at a time.

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares."

RE: plagued by PUPS

Thanks to goombawaho, vop, and allteltec for the list and other items. Hopefully I'll remember to check out a couple of those I hadn't looked into before. Well, hopefully I won't need them. The systemlookup.com site looked interesting in that you can just take the id for a file, and it'll tell you more about it. That could be very useful for diagnosing weird events on a machine.

"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57
