Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Multiple problems with virus & BHO help please...thankyo

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby agrarianmonk » July 23rd, 2006, 5:15 pm

this is odd...

can you clarify a bit? do you get the end program notification when you boot into safe mode? or when you go from normal mode-->safe mode.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
Advertisement
Register to Remove

Unread postby footsteps » July 24th, 2006, 11:14 am

Hi Teatimer (End Program) message appeared as I tried to restart computer into safe mode.

I've also scanned with Adaware and it found 18 critical objects, all WinAntivirusdPro2006. I thought I'd check with you before I deleted these.

Now going to see if I can get the GMER program to scan without freezing the pc.

dave
footsteps
Regular Member
 
Posts: 31
Joined: May 16th, 2006, 2:04 pm
Location: Midlands

Unread postby agrarianmonk » July 24th, 2006, 11:47 am

yes go ahead and delete them :)
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby footsteps » July 24th, 2006, 1:33 pm

Hi, I've deleted the files found by Adaware. Done a scandisk.
In safe mode I still cannot get the taskbar to work and if I try to use the Windows key or ctrl+esc nothing happens. Can only get out of safe mode by turning pc off.

GMER ...not responding after 20 minutes (how long should it run?)

WinAntivirusPro icon still in control panel.

WindowsDefender(Beta) says new updated version available...tried to download it and netscap appeared. I have not set anything to use Netscape to access the net.

dave :)
footsteps
Regular Member
 
Posts: 31
Joined: May 16th, 2006, 2:04 pm
Location: Midlands

Unread postby footsteps » July 24th, 2006, 1:42 pm

Just deleted WinDefender and tried to install latest version, Spybots s&d is stopping the validation program, I've ticked allow changes and it still wont let me download it :(
footsteps
Regular Member
 
Posts: 31
Joined: May 16th, 2006, 2:04 pm
Location: Midlands

Unread postby agrarianmonk » July 24th, 2006, 1:51 pm

hmm...

try this scan:

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
      Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby footsteps » July 24th, 2006, 2:05 pm

here's the scan:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Acme.PCHButton" = "C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe" ["Motive Communications, Inc."]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"HPHUPD06" = "c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" ["Hewlett-Packard"]
"HPHmon06" = "C:\WINDOWS\system32\hphmon06.exe" ["Hewlett-Packard"]
"Home Theater SchSvr" = ""C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"" ["InterVideo Inc."]
"WINREMOTE" = ""C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"" ["InterVideo Inc."]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"LSBWatcher" = "c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" ["Hewlett-Packard Company"]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Labtec Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Labtec Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Labtec Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
"KBD" = "C:\HP\KBD\KBD.EXE" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ST"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MSNToolBandBHO"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Program Files\Sonic RecordNow!\shlext.dll" [null data]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Labtec Pictures"
-> {HKLM...CLSID} = "My Labtec Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Labtec Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a-squared Context Menu Shell Extension"
-> {HKLM...CLSID} = "a-squared context menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" ["Emsi Software GmbH"]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a-squared context menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" ["Emsi Software GmbH"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\kaylee\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\DADSAR~1.SCR" (Dads Army.scr) ["MacSourcery"]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\cmdcons\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\I386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\TOOLS\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\hp\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]


Startup items in "kaylee" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\kaylee\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
INFECTION WARNING! "palstart.exe" [null data]
"PHRS - WP Link" -> shortcut to: "C:\Program Files\PHRS\LibMan.exe PHRS" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
-> {HKLM...CLSID} = "HP view"
\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
-> {HKLM...CLSID} = "HP view"
\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = (no title provided)
-> {HKLM...CLSID} = "HP view"
\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\(Default) = "HP view"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.wanadoo.co.uk

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
iPodService, iPodService, "C:\Program Files\iPod\iPod Updater 2005-09-23\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 84 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 21 seconds.
---------- (total run time: 158 seconds)

can I just say thanks for sticking with me through this....I thought it was going to be simple
:)
footsteps
Regular Member
 
Posts: 31
Joined: May 16th, 2006, 2:04 pm
Location: Midlands

Unread postby agrarianmonk » July 24th, 2006, 2:11 pm

Hi is the WinAntivirus Folder still on your computer (either in C:\Program Files\ or in your recycle bin?)
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby footsteps » July 24th, 2006, 2:16 pm

Its not in wastebin or program files (I think I've looked in program files there before and it wasnt in there).

There is still an icon for it in control panel
footsteps
Regular Member
 
Posts: 31
Joined: May 16th, 2006, 2:04 pm
Location: Midlands

Unread postby agrarianmonk » July 24th, 2006, 2:17 pm

ok, i think we're going to have to do this the hard way. sit tight; i'll be back as soon I can construct a fix ;)
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby agrarianmonk » July 24th, 2006, 2:25 pm

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
WinAntiVirus

[Exclude]
(none)

[Options]
Filter=KVDLUI


2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby footsteps » July 24th, 2006, 2:43 pm

I've copied regsearch.zip to the desktop, when I right click it I have the following options (Using winrar):
Open,Explore,Extract files,extract files here,scan with AVG etc
can I make a folder called regsearch on the desktop & unzip it in there?

I've done options.txt file
footsteps
Regular Member
 
Posts: 31
Joined: May 16th, 2006, 2:04 pm
Location: Midlands

Unread postby agrarianmonk » July 24th, 2006, 2:43 pm

yes you may do that :)
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby footsteps » July 24th, 2006, 2:49 pm

I think I diod it correctly, here's the log:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 24/07/2006 19:46:55 for strings:
; 'winantivirus'
; Strings excluded from search:
; '(none)'
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe"="C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe:*:Enabled:updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe"="C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe:*:Enabled:updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe"="C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe:*:Enabled:updater.exe"

[HKEY_USERS\S-1-5-21-3368898889-3369890766-93709836-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com]

[HKEY_USERS\S-1-5-21-3368898889-3369890766-93709836-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\de]

[HKEY_USERS\S-1-5-21-3368898889-3369890766-93709836-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\download]

[HKEY_USERS\S-1-5-21-3368898889-3369890766-93709836-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\www]

[HKEY_USERS\S-1-5-21-3368898889-3369890766-93709836-1010\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\WinAntiVirus Pro 2006\\WinAV.exe"="WinAntiVirus Pro 2006"
"C:\\Program Files\\WinAntiVirus Pro 2006\\VAExt.exe"="WinAntiVirus Pro 2006"

; End Of The Log...
footsteps
Regular Member
 
Posts: 31
Joined: May 16th, 2006, 2:04 pm
Location: Midlands

Unread postby agrarianmonk » July 25th, 2006, 12:28 am

I just wanted to let you know I haven't forgotten about you. I'm getting my plan checked by another expert to make sure its the correct one.

thanks for your patience ;)
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware