Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Quote (") change on Regedit.exe "%1" on start

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Quote (") change on Regedit.exe "%1" on start

Unread postby Incoming » July 18th, 2005, 1:44 am

Hi.

My computer has been running fine since a little malware incident a few months back. This changed though as I briefly installed "Fruity Loops" (latest version) just to try it out for a bit. I uninstalled it again a short time thereafter and the next time I restarted my computer, Ad-Watch gave me the following message on Windows start:

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Warning! 07:24:47

An attempt to alter a protected object has been detected.
(Attempt to change a registry value)

Root: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Classes\regfile\shell\open\command
Value:
Data: "regedit.exe" "%1"
New Data: regedit.exe "%1"
- - - - - - - - - - - - - - - - - - - - - - - - - - - -

Spybot S&D also alerted me on the same change.
It doesn't matter whether I chose to accept this change or deny it, the same "warning" still comes up after every single reboot.
I know it doesn't look like much of a "change", but still it's pretty annoying to be notified about every time windows starts.
I have a HJT log included last in this post.

I'm running Windows XP Pro (Swedish) with SP2
I currently have Ad-Aware (with Ad-Watch) running, as well as Spybot S&D and Norton Antivirus 2003 (all with updated definitions etc.)

Thanks for any help you might be able to give me !

/ Incoming


Logfile of HijackThis v1.99.1
Scan saved at 07:32:09, on 2005-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat

6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Temp\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [AWMON] "C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -

http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupdate.microsoft.com/v ... 6272476483
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia

Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec

Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
Incoming
Active Member
 
Posts: 9
Joined: June 7th, 2005, 7:17 am
Advertisement
Register to Remove

Unread postby Bertha » July 18th, 2005, 3:17 pm

Incoming,

Hello! and welcome to the MWR forums.

-Print this off so you can follow it

Be sure to look this solution over before you begin.

I dont see much in your HJT Log, lets remove whats there first then tackle the issue abvove

===============

We'll need to unload Spybot's Teatimer before we begin. To do this, right-click on the icon in the quick launch toolbar at the bottom on the screen, then select "Exit".

===============

We'll need to disable AdAware's AdWatch, since it might interfere with other program(s) we might be using to 'clean' off your system; you can re-enable it after we're done. To disable this feature, run Run AdAware SE, then:

1. Click "AdWatch".
2. Click "Tools and Preferences".

(Look at the bottom of the window you will see two options...)


3. Uncheck these options:

Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically


Remember to re-enable this feature once your system is clean.

===============

If you haven't ran HouseCall lately, let's go back to www.trendmicro.com, download the latest definitions, and run it.

===============


Run HiJackThis and click "Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab


Now, with all windows closed except HiJackThis, click "Fix checked".

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

===============

Post back a new log, and let me know how everything goes.

-
Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Nellie2 » August 12th, 2005, 6:45 pm

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

The help you receive here is free, but you can help support this site from this link if you wish:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 24 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware