Redirected Google web searches + Random Pop Ups


Re: Redirected Google web searches + Random Pop Ups

Post by Bio-Hazard » September 26th, 2009, 11:22 am

Please do not do any updates as this will affect the fixes we are making.


Can you please run this command through the Run box.


Code:
regsvr32 wbemprox.dll


==================================================================


For the heck of it, let's try the cacls command from the C: drive one more time with a little different method.
While signed in as Tenmeg, copy the contents of the code box to notepad. Save the file in the C: drive and name it lastperms.bat

So now you'll have C:\lastperms.bat

Code:
cacls %Systemdrive% > newperms.txt && start notepad newperms.txt




Double click on lastperms.bat to run it.

When finished it will open a file named newperms.txt

Post the contents of C:\newperms.txt please. We'll see if this command works to get the changed permissions.


==================================================================

Create a new folder on your desktop.
Copy the contents of the code box to notepad. Save the file as look.bat and save it in the new folder you just created.

Code:
swreg acl HKCR\CLSID > rights.txt
(
swreg acl  HKCR\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
swreg acl  HKCR\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
swreg acl  HKLM\Software\Microsoft\WBEM\CIMOM
) >>rights.txt

Start notepad rights.txt



Run look.bat
When finished it will open a text file named rights.txt

Post the contents of rights.txt into your next reply here.
If you have to find rights.txt later, it will be in that new folder you created on your desktop for look.bat



Antivirus

Looking over your log it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, clean and erase harmful virus files on a computer, Web server or network. Unchecked virus files can unintentionally be forwarded to others, including trading partners, and thereby spread infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors NOW:


It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
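The two batch files above dump the ACLs of the system drive and of the WBEM-related registry keys so they can be read by eye. The following PowerShell script is an added example, not code from the post or from the forum's tool set: it is a read-only counterpart to lastperms.bat and look.bat that lists the same ACEs through Get-Acl and then reports any principal outside a small trusted list that holds write-type rights. The registry key list is the one from the post; the trusted-principal list and the rights pattern are this example's own assumptions, and it expects to run from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: a read-only PowerShell counterpart to
# lastperms.bat and look.bat. It lists every ACE on the system drive root and on the
# registry keys from the post, then reports any principal outside a trusted list that
# holds write-type rights. Run it from an elevated PowerShell prompt on the machine.

$RegistryKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM'
)

# Principals whose write access is expected (an assumption of this example). These are
# the English names; on a non-English Windows substitute the localised names.
$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# .NET names for the rights that let a principal change the object. They cover what
# cacls prints as F, W, FILE_WRITE_DATA and FILE_APPEND_DATA and what swreg prints as
# Full Control.
$WritePattern = 'FullControl|Modify|Write|CreateFiles|CreateDirectories|AppendData|SetValue|CreateSubKey|ChangePermissions|TakeOwnership'

function Get-AceReport {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Folder ACEs carry FileSystemRights, registry ACEs carry RegistryRights.
        if ($ace.PSObject.Properties['FileSystemRights']) { $rights = $ace.FileSystemRights }
        else { $rights = $ace.RegistryRights }
        New-Object PSObject -Property @{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $rights
            Inheritance = $ace.InheritanceFlags
            Propagation = $ace.PropagationFlags
            Inherited   = $ace.IsInherited
        }
    }
}

function Find-UnexpectedWriters {
    param([Parameter(Mandatory = $true)][string[]]$Paths)
    foreach ($p in $Paths) {
        foreach ($entry in (Get-AceReport -Path $p)) {
            if ($entry.Type -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $entry.Identity) { continue }
            if ($entry.Rights.ToString() -match $WritePattern) { $entry }
        }
    }
}

$allPaths = @("$env:SystemDrive\") + $RegistryKeys

# Full listing: the same information lastperms.bat and look.bat produce.
$allPaths | ForEach-Object { Get-AceReport -Path $_ } |
    Format-Table Path, Identity, Type, Rights, Inheritance, Inherited -AutoSize

# Short list of entries worth a second look.
$suspect = @(Find-UnexpectedWriters -Paths $allPaths)
if ($suspect.Count -gt 0) {
    'Principals outside the trusted list holding write-type rights:'
    $suspect | Format-Table Path, Identity, Rights -AutoSize
} else {
    'No write-type rights outside the trusted list.'
}
```

Two things to expect in the short list: on the drive root, Users normally hold create-file and create-folder rights (the FILE_WRITE_DATA and FILE_APPEND_DATA entries that cacls reports), which is the Windows XP default and not by itself a finding; on the registry keys, anything beyond Read for Users, such as a Full Control entry on HKCR\CLSID, is the kind of change that is worth posting for review, since subkeys under CLSID decide which DLL is loaded for each COM class.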

Re: Redirected Google web searches + Random Pop Ups

Post by tenmeg » September 26th, 2009, 8:48 pm

Hello - see reports below as requested - added virus software AVG - thanks for the virus info

===================================================================
DLLRegister Server in wbemprox.dll succeeded
===================================================================
LASTPERMS.BAT
===================================================================
C:\ BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(IO)(special access:)

FILE_WRITE_DATA

Everyone:R
===================================================================
LOOK.BAT RESULTS
*******************************************************************************
Registrykey: HKEY_CLASSES_ROOT\CLSID

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
2WIRE200\TENMEG
Allowed Full Control This Key Only (Inherited)
2WIRE200\TENMEG
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
2WIRE200\Administrators
Allowed Full Control This Key Only (Inherited)
2WIRE200\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\RESTRICTED
Allowed Read This Key Only (Inherited)
NT AUTHORITY\RESTRICTED
Allowed Special (Unknown) Subkeys only (Inherited)
2WIRE200\Users
Allowed Full Control This Key and Subkeys (Inherited)
Perms

No Auditing set

Owner: TENMEG (2WIRE200\TENMEG)
*******************************************************************************
Registrykey: HKEY_CLASSES_ROOT\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
2WIRE200\Users
Allowed Read This Key Only (Inherited)
2WIRE200\Users
Allowed Special (Unknown) Subkeys only (Inherited)
2WIRE200\Administrators
Allowed Full Control This Key Only (Inherited)
2WIRE200\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (2WIRE200\Administrators)
*******************************************************************************
Registrykey: HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
2WIRE200\Users
Allowed Read This Key Only (Inherited)
2WIRE200\Users
Allowed Special (Unknown) Subkeys only (Inherited)
2WIRE200\Administrators
Allowed Full Control This Key Only (Inherited)
2WIRE200\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (2WIRE200\Administrators)
*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
2WIRE200\Users
Allowed Read This Key Only (Inherited)
2WIRE200\Users
Allowed Special (Unknown) Subkeys only (Inherited)
2WIRE200\Administrators
Allowed Full Control This Key Only (Inherited)
2WIRE200\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (2WIRE200\Administrators)
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm

Re: Redirected Google web searches + Random Pop Ups

Post by Bio-Hazard » September 28th, 2009, 5:39 am

It was like pulling teeth to get cacls to report the drive permissions correctly, but it finally is using that method. They were there, but cacls was being difficult. I know because the same thing happened to me. And things which had not previously worked due to the lack of permissions, like Windows update did.

Let's move on to the problems with WMI caused by the Upgrade to Service Pack 3.


The fix is from Microsoft, but I have automated it for you.

This is going to add Authenticated Users with full permissions to several registry keys related to your errors. And it will also add the Network Service account to the Administrators group.


****** Warning to anyone reading this! If you do not run an English Language Windows version, this fix will fail. The Administrators group goes by a different name on each different Language version of Windows. So without the correct name for that group, the Network Service account will not be added.

Usually we can use WMI to get the name automatically and use that in the batch, but since we are repairing WMI, we can't do it that way. *********


It is important that you perform these steps in the exact order given.

Copy the contents of the code box to Notepad. Name the file as FixWmiperms.bat

Save FixWmiperms.bat anywhere you like. But make it a convenient location, so you can delete it later. Run FixWmiperms.bat

When it has finished it will open a text file named changerights.txt (changerights.txt will be located in the same folder where you put FixWmiperms.bat).
Post the contents of changerights.txt and then reboot to be absolutely sure the changes take effect.
Code:
echo %TIME% %DATE%  %Username% >changerights.txt
(
  Echo Adding Network Service to  Administrators group
 net localgroup administrators /add "Network Service"

swreg acl  HKCR\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} /E /G "Authenticated Users":F
Echo.
swreg acl  HKCR\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /E /G "Authenticated Users":F
Echo.
swreg acl  HKLM\Software\Microsoft\WBEM\CIMOM /E /G "Authenticated Users":F
Echo.
) >>changerights.txt  2>&1

Start notepad changerights.txt



After the reboot, run WmiDiag.vbs again and post those results, following the directions as given previously to run it.

We'll see how that works out. The upgrade to SP3 may have fixed some of the issues you had when you ran SP2, but it created issues of its own. And those issues prevent things from running because of new permissions issues in SP3. That's why you had such a wonky report the last time you ran it.

---------------

Finally, as a quick test, can you see what happens when you run msinfo32 please? If it's able to gather information now, that means that at least a good chunk of WMI is now able to run. Let me know how that goes when you post your new WMIdiag report.

I may ask you for some logs created in the WBEM\logs folder later if this doesn't work. They will point out problems with WMI and give us clues. But that's for later if a problem still exists.

Good luck.
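The warning in the post is that FixWmiperms.bat names the Administrators group in English and that the usual workaround, asking WMI for the local name, is unavailable while WMI itself is being repaired. The script below is an added example, not part of the post and not Microsoft's fix: it checks, read-only, for the state FixWmiperms.bat is meant to leave behind, and it finds the Administrators, Network Service and Authenticated Users accounts by their well-known SIDs (S-1-5-32-544, S-1-5-20 and S-1-5-11), translating them to whatever they are called on the local installation. That needs neither WMI nor the English names. The registry keys are the three from the post; the function names are this example's own, and it assumes the WinNT ADSI provider exposes objectSid for every member of the group, which it does for local accounts and the built-in service accounts.

```powershell
# Added example, not part of the original post and not Microsoft's fix: a read-only check
# of the changes FixWmiperms.bat makes, written to work on any language version of
# Windows. Accounts are identified by well-known SID and translated to local names, so
# neither WMI nor the English group names are required.

$WellKnown = @{
    Administrators     = 'S-1-5-32-544'   # BUILTIN\Administrators
    NetworkService     = 'S-1-5-20'       # NT AUTHORITY\NETWORK SERVICE
    AuthenticatedUsers = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users
}

# The keys FixWmiperms.bat grants Authenticated Users Full Control on.
$RegistryKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM'
)

function Get-LocalizedAccountName {
    # Resolve a SID to the account name used by this Windows installation.
    param([Parameter(Mandatory = $true)][string]$Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-LocalGroupMemberSids {
    # Enumerate a local group through the WinNT ADSI provider and return member SIDs,
    # so membership is compared by SID rather than by a name that may be localised.
    # Assumes (this example) that objectSid is available for every member.
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Test-FullControlForSid {
    # True when an Allow ACE on the key grants Full Control to the account with this SID.
    param([Parameter(Mandatory = $true)][string]$Path,
          [Parameter(Mandatory = $true)][string]$Sid)
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($aceSid -eq $Sid -and (($ace.RegistryRights -band $full) -eq $full)) { return $true }
    }
    return $false
}

$adminGroup = Get-LocalizedAccountName $WellKnown.Administrators
$netSvc     = Get-LocalizedAccountName $WellKnown.NetworkService
$authUsers  = Get-LocalizedAccountName $WellKnown.AuthenticatedUsers

"Administrators group on this system is called: $adminGroup"
"Network Service account on this system is called: $netSvc"

# 1. Is Network Service a member of Administrators? (the 'net localgroup' step of the fix)
$groupShortName = $adminGroup.Split('\')[-1]
$members = @(Get-LocalGroupMemberSids -GroupName $groupShortName)
$inGroup = $members -contains $WellKnown.NetworkService
"Network Service is a member of $groupShortName : $inGroup"

# 2. Does Authenticated Users hold Full Control on each key? (the 'swreg acl ... /G' steps)
foreach ($key in $RegistryKeys) {
    $ok = Test-FullControlForSid -Path $key -Sid $WellKnown.AuthenticatedUsers
    '{0,-5} {1} has Full Control on {2}' -f $ok, $authUsers, $key
}
```

The script changes nothing; run it before and after FixWmiperms.bat to see which of the three grants were already in place and which the batch added. On a non-English Windows, the two names it prints are the ones to put in the batch file's `net localgroup` line in place of `administrators` and `"Network Service"`, since the service account name is localised as well as the group name. Both grants are broad ones (Full Control for every authenticated user on COM class keys, and administrator membership for a service account), so the value of the check is confirming that they exist only on the three keys the post names and nowhere else.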

Re: Redirected Google web searches + Random Pop Ups

Post by tenmeg » October 1st, 2009, 4:15 am

Hello - Ok - see results as requested . . .

==============================================================
Ran msinfo32 and it produced a pop-up with Sys Info
==============================================================
changerights.txt results. . .
==============================================================

0:40:48.37 Thu 10/01/2009 TENMEG
Adding Network Service to Administrators group
The command completed successfully.

Registrykey: "HKEY_CLASSES_ROOT\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}"
Granting Registry rights (F access for This Key) for "Authenticated Users"

Registrykey: "HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}"
Granting Registry rights (F access for This Key) for "Authenticated Users"

Registrykey: "HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM"
Granting Registry rights (F access for This Key) for "Authenticated Users"

==============================================================
WmiDiag.vbs results. . .
====================================================

16738 01:00:37 (0) ** WMIDiag v2.0 started on Thursday, October 01, 2009 at 00:58.
16739 01:00:37 (0) **
16740 01:00:37 (0) ** Copyright (c) Microsoft Corporation. All rights reserved - January 2007.
16741 01:00:37 (0) **
16742 01:00:37 (0) ** This script is not supported under any Microsoft standard support program or service.
16743 01:00:37 (0) ** The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
16744 01:00:37 (0) ** implied warranties including, without limitation, any implied warranties of merchantability
16745 01:00:37 (0) ** or of fitness for a particular purpose. The entire risk arising out of the use or performance
16746 01:00:37 (0) ** of the scripts and documentation remains with you. In no event shall Microsoft, its authors,
16747 01:00:37 (0) ** or anyone else involved in the creation, production, or delivery of the script be liable for
16748 01:00:37 (0) ** any damages whatsoever (including, without limitation, damages for loss of business profits,
16749 01:00:37 (0) ** business interruption, loss of business information, or other pecuniary loss) arising out of
16750 01:00:37 (0) ** the use of or inability to use the script or documentation, even if Microsoft has been advised
16751 01:00:37 (0) ** of the possibility of such damages.
16752 01:00:37 (0) **
16753 01:00:37 (0) **
16754 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16755 01:00:37 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------------------------------------------------
16756 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16757 01:00:37 (0) **
16758 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16759 01:00:37 (0) ** Windows XP - No service pack - 32-bit (2600) - User '2WIRE200\TENMEG' on computer '2WIRE200'.
16760 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16761 01:00:37 (0) ** INFO: Environment: .................................................................................................. 1 ITEM(S)!
16762 01:00:37 (0) ** INFO: => 2 incorrect shutdown(s) detected on:
16763 01:00:37 (0) ** - Shutdown on 05 September 2009 23:30:19 (GMT+7).
16764 01:00:37 (0) ** - Shutdown on 06 September 2009 22:54:34 (GMT+7).
16765 01:00:37 (0) **
16766 01:00:37 (0) ** System drive: ....................................................................................................... C: (Disk #0 Partition #0).
16767 01:00:37 (0) ** Drive type: ......................................................................................................... IDE (TOSHIBA MK8032GAX).
16768 01:00:37 (0) ** There are no missing WMI system files: .............................................................................. OK.
16769 01:00:37 (0) ** There are no missing WMI repository files: .......................................................................... OK.
16770 01:00:37 (0) ** WMI repository state: ............................................................................................... N/A.
16771 01:00:37 (0) ** BEFORE running WMIDiag:
16772 01:00:37 (0) ** The WMI repository has a size of: ................................................................................... 7 MB.
16773 01:00:37 (0) ** - Disk free space on 'C:': .......................................................................................... 55261 MB.
16774 01:00:37 (0) ** - INDEX.BTR, 1302528 bytes, 10/1/2009 12:49:13 AM
16775 01:00:37 (0) ** - INDEX.MAP, 668 bytes, 10/1/2009 12:49:14 AM
16776 01:00:37 (0) ** - OBJECTS.DATA, 5971968 bytes, 10/1/2009 12:49:12 AM
16777 01:00:37 (0) ** - OBJECTS.MAP, 2964 bytes, 10/1/2009 12:49:14 AM
16778 01:00:37 (0) ** AFTER running WMIDiag:
16779 01:00:37 (0) ** The WMI repository has a size of: ................................................................................... 7 MB.
16780 01:00:37 (0) ** - Disk free space on 'C:': .......................................................................................... 55261 MB.
16781 01:00:37 (0) ** - INDEX.BTR, 1302528 bytes, 10/1/2009 12:49:13 AM
16782 01:00:37 (0) ** - INDEX.MAP, 668 bytes, 10/1/2009 12:49:14 AM
16783 01:00:37 (0) ** - OBJECTS.DATA, 5971968 bytes, 10/1/2009 12:49:12 AM
16784 01:00:37 (0) ** - OBJECTS.MAP, 2964 bytes, 10/1/2009 12:49:14 AM
16785 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16786 01:00:37 (0) ** Windows Firewall: ................................................................................................... NOT INSTALLED.
16787 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16788 01:00:37 (0) ** DCOM Status: ........................................................................................................ OK.
16789 01:00:37 (0) ** WMI registry setup: ................................................................................................. OK.
16790 01:00:37 (0) ** WMI Service has no dependents: ...................................................................................... OK.
16791 01:00:37 (0) ** RPCSS service: ...................................................................................................... OK (Already started).
16792 01:00:37 (0) ** WINMGMT service: .................................................................................................... OK (Already started).
16793 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16794 01:00:37 (0) ** WMI service DCOM setup: ............................................................................................. OK.
16795 01:00:37 (2) !! WARNING: WMI DCOM components registration is missing for the following EXE/DLLs: .................................... 6 WARNING(S)!
16796 01:00:37 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{7A0227F6-7108-11D1-AD90-00C04FD8FDFF}\InProcServer32)
16797 01:00:37 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{D71EE747-F455-4804-9DF6-2ED81025F2C1}\InProcServer32)
16798 01:00:37 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{ED51D12E-511F-4999-8DCD-C2BAC91BE86E}\InProcServer32)
16799 01:00:37 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{4C6055D8-84B9-4111-A7D3-6623894EEDB3}\InProcServer32)
16800 01:00:37 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{A1044801-8F7E-11D1-9E7C-00C04FC324A8}\InProcServer32)
16801 01:00:37 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{F7CE2E13-8C90-11D1-9E7B-00C04FC324A8}\InProcServer32)
16802 01:00:37 (0) ** => WMI System components are not properly registered as COM objects, which could make WMI to
16803 01:00:37 (0) ** fail depending on the operation requested.
16804 01:00:37 (0) ** => For a .DLL, you can correct the DCOM configuration by executing the 'REGSVR32.EXE <Filename.DLL>' command.
16805 01:00:37 (0) **
16806 01:00:37 (0) ** WMI ProgID registrations: ........................................................................................... OK.
16807 01:00:37 (0) ** WMI provider DCOM registrations: .................................................................................... OK.
16808 01:00:37 (0) ** WMI provider CIM registrations: ..................................................................................... OK.
16809 01:00:37 (0) ** WMI provider CLSIDs: ................................................................................................ OK.
16810 01:00:37 (0) ** WMI providers EXE/DLL availability: ................................................................................. OK.
16811 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16812 01:00:37 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
16813 01:00:37 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!
16814 01:00:37 (0) ** - REMOVED ACE:
16815 01:00:37 (0) ** ACEType: &h0
16816 01:00:37 (0) ** ACCESS_ALLOWED_ACE_TYPE
16817 01:00:37 (0) ** ACEFlags: &h0
16818 01:00:37 (0) ** ACEMask: &h1
16819 01:00:37 (0) ** DCOM_RIGHT_EXECUTE
16820 01:00:37 (0) **
16821 01:00:37 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
16822 01:00:37 (0) ** Removing default security will cause some operations to fail!
16823 01:00:37 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
16824 01:00:37 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
16825 01:00:37 (0) **
16826 01:00:37 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
16827 01:00:37 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE' has been REMOVED!
16828 01:00:37 (0) ** - REMOVED ACE:
16829 01:00:37 (0) ** ACEType: &h0
16830 01:00:37 (0) ** ACCESS_ALLOWED_ACE_TYPE
16831 01:00:37 (0) ** ACEFlags: &h0
16832 01:00:37 (0) ** ACEMask: &h1
16833 01:00:37 (0) ** DCOM_RIGHT_EXECUTE
16834 01:00:37 (0) **
16835 01:00:37 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
16836 01:00:37 (0) ** Removing default security will cause some operations to fail!
16837 01:00:37 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
16838 01:00:37 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
16839 01:00:37 (0) **
16840 01:00:37 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
16841 01:00:37 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has been REMOVED!
16842 01:00:37 (0) ** - REMOVED ACE:
16843 01:00:37 (0) ** ACEType: &h0
16844 01:00:37 (0) ** ACCESS_ALLOWED_ACE_TYPE
16845 01:00:37 (0) ** ACEFlags: &h0
16846 01:00:37 (0) ** ACEMask: &h1
16847 01:00:37 (0) ** DCOM_RIGHT_EXECUTE
16848 01:00:37 (0) **
16849 01:00:37 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
16850 01:00:37 (0) ** Removing default security will cause some operations to fail!
16851 01:00:37 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
16852 01:00:37 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
16853 01:00:37 (0) **
16854 01:00:37 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.
16855 01:00:37 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
16856 01:00:37 (0) ** - ACTUAL ACE:
16857 01:00:37 (0) ** ACEType: &h0
16858 01:00:37 (0) ** ACCESS_ALLOWED_ACE_TYPE
16859 01:00:37 (0) ** ACEFlags: &h2
16860 01:00:37 (0) ** CONTAINER_INHERIT_ACE
16861 01:00:37 (0) ** ACEMask: &h1
16862 01:00:37 (0) ** WBEM_ENABLE
16863 01:00:37 (0) ** - EXPECTED ACE:
16864 01:00:37 (0) ** ACEType: &h0
16865 01:00:37 (0) ** ACCESS_ALLOWED_ACE_TYPE
16866 01:00:37 (0) ** ACEFlags: &h12
16867 01:00:37 (0) ** CONTAINER_INHERIT_ACE
16868 01:00:37 (0) ** INHERITED_ACE
16869 01:00:37 (0) ** ACEMask: &h13
16870 01:00:37 (0) ** WBEM_ENABLE
16871 01:00:37 (0) ** WBEM_METHOD_EXECUTE
16872 01:00:37 (0) ** WBEM_WRITE_PROVIDER
16873 01:00:37 (0) **
16874 01:00:37 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
16875 01:00:37 (0) ** This will cause some operations to fail!
16876 01:00:37 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
16877 01:00:37 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
16878 01:00:37 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
16879 01:00:37 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
16880 01:00:37 (0) ** A specific WMI application can always require a security setup different
16881 01:00:37 (0) ** than the WMI security defaults.
16882 01:00:37 (0) **
16883 01:00:37 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.
16884 01:00:37 (1) !! ERROR: Actual trustee 'NT AUTHORITY\LOCAL SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
16885 01:00:37 (0) ** - ACTUAL ACE:
16886 01:00:37 (0) ** ACEType: &h0
16887 01:00:37 (0) ** ACCESS_ALLOWED_ACE_TYPE
16888 01:00:37 (0) ** ACEFlags: &h2
16889 01:00:37 (0) ** CONTAINER_INHERIT_ACE
16890 01:00:37 (0) ** ACEMask: &h1
16891 01:00:37 (0) ** WBEM_ENABLE
16892 01:00:37 (0) ** - EXPECTED ACE:
16893 01:00:37 (0) ** ACEType: &h0
16894 01:00:37 (0) ** ACCESS_ALLOWED_ACE_TYPE
16895 01:00:37 (0) ** ACEFlags: &h12
16896 01:00:37 (0) ** CONTAINER_INHERIT_ACE
16897 01:00:37 (0) ** INHERITED_ACE
16898 01:00:37 (0) ** ACEMask: &h13
16899 01:00:37 (0) ** WBEM_ENABLE
16900 01:00:37 (0) ** WBEM_METHOD_EXECUTE
16901 01:00:37 (0) ** WBEM_WRITE_PROVIDER
16902 01:00:37 (0) **
16903 01:00:37 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
16904 01:00:37 (0) ** This will cause some operations to fail!
16905 01:00:37 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
16906 01:00:37 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
16907 01:00:37 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
16908 01:00:37 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
16909 01:00:37 (0) ** A specific WMI application can always require a security setup different
16910 01:00:37 (0) ** than the WMI security defaults.
16911 01:00:37 (0) **
16912 01:00:37 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.
16913 01:00:37 (1) !! ERROR: Default trustee 'EVERYONE' has been REMOVED!
16914 01:00:37 (0) ** - REMOVED ACE:
16915 01:00:37 (0) ** ACEType: &h0
16916 01:00:37 (0) ** ACCESS_ALLOWED_ACE_TYPE
16917 01:00:37 (0) ** ACEFlags: &h12
16918 01:00:37 (0) ** CONTAINER_INHERIT_ACE
16919 01:00:37 (0) ** INHERITED_ACE
16920 01:00:37 (0) ** ACEMask: &h13
16921 01:00:37 (0) ** WBEM_ENABLE
16922 01:00:37 (0) ** WBEM_METHOD_EXECUTE
16923 01:00:37 (0) ** WBEM_WRITE_PROVIDER
16924 01:00:37 (0) **
16925 01:00:37 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
16926 01:00:37 (0) ** Removing default security will cause some operations to fail!
16927 01:00:37 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
16928 01:00:37 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
16929 01:00:37 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
16930 01:00:37 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
16931 01:00:37 (0) ** A specific WMI application can always require a security setup different
16932 01:00:37 (0) ** than the WMI security defaults.
16933 01:00:37 (0) **
16934 01:00:37 (0) **
16935 01:00:37 (0) ** DCOM security warning(s) detected: .................................................................................. 0.
16936 01:00:37 (0) ** DCOM security error(s) detected: .................................................................................... 3.
16937 01:00:37 (0) ** WMI security warning(s) detected: ................................................................................... 0.
16938 01:00:37 (0) ** WMI security error(s) detected: ..................................................................................... 3.
16939 01:00:37 (0) **
16940 01:00:37 (1) !! ERROR: Overall DCOM security status: ................................................................................ ERROR!
16941 01:00:37 (1) !! ERROR: Overall WMI security status: ................................................................................. ERROR!
16942 01:00:37 (0) ** - Started at 'Root' --------------------------------------------------------------------------------------------------------------
16943 01:00:37 (0) ** INFO: WMI permanent SUBSCRIPTION(S): ................................................................................ 3.
16944 01:00:37 (0) ** - ROOT/DEFAULT, MSFT_UCScenarioControl.Name="Microsoft WMI Updating Consumer Scenario Control".
16945 01:00:37 (0) ** 'SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'MSFT_UCScenario''
16946 01:00:37 (0) ** - ROOT/SUBSCRIPTION, MSFT_UCScenarioControl.Name="Microsoft WMI Updating Consumer Scenario Control".
16947 01:00:37 (0) ** 'SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'MSFT_UCScenario''
16948 01:00:37 (0) ** - ROOT/SUBSCRIPTION, NTEventLogEventConsumer.Name="SCM Event Log Consumer".
16949 01:00:37 (0) ** 'select * from MSFT_SCMEventLogEvent'
16950 01:00:37 (0) **
16951 01:00:37 (0) ** WMI TIMER instruction(s): ........................................................................................... NONE.
16952 01:00:37 (0) ** INFO: WMI ADAP status: .............................................................................................. 2.
16953 01:00:37 (0) ** => The WMI ADAP process is processing a performance library (2).
16954 01:00:37 (0) ** Some WMI performance classes could be missing at the time WMIDiag was executed.
16955 01:00:37 (0) ** INFO: WMI namespace(s) requiring PACKET PRIVACY: .................................................................... 1 NAMESPACE(S)!
16956 01:00:37 (0) ** - ROOT/SERVICEMODEL.
16957 01:00:37 (0) ** => When remotely connecting, the namespace(s) listed require(s) the WMI client to
16958 01:00:37 (0) ** use an encrypted connection by specifying the PACKET PRIVACY authentication level.
16959 01:00:37 (0) ** (RPC_C_AUTHN_LEVEL_PKT_PRIVACY or PktPrivacy flags)
16960 01:00:37 (0) ** i.e. 'WMIC.EXE /NODE:"2WIRE200" /AUTHLEVEL:Pktprivacy /NAMESPACE:\\ROOT\SERVICEMODEL Class __SystemSecurity'
16961 01:00:37 (0) **
16962 01:00:37 (0) ** WMI MONIKER CONNECTIONS: ............................................................................................ OK.
16963 01:00:37 (0) ** WMI CONNECTIONS: .................................................................................................... OK.
16964 01:00:37 (0) ** WMI GET operations: ................................................................................................. OK.
16965 01:00:37 (0) ** WMI MOF representations: ............................................................................................ OK.
16966 01:00:37 (0) ** WMI QUALIFIER access operations: .................................................................................... OK.
16967 01:00:37 (2) !! WARNING: WMI ENUMERATION operation errors reported: ................................................................. 1 WARNING(S)!
16968 01:00:37 (0) ** - Root/Default, InstancesOf, 'SystemRestore' did not return any instance while AT LEAST 1 instance is expected.
16969 01:00:37 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\SR.MOF'
16970 01:00:37 (0) **
16971 01:00:37 (2) !! WARNING: WMI EXECQUERY operation errors reported: ................................................................... 1 WARNING(S)!
16972 01:00:37 (0) ** - Root/Default, 'Select * From SystemRestore' did not return any instance while AT LEAST 1 instance is expected.
16973 01:00:37 (0) **
16974 01:00:37 (0) ** WMI GET VALUE operations: ........................................................................................... OK.
16975 01:00:37 (0) ** WMI WRITE operations: ............................................................................................... NOT TESTED.
16976 01:00:37 (0) ** WMI PUT operations: ................................................................................................. NOT TESTED.
16977 01:00:37 (0) ** WMI DELETE operations: .............................................................................................. NOT TESTED.
16978 01:00:37 (0) ** WMI static instances retrieved: ..................................................................................... 649.
16979 01:00:37 (0) ** WMI dynamic instances retrieved: .................................................................................... 0.
16980 01:00:37 (0) ** WMI instance request cancellations (to limit performance impact): ................................................... 0.
16981 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16982 01:00:37 (0) ** # of Event Log events BEFORE WMIDiag execution since the last 20 day(s):
16983 01:00:37 (0) ** DCOM: ............................................................................................................. 34.
16984 01:00:37 (0) ** WINMGMT: .......................................................................................................... 1.
16985 01:00:37 (0) ** WMIADAPTER: ....................................................................................................... 0.
16986 01:00:37 (0) ** => Verify the WMIDiag LOG at line #16154 for more details.
16987 01:00:37 (0) **
16988 01:00:37 (0) ** # of additional Event Log events AFTER WMIDiag execution:
16989 01:00:37 (0) ** DCOM: ............................................................................................................. 0.
16990 01:00:37 (0) ** WINMGMT: .......................................................................................................... 0.
16991 01:00:37 (0) ** WMIADAPTER: ....................................................................................................... 0.
16992 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16993 01:00:37 (0) ** WMI Registry key setup: ............................................................................................. OK.
16994 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16995 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16996 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16997 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16998 01:00:37 (0) **
16999 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17000 01:00:37 (0) ** ------------------------------------------------------ WMI REPORT: END -----------------------------------------------------------
17001 01:00:37 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17002 01:00:37 (0) **
17003 01:00:37 (0) ** ERROR: WMIDiag detected issues that could prevent WMI to work properly!. Check 'C:\DOCUMENTS AND SETTINGS\TENMEG\LOCAL SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.RTM.32_2WIRE200_2009.10.01_00.57.58.LOG' for details.
17004 01:00:37 (0) **
17005 01:00:37 (0) ** WMIDiag v2.0 ended on Thursday, October 01, 2009 at 01:00 (W:79 E:23 S:1).

==========================================================================
Ran msinfo32 and it produced a pop-up with Sys Info
==============================================================
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm
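The WMIDiag summary above is mostly status lines; when triaging one of these reports it helps to pull out only the WARNING:/ERROR: findings, the lines that explain them, and the W/E/S totals from the trailer. The script below is an added example written for this page; it is not part of the thread and not a WMIDiag component. The line layout it expects (log line number, time, a parenthesised level, a "**" or "!!" marker, then a message with a dotted leader before its status) is inferred from the output posted above, and the sample it runs on is a constructed, shortened excerpt of that output.

```python
"""Structured triage of a WMIDiag summary report (added example, not WMIDiag code)."""
import re
from dataclasses import dataclass, field

# 16967 01:00:37 (2) !! WARNING: WMI ENUMERATION operation errors reported: ..... 1 WARNING(S)!
LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\((?P<level>\d+)\)\s+"
    r"(?P<mark>\*\*|!!)\s?(?P<text>.*)$"
)
# "WMI GET operations: ........ OK."  ->  name="WMI GET operations", status="OK"
CHECK_RE = re.compile(r"^(?P<name>.+?):\s*\.{3,}\s*(?P<status>.+?)\.?$")
# trailer: "WMIDiag v2.0 ended on ... (W:79 E:23 S:1)."
TOTALS_RE = re.compile(r"\(W:(?P<W>\d+)\s+E:(?P<E>\d+)\s+S:(?P<S>\d+)\)")
LEADER_RE = re.compile(r"\s*\.{3,}\s*")   # dotted leader between label and status


@dataclass
class Finding:
    kind: str                              # "warning" or "error"
    message: str
    details: list = field(default_factory=list)


@dataclass
class Report:
    checks: dict = field(default_factory=dict)     # check name -> status text
    findings: list = field(default_factory=list)   # WARNING:/ERROR: lines, in order
    totals: dict = field(default_factory=dict)     # {"W": .., "E": .., "S": ..}


def parse_wmidiag(text):
    """Parse WMIDiag summary lines; lines that do not fit the layout are ignored."""
    rep = Report()
    last = None                      # finding that following detail lines belong to
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("text").strip()
        if not msg:
            continue
        t = TOTALS_RE.search(msg)
        if t:
            rep.totals = {k: int(v) for k, v in t.groupdict().items()}
            continue
        if msg.startswith("WARNING:") or msg.startswith("ERROR:"):
            kind, _, body = msg.partition(":")
            last = Finding(kind.lower(), LEADER_RE.sub(" ", body.strip()))
            rep.findings.append(last)
            continue
        c = CHECK_RE.match(msg[6:] if msg.startswith("INFO: ") else msg)
        if c:
            rep.checks[c.group("name").strip()] = c.group("status").strip()
            last = None              # a status line ends the previous finding's detail block
        elif last is not None:
            last.details.append(msg)  # "- ..." / "=> ..." lines explain the finding above
    return rep


def findings_of(rep, kind):
    return [f for f in rep.findings if f.kind == kind]


# Constructed excerpt of the report posted above (leaders shortened, log path dropped)
SAMPLE = r"""16966 01:00:37 (0) ** WMI QUALIFIER access operations: ........................ OK.
16967 01:00:37 (2) !! WARNING: WMI ENUMERATION operation errors reported: ........... 1 WARNING(S)!
16968 01:00:37 (0) ** - Root/Default, InstancesOf, 'SystemRestore' did not return any instance while AT LEAST 1 instance is expected.
16969 01:00:37 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\SR.MOF'
16970 01:00:37 (0) **
16971 01:00:37 (2) !! WARNING: WMI EXECQUERY operation errors reported: ............. 1 WARNING(S)!
16972 01:00:37 (0) ** - Root/Default, 'Select * From SystemRestore' did not return any instance while AT LEAST 1 instance is expected.
16993 01:00:37 (0) ** WMI Registry key setup: ................................. OK.
17003 01:00:37 (0) ** ERROR: WMIDiag detected issues that could prevent WMI to work properly!. Check the WMIDiag log for details.
17005 01:00:37 (0) ** WMIDiag v2.0 ended on Thursday, October 01, 2009 at 01:00 (W:79 E:23 S:1).
"""

if __name__ == "__main__":
    rep = parse_wmidiag(SAMPLE)
    print("totals:", rep.totals)
    for f in rep.findings:
        print(f.kind.upper(), f.message)
        for d in f.details:
            print("    ", d)
```

Run against a full report, the two SystemRestore warnings come out with their "- Root/Default ..." explanation and the MOF registration path attached, which is exactly the pair of lines the helper keys on in the posts that follow.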

Re: Redirected Google web searches + Random Pop Ups

Unread postby Bio-Hazard » October 1st, 2009, 4:11 pm

When you ran msinfo32 and the System Information window came up, what did the right pane look like? Did it contain a message that it couldn't collect information? It is important that we have this information because msinfo32 uses WMI to collect the information it gives us. I want to get a handle on the situation.

Please copy the contents of the code box to notepad. Save the file as Lookatwmi.bat
Run lookatwmi.bat
When it has finished, it will open a file named checks.txt.
Please copy and paste the contents of that file into your next reply. checks.txt will be found in the same folder as lookatwmi.bat

You'll also find a file there named appidreg.txt

Please go to Spykiller and upload that file. You have gone to Spykiller before to upload event logs. Please do not post the contents of appidreg.txt.
The forum software will mangle it and I need to see that file for myself, correctly formatted.

Code: Select all

REM Locate every copy of the System Restore MOF (sr.mof / sr.mo_) on the system drive
Dir /s /a %systemdrive%\sr.mo*  >checks.txt
Echo Regsvr errors codes: >>checks.txt
Echo.>>checks.txt

Echo #3 = File not found. >> checks.txt
Echo #4 = Entry point not found. The file cannot be registered. >>checks.txt
Echo #5 = Unsuccessful!  Report to Forum's helper. >>checks.txt

Echo If error Unsuccessful or not identified here, run Regsvr32 without the /s switch and get exact error. >>checks.txt 

Echo.>>checks.txt

Echo Log of Regsvr32 activity:>>checks.txt
Echo.>>checks.txt

REM Re-register the two WMI client proxy DLLs silently (/s); log success,
REM otherwise log the regsvr32 exit code so it can be matched against the table above
regsvr32.exe  %windir%\SYSTEM32\WBEM\FASTPROX.DLL /s  && echo  %windir%\SYSTEM32\WBEM\FASTPROX.DLL  was successfully registered >> checks.txt 
If not %errorlevel%==0 Echo Error #%errorlevel% in  %windir%\SYSTEM32\WBEM\FASTPROX.DLL. The file was not registered. >>checks.txt

regsvr32.exe  %windir%\SYSTEM32\WBEM\WBEMPROX.DLL /s  && echo  %windir%\SYSTEM32\WBEM\WBEMPROX.DLL  was successfully registered >> checks.txt 
If not %errorlevel%==0 Echo Error #%errorlevel% in  %windir%\SYSTEM32\WBEM\WBEMPROX.DLL. The file was not registered. >>checks.txt

REM Export the DCOM AppID key to appidreg.txt (ANSI .reg format, for upload) and
REM list its subkeys in checks.txt
Regedit /e /a appidreg.txt HKEY_CLASSES_ROOT\AppID
Swreg query HKEY_CLASSES_ROOT\AppID  >>checks.txt

Start notepad checks.txt


Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Redirected Google web searches + Random Pop Ups

Unread postby tenmeg » October 2nd, 2009, 3:46 pm

Hello - see today’s results below - went to SpyKiller and uploaded appidreg.txt - I’m not sure if I did the upload right as the directions are a little vague - let me know if you received/viewed the file appidreg.txt?

==========================================================
Ran msinfo32 - popup information. . .
==========================================================

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name 2WIRE200
System Manufacturer Hewlett-Packard
System Model Pavilion dv8000 (EP404UA#ABA)
System Type X86-based PC
Processor x86 Family 15 Model 36 Stepping 2 AuthenticAMD ~1794 Mhz
BIOS Version/Date Hewlett-Packard F.24, 12/2/2005
SMBIOS Version 2.31
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.2562 (xpsp.040919-1030)"
User Name 2WIRE200\TENMEG
Time Zone Pacific Daylight Time
Total Physical Memory 512.00 MB
Available Physical Memory 82.14 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 1.21 GB
Page File C:\pagefile.sys

=========================================================
Ran Code - Checks.txt information. . .
=========================================================

Volume in drive C has no label.
Volume Serial Number is 5E04-0064

Directory of C:\I386

08/04/2004 06:00 AM 1,355 SR.MO_
1 File(s) 1,355 bytes

Directory of C:\WINDOWS\system32\wbem

08/04/2004 01:00 AM 3,799 sr.mof
1 File(s) 3,799 bytes

Total Files Listed:
2 File(s) 5,154 bytes
0 Dir(s) 57,918,971,904 bytes free
Regsvr errors codes:

#3 = File not found.
#4 = Entry point not found. The file cannot be registered.
#5 = Unsuccessful! Report to Forum's helper.
If error Unsuccessful or not identified here, run Regsvr32 without the /s switch and get exact error.

Log of Regsvr32 activity:

C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL was successfully registered
C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL was successfully registered

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_CLASSES_ROOT\appid

HKEY_CLASSES_ROOT\appid\AcroPDF.DLL

HKEY_CLASSES_ROOT\appid\AS2GuiIE.DLL

HKEY_CLASSES_ROOT\appid\AS2StubIE.DLL

HKEY_CLASSES_ROOT\appid\AudioModule.DLL

HKEY_CLASSES_ROOT\appid\AudioPlayer.DLL

HKEY_CLASSES_ROOT\appid\BITS

HKEY_CLASSES_ROOT\appid\conf.exe

HKEY_CLASSES_ROOT\appid\CopyNow.DLL

HKEY_CLASSES_ROOT\appid\crd.EXE

HKEY_CLASSES_ROOT\appid\DataPlugin.DLL

HKEY_CLASSES_ROOT\appid\DataStore.EXE

HKEY_CLASSES_ROOT\appid\dmadmin.exe

HKEY_CLASSES_ROOT\appid\dmremote.exe

HKEY_CLASSES_ROOT\appid\ExportController.exe

HKEY_CLASSES_ROOT\appid\fastsearch.DLL

HKEY_CLASSES_ROOT\appid\GdiCache.exe

HKEY_CLASSES_ROOT\appid\GetRecordedShows.DLL

HKEY_CLASSES_ROOT\appid\GoogleUpdaterService.exe

HKEY_CLASSES_ROOT\appid\HelpCtr.EXE

HKEY_CLASSES_ROOT\appid\HelpSvc.EXE

HKEY_CLASSES_ROOT\appid\HomePlugin.DLL

HKEY_CLASSES_ROOT\appid\HPBasicDetection3.DLL

HKEY_CLASSES_ROOT\appid\HPDEXAXO.DLL

HKEY_CLASSES_ROOT\appid\HPeDiag.DLL

HKEY_CLASSES_ROOT\appid\HPeSupport.DLL

HKEY_CLASSES_ROOT\appid\hpqwmi.EXE

HKEY_CLASSES_ROOT\appid\hpqwmiex.EXE

HKEY_CLASSES_ROOT\appid\HPScripting.DLL

HKEY_CLASSES_ROOT\appid\HpuFunction.DLL

HKEY_CLASSES_ROOT\appid\IDriver.EXE

HKEY_CLASSES_ROOT\appid\IDriver2.exe

HKEY_CLASSES_ROOT\appid\IDriverT.EXE

HKEY_CLASSES_ROOT\appid\IESiteBlocker.DLL

HKEY_CLASSES_ROOT\appid\IMAPI.EXE

HKEY_CLASSES_ROOT\appid\InternetUtil.DLL

HKEY_CLASSES_ROOT\appid\IpodService.EXE

HKEY_CLASSES_ROOT\appid\ISDownloadManager.EXE

HKEY_CLASSES_ROOT\appid\iTunes.exe

HKEY_CLASSES_ROOT\appid\iTunesAddIn.dll

HKEY_CLASSES_ROOT\appid\iTunesAdmin.dll

HKEY_CLASSES_ROOT\appid\iTunesPhotoProcessor.EXE

HKEY_CLASSES_ROOT\appid\LaunchMuvee.DLL

HKEY_CLASSES_ROOT\appid\LaunchMyDVD.DLL

HKEY_CLASSES_ROOT\appid\LegitCheckControl.DLL

HKEY_CLASSES_ROOT\appid\logagent.EXE

HKEY_CLASSES_ROOT\appid\LSCAPI.DLL

HKEY_CLASSES_ROOT\appid\moviemk.exe

HKEY_CLASSES_ROOT\appid\MSNIASVC.EXE

HKEY_CLASSES_ROOT\appid\MsnInst.DLL

HKEY_CLASSES_ROOT\appid\MyDVD.EXE

HKEY_CLASSES_ROOT\appid\PDFPrevHndlr.DLL

HKEY_CLASSES_ROOT\appid\PDFPrevHndlrShim.EXE

HKEY_CLASSES_ROOT\appid\PenIMC2

HKEY_CLASSES_ROOT\appid\PrintFilterPipelineSvc.Exe

HKEY_CLASSES_ROOT\appid\ProtectorExe.EXE

HKEY_CLASSES_ROOT\appid\protector_dll.DLL

HKEY_CLASSES_ROOT\appid\ptswia.EXE

HKEY_CLASSES_ROOT\appid\PxWrap.DLL

HKEY_CLASSES_ROOT\appid\QTUIPanelControl.DLL

HKEY_CLASSES_ROOT\appid\QuickTimePlayer.exe

HKEY_CLASSES_ROOT\appid\RDSHost.EXE

HKEY_CLASSES_ROOT\appid\real2mp3.DLL

HKEY_CLASSES_ROOT\appid\realsched.exe

HKEY_CLASSES_ROOT\appid\RNControllerTWC.DLL

HKEY_CLASSES_ROOT\appid\rsmsink.exe

HKEY_CLASSES_ROOT\appid\rsmui.exe

HKEY_CLASSES_ROOT\appid\RstrUI.EXE

HKEY_CLASSES_ROOT\appid\RulesEngine.DLL

HKEY_CLASSES_ROOT\appid\ScapX.EXE

HKEY_CLASSES_ROOT\appid\SentinelVirtualEarth3D.DLL

HKEY_CLASSES_ROOT\appid\sessmgr.EXE

HKEY_CLASSES_ROOT\appid\SetPointCOMMM9.DLL

HKEY_CLASSES_ROOT\appid\SetPointCOMWMP9.DLL

HKEY_CLASSES_ROOT\appid\SoftwareUpdate.exe

HKEY_CLASSES_ROOT\appid\SoftwareUpdateAdmin.DLL

HKEY_CLASSES_ROOT\appid\SymControlChecker.DLL

HKEY_CLASSES_ROOT\appid\Symdlmgr.DLL

HKEY_CLASSES_ROOT\appid\upnpcont.exe

HKEY_CLASSES_ROOT\appid\UsbSniffPlugin.DLL

HKEY_CLASSES_ROOT\appid\VOE.EXE

HKEY_CLASSES_ROOT\appid\VSSVC.EXE

HKEY_CLASSES_ROOT\appid\wiaacmgr.EXE

HKEY_CLASSES_ROOT\appid\winmgmt

HKEY_CLASSES_ROOT\appid\WkPrjAPI.DLL

HKEY_CLASSES_ROOT\appid\wlscUploader.EXE

HKEY_CLASSES_ROOT\appid\wmplayer.exe

HKEY_CLASSES_ROOT\appid\WMPNSSCI.DLL

HKEY_CLASSES_ROOT\appid\WpdfViewer.EXE

HKEY_CLASSES_ROOT\appid\WPDSp.DLL

HKEY_CLASSES_ROOT\appid\wuapi.dll

HKEY_CLASSES_ROOT\appid\wuauserv

HKEY_CLASSES_ROOT\appid\XPLPP.DLL

HKEY_CLASSES_ROOT\appid\zClientm.EXE

HKEY_CLASSES_ROOT\appid\{00020C01-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\appid\{00022601-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\appid\{000C101C-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\appid\{0010890e-8789-413c-adbc-48f5b511b3af}

HKEY_CLASSES_ROOT\appid\{0018752E-7735-4B30-9DA9-4A01F024F270}

HKEY_CLASSES_ROOT\appid\{00343B0E-E59F-4355-B2B5-64A12615B858}

HKEY_CLASSES_ROOT\appid\{003E771E-DF5E-40C0-94A2-4109FF9AF445}

HKEY_CLASSES_ROOT\appid\{0057B183-85ED-4751-A3C7-0DA2939A8E98}

HKEY_CLASSES_ROOT\appid\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}

HKEY_CLASSES_ROOT\appid\{01BA3B96-2FE0-4BE0-B965-83ED78E1BB4E}

HKEY_CLASSES_ROOT\appid\{02C4F32F-C02D-419B-8889-5CBF2FBD7F3D}

HKEY_CLASSES_ROOT\appid\{034e43c2-36fc-4bde-97c5-25e6fc4444b6}

HKEY_CLASSES_ROOT\appid\{038ABBA4-4138-4AC4-A492-4A3DF068BD8A}

HKEY_CLASSES_ROOT\appid\{0858A72C-164C-4056-8311-9DF3CA316007}

HKEY_CLASSES_ROOT\appid\{0A886F29-465A-4aea-8B8E-BE926BFAE83E}

HKEY_CLASSES_ROOT\appid\{12B34448-B1B9-48D7-A98B-142AAD6C651F}

HKEY_CLASSES_ROOT\appid\{16D99191-6280-4B33-A2F5-04805A0FC582}

HKEY_CLASSES_ROOT\appid\{176D187A-2A6A-403B-A30D-B914172D0F31}

HKEY_CLASSES_ROOT\appid\{1BB3D82F-9803-4d29-B232-1F2F14E52A2E}

HKEY_CLASSES_ROOT\appid\{1BE1F766-5536-11D1-B726-00C04FB926AF}

HKEY_CLASSES_ROOT\appid\{1F29CAC4-6174-44F7-9395-BC167397D7A8}

HKEY_CLASSES_ROOT\appid\{1F7D1BE9-7A50-40B6-A605-C4F3696F49C0}

HKEY_CLASSES_ROOT\appid\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}

HKEY_CLASSES_ROOT\appid\{1FF84C3B-1140-4EB6-BE38-4BE618D2E7D6}

HKEY_CLASSES_ROOT\appid\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}

HKEY_CLASSES_ROOT\appid\{24D495A5-A174-4945-819D-CF294600C500}

HKEY_CLASSES_ROOT\appid\{250DD19F-6E7F-4BA3-9E1B-69E6CDC52F30}

HKEY_CLASSES_ROOT\appid\{26785DB3-A435-4FFD-9F37-F543AB851F55}

HKEY_CLASSES_ROOT\appid\{27AF75ED-20D9-11D1-B1CE-00805FC1270E}

HKEY_CLASSES_ROOT\appid\{2B75F4A7-38B8-4BCA-8BED-E44C5D4645CF}

HKEY_CLASSES_ROOT\appid\{2DE6426A-0708-415C-8C19-623CC4855F80}

HKEY_CLASSES_ROOT\appid\{3127F179-FE9E-4E8B-B009-4330342B89B7}

HKEY_CLASSES_ROOT\appid\{316EFE3C-2104-4C5E-B568-8343091CF2CA}

HKEY_CLASSES_ROOT\appid\{39ce474e-59c1-4b84-9be2-2600c335b5c6}

HKEY_CLASSES_ROOT\appid\{3AA2E692-0A50-496B-A91B-9F7AF63B3511}

HKEY_CLASSES_ROOT\appid\{40AEEAB6-8FDA-41e3-9A5F-8350D4CFCA91}

HKEY_CLASSES_ROOT\appid\{446CB210-FFE3-4B6B-83CC-FC10A67F3F55}

HKEY_CLASSES_ROOT\appid\{45D20723-7759-49E4-98D9-31C0B8CD13D1}

HKEY_CLASSES_ROOT\appid\{46298684-0fd3-47f3-94b3-65650c65b36a}

HKEY_CLASSES_ROOT\appid\{49BD2028-1523-11D1-AD79-00C04FD8FDFF}

HKEY_CLASSES_ROOT\appid\{4A0F9AA8-A71E-4CC3-891B-76CAC67E67C0}

HKEY_CLASSES_ROOT\appid\{4A8692DE-F2FE-405B-B438-487960BB24C0}

HKEY_CLASSES_ROOT\appid\{4E14FBA2-2E22-11D1-9964-00C04FBBB345}

HKEY_CLASSES_ROOT\appid\{4E5C175A-7DB9-11D3-B9E5-00C04F79E399}

HKEY_CLASSES_ROOT\appid\{4F0AC159-5804-4aa7-AE91-117D6E67BB9B}

HKEY_CLASSES_ROOT\appid\{4FB6BB00-3347-11d0-B40A-00AA005FF586}

HKEY_CLASSES_ROOT\appid\{5011B6DE-E9FA-4518-B5E5-45DE9DD2CDC6}

HKEY_CLASSES_ROOT\appid\{5123EB69-F99E-461C-B6C3-CE6E825813E8}

HKEY_CLASSES_ROOT\appid\{52E0C5CF-79B2-48BF-90A2-F3EEE591795C}

HKEY_CLASSES_ROOT\appid\{53362C32-A296-4F2D-A2F8-FD984D08340B}

HKEY_CLASSES_ROOT\appid\{554066E6-3F86-4465-BEE0-3463EBD4E895}

HKEY_CLASSES_ROOT\appid\{555751E2-14F7-4B6D-8B22-7776D9F7B1A7}

HKEY_CLASSES_ROOT\appid\{56BE716B-2F76-4dfa-8702-67AE10044F0B}

HKEY_CLASSES_ROOT\appid\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}

HKEY_CLASSES_ROOT\appid\{5AB18D24-F054-4455-9DAF-71A0A0D48B87}

HKEY_CLASSES_ROOT\appid\{5CE55CD8-5179-11D2-931D-0000F875AE17}

HKEY_CLASSES_ROOT\appid\{5D238751-7E51-4F24-9E7D-93C58881B20B}

HKEY_CLASSES_ROOT\appid\{5DAB1D4C-D020-41CD-936F-D63FF662E9F7}

HKEY_CLASSES_ROOT\appid\{5F2F4FF3-9F5E-4774-AF1C-401626772B9D}

HKEY_CLASSES_ROOT\appid\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}

HKEY_CLASSES_ROOT\appid\{6236FF8C-E747-4173-86D3-99F511B61DF3}

HKEY_CLASSES_ROOT\appid\{6295DF2D-35EE-11d1-8707-00C04FD93327}

HKEY_CLASSES_ROOT\appid\{6365B8D6-A90B-4236-AECA-085DC6E15004}

HKEY_CLASSES_ROOT\appid\{63A53A38-004F-489B-BD61-96B5EEFADC04}

HKEY_CLASSES_ROOT\appid\{63A53D79-09D3-4673-90E5-75A0F270983D}

HKEY_CLASSES_ROOT\appid\{63CE6D27-426A-41F9-8E51-549C1132DAE2}

HKEY_CLASSES_ROOT\appid\{64B53D79-09D3-4673-90E5-75A0F270983D}

HKEY_CLASSES_ROOT\appid\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}

HKEY_CLASSES_ROOT\appid\{69AD4AEE-51BE-439b-A92C-86AE490E8B30}

HKEY_CLASSES_ROOT\appid\{6A070EEA-E3F8-411E-9D3A-F3814ED6D1A8}

HKEY_CLASSES_ROOT\appid\{6d8ff8e0-730d-11d4-bf42-00b0d0118b56}

HKEY_CLASSES_ROOT\appid\{73CFF131-CA3B-4654-9640-0F50B3ABA521}

HKEY_CLASSES_ROOT\appid\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}

HKEY_CLASSES_ROOT\appid\{76db1bf3-e820-4765-a1b2-0b16a86b1950}

HKEY_CLASSES_ROOT\appid\{783C030F-E948-487D-B35D-94FCF0F0C172}

HKEY_CLASSES_ROOT\appid\{82808CD0-6329-45c9-B168-502F2B9DD0B7}

HKEY_CLASSES_ROOT\appid\{833E4001-AFF7-4AC3-AAC2-9F24C1457BCE}

HKEY_CLASSES_ROOT\appid\{842C0FD4-E740-4514-8565-7946A7A89AB6}

HKEY_CLASSES_ROOT\appid\{84D586C4-A423-11D2-B943-00C04F79D22F}

HKEY_CLASSES_ROOT\appid\{851CCB28-8554-4D67-9F9C-00198C4FA2C4}

HKEY_CLASSES_ROOT\appid\{873394AF-DF99-4FA8-B5F6-DDD91D9A8032}

HKEY_CLASSES_ROOT\appid\{87BB326B-E4A0-4DE1-94F0-B9F41D0C6059}

HKEY_CLASSES_ROOT\appid\{8B4B437E-4CAB-4e83-89F6-7F9F7DF414EA}

HKEY_CLASSES_ROOT\appid\{8BC3F05E-D86B-11D0-A075-00C04FB68820}

HKEY_CLASSES_ROOT\appid\{8C482DCE-2644-4419-AEFF-189219F916B9}

HKEY_CLASSES_ROOT\appid\{9338AA50-B293-4CE9-B284-8A5E9E8FF901}

HKEY_CLASSES_ROOT\appid\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}

HKEY_CLASSES_ROOT\appid\{995C996E-D918-4a8c-A302-45719A6F4EA7}

HKEY_CLASSES_ROOT\appid\{99ED6837-E8B5-42cf-9434-B15BDEF08E45}

HKEY_CLASSES_ROOT\appid\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}

HKEY_CLASSES_ROOT\appid\{9C52D5C7-F8F6-4f58-A0CD-C5E6991AD256}

HKEY_CLASSES_ROOT\appid\{9E6AF5D5-3516-41c0-91C7-6460D2362198}

HKEY_CLASSES_ROOT\appid\{A019B71E-8FF7-4704-A894-3D6B695C73AC}

HKEY_CLASSES_ROOT\appid\{A1E75357-881A-419E-83E2-BB16DB197C68}

HKEY_CLASSES_ROOT\appid\{A1F4E726-8CF1-11D1-BF92-0060081ED811}

HKEY_CLASSES_ROOT\appid\{A24328B5-E641-4C0F-873F-335473D32A2A}

HKEY_CLASSES_ROOT\appid\{A49DF62A-9BCE-11D4-885E-0010B542B8BB}

HKEY_CLASSES_ROOT\appid\{A55803CC-4D53-404c-8557-FD63DBA95D24}

HKEY_CLASSES_ROOT\appid\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}

HKEY_CLASSES_ROOT\appid\{A9D431C2-6D56-4727-9690-ADBE66B9184A}

HKEY_CLASSES_ROOT\appid\{AB0072AE-463B-4B48-921F-B42887EF97C9}

HKEY_CLASSES_ROOT\appid\{AC28CEF0-AC90-11D3-A58F-0000E83DCE84}

HKEY_CLASSES_ROOT\appid\{AC35E951-4A8F-4F6D-B7DD-99C808030969}

HKEY_CLASSES_ROOT\appid\{AEC2FCBB-EB50-47A0-96C0-5974EB3FF046}

HKEY_CLASSES_ROOT\appid\{B098B208-FCCE-4FD4-98BF-C241D2EEB56E}

HKEY_CLASSES_ROOT\appid\{B0E28D63-52F6-4E30-992B-78ECF97268E9}

HKEY_CLASSES_ROOT\appid\{B1B9CBB2-B198-47E2-8260-9FD629A2B2EC}

HKEY_CLASSES_ROOT\appid\{B2725CF7-D66F-4A99-8D4A-8EC9478C337A}

HKEY_CLASSES_ROOT\appid\{B292921D-AF50-400c-9B75-0C57A7F29BA1}

HKEY_CLASSES_ROOT\appid\{B366DEBE-645B-43A5-B865-DDD82C345492}

HKEY_CLASSES_ROOT\appid\{B3F97836-A515-4ea6-BE06-4F1428C317C7}

HKEY_CLASSES_ROOT\appid\{B8C54A54-355E-11D3-83EB-00A0C92A2F2D}

HKEY_CLASSES_ROOT\appid\{B93C1D78-DAD0-4C93-BE0B-9A91E0A8301F}

HKEY_CLASSES_ROOT\appid\{B9A37974-B9D3-4614-B12E-06CAA52FD9C7}

HKEY_CLASSES_ROOT\appid\{BB07BACD-CD56-4E63-A8FF-CBF0355FB9F4}

HKEY_CLASSES_ROOT\appid\{BB7CDE7C-5FB0-46E5-A3F4-EF118FACE08B}

HKEY_CLASSES_ROOT\appid\{BBAA0E44-3862-490C-8E63-AC2D2D6EF733}

HKEY_CLASSES_ROOT\appid\{BD72192B-EE67-4BDF-8F0E-224A895939C0}

HKEY_CLASSES_ROOT\appid\{BF065D17-DD25-44F9-BBA3-69A00283AB63}

HKEY_CLASSES_ROOT\appid\{C0359F8F-FC4F-4292-A4B3-C3B3C60DE57B}

HKEY_CLASSES_ROOT\appid\{C03E0431-0CA9-46B8-95FB-CDE2E93888C5}

HKEY_CLASSES_ROOT\appid\{C2B96968-8E30-4BA4-A8F9-F40D09D1EA7E}

HKEY_CLASSES_ROOT\appid\{C3E7A4D2-AF8B-11D2-BD0F-00C04F72DBBC}

HKEY_CLASSES_ROOT\appid\{C49F2185-50A7-11D3-9144-00104BA11C5E}

HKEY_CLASSES_ROOT\appid\{C8449F19-89E4-4D7C-80E6-845874CB936E}

HKEY_CLASSES_ROOT\appid\{CDB70B7B-A0A0-41B8-A9BA-D59343D46BFD}

HKEY_CLASSES_ROOT\appid\{ce166e40-1e72-45b9-94c9-3b2050e8f180}

HKEY_CLASSES_ROOT\appid\{CF6067D7-D10C-4767-B04C-148E6EBB1574}

HKEY_CLASSES_ROOT\appid\{D0565000-9DF4-11D1-A281-00C04FCA0AA7}

HKEY_CLASSES_ROOT\appid\{d0566dae-465f-46a5-8c0e-fb9d5ea4fd0d}

HKEY_CLASSES_ROOT\appid\{D215781D-019E-4FA0-903D-0CDCDE13A4F5}

HKEY_CLASSES_ROOT\appid\{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

HKEY_CLASSES_ROOT\appid\{D3E34B21-9D75-101A-8C3D-00AA001A1652}

HKEY_CLASSES_ROOT\appid\{D455FA37-74F9-4A75-BD79-48659B12A1D6}

HKEY_CLASSES_ROOT\appid\{D485DDC0-49C6-11d1-8E56-00A0C92C9D5D}

HKEY_CLASSES_ROOT\appid\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}

HKEY_CLASSES_ROOT\appid\{D5978630-5B9F-11D1-8DD2-00AA004ABD5E}

HKEY_CLASSES_ROOT\appid\{D5978640-5B9F-11D1-8DD2-00AA004ABD5E}

HKEY_CLASSES_ROOT\appid\{D5978650-5B9F-11D1-8DD2-00AA004ABD5E}

HKEY_CLASSES_ROOT\appid\{D61A27C1-8F53-11D0-BFA0-00A024151983}

HKEY_CLASSES_ROOT\appid\{D71CBC24-F638-4606-9023-E11891FA52D7}

HKEY_CLASSES_ROOT\appid\{D77C1A8E-0B60-4A8B-B78C-852F42B70CE8}

HKEY_CLASSES_ROOT\appid\{DC1821D5-18CB-40A0-83C6-7A09FA0B3D03}

HKEY_CLASSES_ROOT\appid\{DC49F5B4-E4EB-4ED4-A15B-26FE03C9B7E7}

HKEY_CLASSES_ROOT\appid\{DCBCADF5-DB1b-4764-9320-9a5082af1581}

HKEY_CLASSES_ROOT\appid\{DE5DBCDC-104A-4cbc-A4D5-0C2104A142C5}

HKEY_CLASSES_ROOT\appid\{E03E4D6B-DFF0-4A60-BB87-D0B2C12CFEAF}

HKEY_CLASSES_ROOT\appid\{e30984f1-b02b-4c27-a40f-23d11b8c1212}

HKEY_CLASSES_ROOT\appid\{E32549C4-C2B8-4BCC-90D7-0FC3511092BB}

HKEY_CLASSES_ROOT\appid\{E495081B-BBA5-4b89-BA3C-3B86A686B87A}

HKEY_CLASSES_ROOT\appid\{E4A51076-BCD3-11D4-AB7D-00B0D02332EB}

HKEY_CLASSES_ROOT\appid\{E5E7EBBC-D7DD-49FA-996C-D8E254541284}

HKEY_CLASSES_ROOT\appid\{E64B9750-B96E-48E0-B698-0A2E0F638256}

HKEY_CLASSES_ROOT\appid\{ECABB0C3-7F19-11D2-978E-0000F8757E2A}

HKEY_CLASSES_ROOT\appid\{ECABB0C6-7F19-11D2-978E-0000F8757E2A}

HKEY_CLASSES_ROOT\appid\{ED6BB178-B06A-47ad-98B3-6066E0CF0147}

HKEY_CLASSES_ROOT\appid\{F15FFFBD-FC14-40E6-88B7-AA7E73FEB112}

HKEY_CLASSES_ROOT\appid\{F4D6C3EB-304E-4B0C-8BCE-F6B9E974CD17}

HKEY_CLASSES_ROOT\appid\{F58088EA-D0B0-421F-A1FE-3CF5898051D6}

HKEY_CLASSES_ROOT\appid\{f74bce98-9eb4-4022-8317-11c723e5ccf8}

HKEY_CLASSES_ROOT\appid\{F808DF63-6049-11D1-BA20-006097D2898E}

HKEY_CLASSES_ROOT\appid\{F98206B5-F052-4965-9FA0-85F61BC3C19D}

HKEY_CLASSES_ROOT\appid\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}

HKEY_CLASSES_ROOT\appid\{FB74D869-2D98-447A-A9D8-DBFB0DFDF4E7}

HKEY_CLASSES_ROOT\appid\{FBF23B40-E3F0-101B-8488-00AA003E56F8}

HKEY_CLASSES_ROOT\appid\{FC7D9E01-3F9E-11D3-93C0-00C04F72DAF7}

HKEY_CLASSES_ROOT\appid\{FD1E8288-F0F0-4BD6-BCEA-5F2FEA0456F1}

HKEY_CLASSES_ROOT\appid\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}

Re: Redirected Google web searches + Random Pop Ups

Unread postby Bio-Hazard » October 4th, 2009, 3:56 am

Copy the contents of the Code box to notepad. Save as Create RP.vbs

Double click on Create RP.vbs to run it.

Code: Select all
' Lists the existing restore points through the WMI SystemRestore class (root\default),
' creates a test restore point, then lists again so the two sets can be compared in rps.txt
Dim fso,Wshshell
Set Wshshell=Wscript.CreateObject("Wscript.shell")
Set fso = Wscript.CreateObject("scripting.Filesystemobject")

' BEFORE: one SystemRestore instance per existing restore point
set SRP = getobject("winmgmts:\\.\root\default").InstancesOf ("systemrestore")
for each Point in SRP
Msg = Msg & WMIDateStringToDate(point.creationtime) & vbcrlf & point.description & vbcrlf & "Sequence Number= " & point.sequencenumber & vbcrlf
next
set rp = fso.CreateTextFile("rps.txt" ,true)
rp.Writeline "BEFORE:" 
rp.write msg

msg = ""

' Ask the SystemRestore class to create a test point; a non-zero return value is an
' error code and is written to rps.txt as Error#:
Set TRP = getobject("winmgmts:\\.\root\default:Systemrestore")
TestRP = TRP.createrestorepoint ("Test Wmi Restore Point", 0, 100)

IF TestRP  <> 0 then rp.writeLine "Error#:" & TestRP

' AFTER: enumerate again; the test point should now be listed
set SRP = getobject("winmgmts:\\.\root\default").InstancesOf ("systemrestore")
for each Point in SRP
Msg  = Msg  &  WMIDateStringToDate(point.creationtime) & vbcrlf & point.description & vbcrlf & "Sequence Number= " & point.sequencenumber & vbcrlf
next
rp.WriteLine "AFTER:"
rp.write msg

rp.close

MsgBox "Done!"

' Converts a CIM DATETIME string (yyyymmddHHMMSS.ffffff+UUU) to a VBScript Date;
' only the first 14 characters are read, so fractional seconds and the UTC offset are ignored
Function WMIDateStringToDate(A)
 WMIDateStringToDate = CDate(Mid(A, 5, 2) & "/" & _
 Mid(A, 7, 2) & "/" & Left(A, 4) _
 & " " & Mid (A, 9, 2) & ":" & _
 Mid(A, 11, 2) & ":" & Mid(A, _
 13, 2))
End Function




When finished, you'll see a Done message box. After you press the OK button, open the file named rps.txt (this will be located in the same folder as the script you just ran.) Copy and paste the contents of rps.txt into your next reply here. Or you may possibly just get an error message. If that's the case, please copy and paste that error message into your next reply. To do that, while the error message has focus on your screen, press CTRL + C to copy to the clipboard. Then paste into your next reply.
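The VBScript above does two things worth keeping as a reusable check: it converts the CIM DATETIME value of each restore point and it compares the list before and after CreateRestorePoint. The script below is an added example written for this page, not part of the thread; it does the same in Python, with one difference: the CIM conversion honours the UTC-offset suffix (minutes, e.g. -420 for Pacific Daylight Time) that WMIDateStringToDate() drops because it reads only the first 14 characters. The restore-point records are constructed; on a live system they would be the SystemRestore instances from winmgmts:\\.\root\default.

```python
r"""Restore-point listing with full CIM DATETIME handling (added example, not thread code).

Record fields follow the SystemRestore properties used by the VBScript above:
CreationTime, Description, SequenceNumber. The records here are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# CIM DATETIME: yyyymmddHHMMSS.ffffff then the offset from UTC in minutes (+/-UUU)
CIM_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")


def cim_to_datetime(value):
    """Return a timezone-aware datetime for an absolute CIM DATETIME string.
    Interval values and '*' wildcards are rejected rather than silently misread."""
    m = CIM_RE.match(value)
    if m is None:
        raise ValueError("not an absolute CIM DATETIME: %r" % value)
    y, mo, d, h, mi, s, micro = (int(x) for x in m.groups()[:7])
    minutes = int(m.group(9)) * (1 if m.group(8) == "+" else -1)
    return datetime(y, mo, d, h, mi, s, micro, tzinfo=timezone(timedelta(minutes=minutes)))


def describe_points(points):
    """Sort restore points by sequence number and render them the way rps.txt does."""
    rows = []
    for p in sorted(points, key=lambda p: p["SequenceNumber"]):
        when = cim_to_datetime(p["CreationTime"])
        rows.append("%s\n%s\nSequence Number= %d"
                    % (when.isoformat(), p["Description"], p["SequenceNumber"]))
    return rows


def new_sequence_numbers(before, after):
    """Sequence numbers present after a CreateRestorePoint call but not before it;
    an empty list means the call did not produce a visible restore point."""
    seen = {p["SequenceNumber"] for p in before}
    return sorted(p["SequenceNumber"] for p in after if p["SequenceNumber"] not in seen)


# Constructed sample records (offset -420 minutes = UTC-7, Pacific Daylight Time)
BEFORE = [
    {"CreationTime": "20090927143005.000000-420",
     "Description": "System Checkpoint", "SequenceNumber": 12},
]
AFTER = BEFORE + [
    {"CreationTime": "20091004230100.000000-420",
     "Description": "Test Wmi Restore Point", "SequenceNumber": 13},
]

if __name__ == "__main__":
    print("BEFORE:\n" + "\n".join(describe_points(BEFORE)))
    print("AFTER:\n" + "\n".join(describe_points(AFTER)))
    print("new restore points:", new_sequence_numbers(BEFORE, AFTER))
```

Keeping the offset matters when restore-point times are later lined up against event-log or AV timestamps recorded in UTC; a naive conversion can be off by the whole timezone offset.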

Re: Redirected Google web searches + Random Pop Ups

Unread postby tenmeg » October 4th, 2009, 11:43 pm

Hello - ran the file Create RP.vbs - see rps.txt file below

=================================================
rps.txt file
=================================================
BEFORE:
Error#:3
AFTER:

Re: Redirected Google web searches + Random Pop Ups

Unread postby Bio-Hazard » October 6th, 2009, 10:49 am

Hello!

Can you go into services.msc and find the System Restore Service. Then check to see if it is enabled and running. If not, then enable and try to start it. If it starts, good. If it doesn't, it should produce an error; please copy and paste that error message here.


If it is already started, then wait for further instructions.

Re: Redirected Google web searches + Random Pop Ups

Unread postby tenmeg » October 7th, 2009, 9:45 am

Hello - System Restore Service was set at automatic. I was able to 'Stop' and 'Restart' System Restore Service. NO errors.

Re: Redirected Google web searches + Random Pop Ups

Unread postby Bio-Hazard » October 9th, 2009, 11:28 am

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :file
    srwmi.dll
    
     

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Re: Redirected Google web searches + Random Pop Ups

Unread postby tenmeg » October 9th, 2009, 8:52 pm

Hello - ran SystemLook and received the following .txt file

==========================================================
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 17:48 on 09/10/2009 by TENMEG (Administrator - Elevation successful)

========== file ==========

srwmi.dll - Unable to find/read file.

-=End Of File=-
============================================================

Re: Redirected Google web searches + Random Pop Ups

Unread postby Bio-Hazard » October 10th, 2009, 1:55 pm

I would like you to please go to Start > Run and type msconfig, then press Enter.

When msconfig opens, click the launch system restore button.

Click on the radio button labelled Restore my computer to an earlier time. Then press the Next button.

When the page with the calendar appears, see if there is any available restore points. Report back on whether or not there are any restore points listed. Do nothing else. Do not try to attempt a system restore at this time. Once I see that, we'll go further, first testing System restore on its own to see if it's in working order.

Re: Redirected Google web searches + Random Pop Ups

Unread postby tenmeg » October 11th, 2009, 1:48 pm

Hello - ran the sys restore - there are NO restore dates - Hmmm - I was fooled into believing it was working.
===========================================================================================
Here is something that has happened during the past week, maybe it was the previous week - anyway I was working on my computer and one of those annoying, scanning popups appeared - it started scanning my hd and said it was infected with various trojans, etc. - I immediately closed the browser - it did not reappear when I restarted my browser. I started noticing that my computer was slowing down over the past week - couple days ago I got an email from ebay saying my ebay password had been compromised - they scrambled it and ebay asked me to create a new password - that got me to thinking how did my password get compromised and what did that really mean - then I thought about the scanning popup and wondered if the two incidents were connected - Friday my AV program said it had found a trojan by the name of sdra64.exe - I looked it up on the internet and found this site http://www.pcanswers.co.uk/blog/sdra64e ... e-21-05-09 - it explained what sdra64.exe was and how it worked - one of its features was your AV could delete it but it would reinfect itself if it was removed - the web site also gave a manual way to remove it so it would not reload itself - I tried that and it got rid of it and my computer speed returned - I then looked at my AV history to see what it showed - AVG has something called VirusVault - in addition to the sdra64.exe trojan there was something called 'CCSkeys.exe' and 'avira_antivir_personal_en.exe' in the Vault that were labelled infected - I could not find 'CCSkeys.exe' or 'avira_antivir_personal_en.exe' - there was a file called 'lowsec' in windows/system32 that was associated to the sdra64 trojan - that folder held several .ds files - I erased one of the .ds files but saved one to see if you were interested in seeing what type of data was in that file - I don't have anything that will read a .ds file - I did not want to download any program for reading .ds files - I tried to keep it short.

Re: Redirected Google web searches + Random Pop Ups

Unread postby Bio-Hazard » October 14th, 2009, 2:50 pm

Hello!

Sorry for the delay.

In light of this information, the best solution is to reformat and reinstall Windows. Did you read the information about the sdra64.exe trojan? This is the speech I give when I see this trojan.



BACKDOOR TROJAN

I'm afraid I have some bad news for you. Your computer is infected with a BACKDOOR TROJAN. Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victims' machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, Backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer, change settings on the computer and more. Please read this article by Roger A. Grimes on Remote Access Trojans; it will give you an idea of the severity of the type of infection you have.

What are Remote Access Trojans and why are they dangerous

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.


How do I respond to a possible identity theft and how do I prevent it


Because of the severity and the capabilities of this type of virus (it cannot be known what changes to your system it has made or if it opened up other ways into your system), the only responsible course of action I can advise is to reformat your computer and reinstall Windows.

Further reading:

When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Should you have any questions please feel free to ask.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK