Can't remove WinTools from registry-Huntbar remains


Post by madmurph » April 29th, 2005, 3:17 pm

It was running incredibly slow, to not at all, with numerous popups. As we have worked through these problems, the speed, especially at logon, has increased substantially. After connecting to the network, mal- and spyware start showing back up on system scan; renegade files start showing up (esp. in the System32 folder), and the speed slows, esp. at first logon or launch of IE. SpyBot always shows a file, Huntbar, in the Uninstall registry, which it can't delete. One spyware program will show "clean", then another program will show spyware files. Finally, when running CleanUp!, I noticed it was getting hits on files stored in "RECYCLER". That is when I noticed the issue with the Recycle Bin icon on Whitney's account, and the odd icon for RECYCLER in the root directory.

Post by 3162 » April 29th, 2005, 3:25 pm

OK, we'll deal with things one at a time.

Please post the results of the Spybot S&D log, for non-cleanable items only.

thanks

Post by madmurph » April 29th, 2005, 4:39 pm

Here's the spybot log (from Whitney's account): I didn't clean the hits yet, which are the same ones, among others, that show up repeatedly, regardless of prior cleaning efforts.

SpyBot Log:


--- Search result list ---
Avenue A, Inc.: Tracking cookie (Internet Explorer: Whitney) (Cookie, nothing done)


HuntBar: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools

WildTangent: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM\ClassPath


--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-04-27 Includes\Dialer.sbi
2005-04-27 Includes\Hijackers.sbi
2005-04-15 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-04-27 Includes\Malware.sbi
2005-04-27 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-04-27 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-04-27 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ MSXML4: Patch Available For XMLHTTP Vulnerability
/ Windows Media Player: Windows Media Player Hotfix [See KB837272 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB893066
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)


--- Startup entries list ---
Located: HK_LM:Run, AdaptecDirectCD
command: "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
file: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
size: 684032
MD5: 98b9c6e3225d94ab34e4d6a64f91f391

Located: HK_LM:Run, AudioHQ
command: C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
file: C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
size: 180224
MD5: a2bd6fbaf266da4ad0cafa542e11a934

Located: HK_LM:Run, Disc Detector
command: C:\Program Files\Creative\ShareDLL\CtNotify.exe
file: C:\Program Files\Creative\ShareDLL\CtNotify.exe
size: 189952
MD5: 64e86fbc8b24d2946e4a930197d61fae

Located: HK_LM:Run, gcasServ
command: "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
file: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
size: 473920
MD5: e519945deb3875341d36db0ea141e0c5

Located: HK_LM:Run, McAfeeUpdaterUI
command: "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
file: C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
size: 135251
MD5: a5123363892c9fd682dcac6b450a991c

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, ShStatEXE
command: "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
file: C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
size: 81990
MD5: f0814bd93969e2283a240ad4c6a04843

Located: HK_LM:Run, Speed racer
command: C:\Program Files\Creative\PlayCenter\CTSRReg.exe
file: C:\Program Files\Creative\PlayCenter\CTSRReg.exe
size: 5632
MD5: 8c21a9d01b5f44556ed27ba2964d1ff9

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 176173
MD5: 1fc13ec1fdce2b9a6f859ccb62fdfcba

Located: HK_LM:Run, WinampAgent
command: "C:\Program Files\Winamp3\winampa.exe"

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a



--- Browser helper object list ---


--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 8/21/2003 11:29:24 AM
Date (last access): 4/29/2005 12:53:58 PM
Date (last write): 6/15/2004 10:42:28 AM
Filesize: 360504
Attributes: archive
MD5: F88CD154B9627646E9DDA1679155E4E3
CRC32: 5B04FF79
Version: 0.6.0.5

{0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class)
DPF name:
CLSID name: sys Class
description: Gateway tools
classification: Unknown
known filename: PCPITSTOP.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\Downloaded Program Files\
Long name: PCPitStop.dll
Short name: PCPITS~1.DLL
Date (created): 7/9/2002 9:19:42 AM
Date (last access): 4/29/2005 12:56:36 PM
Date (last write): 7/9/2002 9:19:42 AM
Filesize: 241664
Attributes: archive
MD5: DA93A10A75A3B8E4B962A6225E8E7735
CRC32: 28A819FE
Version: 0.1.0.0

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 8/30/2003 8:13:46 PM
Date (last access): 4/27/2005 10:43:58 AM
Date (last write): 2/11/2003 6:02:58 AM
Filesize: 32768
Attributes: archive
MD5: 92FA0AE21D3A08B65D291724AA7D0E43
CRC32: 7B63A9DB
Version: 0.8.0.5

{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class)
DPF name:
CLSID name: MSSecurityAdvisor Class
Path: C:\WINDOWS\System32\
Long name: mssecadv.dll
Short name:
Date (created): 9/8/2004 5:38:54 PM
Date (last access): 4/28/2005 9:18:20 AM
Date (last write): 9/8/2004 5:38:54 PM
Filesize: 36960
Attributes: archive
MD5: DF203DE80E2E1C9D38492B590B00BB1D
CRC32: 4A7CC4B5
Version: 0.5.0.4

{74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
DPF name:
CLSID name: HouseCall Control
description: Trend Micro Antivirus online scanner
classification: Legitimate
known filename: XSCAN53.OCX
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\DOWNLO~1\
Long name: xscan53.ocx
Short name:
Date (created): 6/9/2004 4:56:02 PM
Date (last access): 4/27/2005 9:23:58 AM
Date (last write): 6/9/2004 4:56:02 PM
Filesize: 435712
Attributes: archive
MD5: DCFFCA7F818B4CF4DF29B8932907735D
CRC32: 89BBB9BF
Version: 0.5.0.70

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2\bin\
Long name: NPJPI142.dll
Short name:
Date (created): 2/10/2005 7:16:12 PM
Date (last access): 4/27/2005 9:23:58 AM
Date (last write): 2/10/2005 7:16:12 PM
Filesize: 65636
Attributes: archive
MD5: 4ACFBF6AB1BBE79DBD665C186B3B5AFD
CRC32: BE89D675
Version: 0.1.0.4

{99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst)
DPF name:
CLSID name: StartFirstControl.CheckFirst
Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\
Long name: StartFirstControl.ocx
Short name: STARTF~1.OCX
Date (created): 7/24/2001 10:34:04 AM
Date (last access): 4/27/2005 12:29:02 PM
Date (last write): 7/24/2001 10:34:04 AM
Filesize: 39072
Attributes: archive
MD5: 863F2079CBF499426AD11F4E1E657E63
CRC32: 608F8F44
Version: 0.1.0.0

{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2
Path: C:\Program Files\Java\j2re1.4.2\bin\
Long name: NPJPI142.dll
Short name:
Date (created): 2/10/2005 7:16:12 PM
Date (last access): 4/29/2005 1:33:38 PM
Date (last write): 2/10/2005 7:16:12 PM
Filesize: 65636
Attributes: archive
MD5: 4ACFBF6AB1BBE79DBD665C186B3B5AFD
CRC32: BE89D675
Version: 0.1.0.4

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\macromed\flash\
Long name: Flash.ocx
Short name:
Date (created): 2/24/2003 4:20:36 PM
Date (last access): 4/27/2005 12:29:04 PM
Date (last write): 6/9/2004 4:59:26 PM
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 0.7.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 4/29/2005 1:33:37 PM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 368 ( 628) alg.exe
PID: 504 ( 4) \SystemRoot\System32\smss.exe
PID: 560 ( 504) csrss.exe
PID: 584 ( 504) \??\C:\WINDOWS\system32\winlogon.exe
PID: 628 ( 584) C:\WINDOWS\system32\services.exe
PID: 640 ( 584) C:\WINDOWS\system32\lsass.exe
PID: 660 (1416) C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
PID: 768 (1416) C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
PID: 812 ( 628) C:\WINDOWS\system32\svchost.exe
PID: 824 (1416) C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
PID: 864 ( 628) svchost.exe
PID: 936 ( 628) C:\WINDOWS\System32\svchost.exe
PID: 992 ( 628) svchost.exe
PID: 1100 ( 628) svchost.exe
PID: 1172 (1116) C:\WINDOWS\system32\devldr32.exe
PID: 1280 ( 628) C:\WINDOWS\system32\LEXBCES.EXE
PID: 1308 ( 628) C:\WINDOWS\system32\spoolsv.exe
PID: 1332 (1280) C:\WINDOWS\system32\LEXPPS.EXE
PID: 1416 (1116) C:\WINDOWS\Explorer.EXE
PID: 1476 ( 628) C:\WINDOWS\System32\cisvc.exe
PID: 1496 ( 628) C:\WINDOWS\System32\CTsvcCDA.exe
PID: 1548 ( 628) C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
PID: 1624 ( 628) C:\Program Files\Network Associates\VirusScan\Mcshield.exe
PID: 1648 ( 628) C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
PID: 1688 ( 628) C:\WINDOWS\System32\nvsvc32.exe
PID: 1720 ( 812) naPrdMgr.exe
PID: 1792 ( 628) C:\WINDOWS\System32\svchost.exe
PID: 1856 ( 628) wdfmgr.exe
PID: 1940 (1416) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 1980 (1416) C:\Program Files\Creative\ShareDLL\CtNotify.exe
PID: 2032 (1416) C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
PID: 2044 (1416) C:\Program Files\QuickTime\qttask.exe
PID: 2088 ( 812) C:\Program Files\Creative\ShareDLL\MediaDet.Exe
PID: 2160 ( 812) C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
PID: 2644 (1416) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 3060 (1476) C:\WINDOWS\system32\cidaemon.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 4/29/2005 1:33:37 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dl ... r=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://search.msn.com/spbasic.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\System32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dl ... r=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://search.msn.com/spbasic.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://home.microsoft.com/search/search.asp
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD nwlnkipx [IPX]
GUID: {11058240-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware UPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkipx *

Protocol 6: MSAFD nwlnkspx [SPX]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 7: MSAFD nwlnkspx [SPX] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 8: MSAFD nwlnkspx [SPX II]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 9: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{568FE285-58D4-45EA-9FBA-8283A78F9FA5}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{568FE285-58D4-45EA-9FBA-8283A78F9FA5}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{92C6C958-0850-4ECC-BAD0-281D61A0BDE6}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{92C6C958-0850-4ECC-BAD0-281D61A0BDE6}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D13386DA-B5A2-448B-B253-A4B32DB57A10}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D13386DA-B5A2-448B-B253-A4B32DB57A10}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F08E4B06-731D-448F-8C8B-C17319CFA6C2}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F08E4B06-731D-448F-8C8B-C17319CFA6C2}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F8F99D83-ED32-4C74-96B3-7F103918DBA2}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F8F99D83-ED32-4C74-96B3-7F103918DBA2}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{22F5EBE1-0182-429D-AF8F-B8E8CC212D8D}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{22F5EBE1-0182-429D-AF8F-B8E8CC212D8D}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
GUID: {E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\nwprovau.dll
Description: Microsoft Windows NT/2k/XP Novell Netware name space provider
DB filename: %SystemRoot%\system32\nwprovau.dll
DB protocol: NWLink IPX/SPX/NetBIOS*

Post by 3162 » April 29th, 2005, 6:07 pm

Alrighty,

Please go to Add/Remove programs in Control Panel and remove, if found:
WinTools

Copy the contents of the code box below to a Notepad file, name it WinToolsRemove.reg and save it to the desktop with the file type set to All Files (*.*).
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools]

Now doubleclick WinToolsRemove.reg and allow it to Add/Merge with registry when prompted.

Next, open IE,
Click Tools
Internet Options
Tab to Advanced.
Scroll down to MicrosoftVM and uncheck any boxes which are checked.
Click OK
Reboot when prompted.

Run Spybot again, and post the non-cleanable items only.
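
As an added example, not from the thread and not Spybot's or the forum's own code, here is a PowerShell script for a modern Windows box (the 2005 XP machine had no PowerShell) that covers the two things this post is about: it audits the Uninstall keys for entries that cannot be opened at all, or whose UninstallString points at a file that no longer exists, which is how a leftover HuntBar/WinTools entry shows up, and it writes a REGEDIT4 deletion file with the same content as the code box above. The WinTools path is the one from the Spybot log; the WOW6432Node path, the function names and the output file name are my assumptions.

```powershell
# Added example, not from the thread: audit the Uninstall keys for entries that
# cannot be opened (the symptom reported in this thread) or whose uninstaller no
# longer exists, and write a REGEDIT4 removal file of the kind shown in the post.
# Run from an elevated PowerShell prompt.

function Get-SuspectUninstallEntry {
    [CmdletBinding()]
    param(
        # Native view plus the WOW6432Node view (assumed paths; the 2005 machine only had the first)
        [string[]]$Root = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        $base = Get-Item -LiteralPath $r          # a Microsoft.Win32.RegistryKey
        foreach ($name in $base.GetSubKeyNames()) {
            try {
                $sub = $base.OpenSubKey($name)
            } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
                # regedit lists the key but refuses to open it: worth a closer look
                [pscustomobject]@{ Key = "$r\$name"; Reason = 'access denied on open'; UninstallString = $null }
                continue
            }
            if ($null -eq $sub) { continue }
            $cmd = [string]$sub.GetValue('UninstallString')
            $sub.Close()
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            if (-not (Test-UninstallerPresent $cmd)) {
                [pscustomobject]@{ Key = "$r\$name"; Reason = 'uninstaller missing'; UninstallString = $cmd }
            }
        }
    }
}

function Test-UninstallerPresent([string]$Command) {
    # Quoted path: take what is inside the quotes
    if ($Command -match '^\s*"([^"]+)"') {
        return Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($Matches[1]))
    }
    # Unquoted: the path may contain spaces, so try growing prefixes of the tokens
    $tokens = $Command.Trim() -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = [Environment]::ExpandEnvironmentVariables(($tokens[0..($i - 1)] -join ' '))
        if ([IO.Path]::IsPathRooted($candidate)) {
            if (Test-Path -LiteralPath $candidate) { return $true }
        } elseif (Get-Command $candidate -ErrorAction SilentlyContinue) {
            return $true                          # e.g. MsiExec.exe found on PATH
        }
    }
    return $false
}

function New-RegistryKeyRemovalFile {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # HKEY_LOCAL_MACHINE\...\Uninstall\WinTools form
        [string]$OutFile = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'WinToolsRemove.reg')
    )
    # Same content as the post's code box: a "-" before the key name inside [] deletes the key on merge.
    # REGEDIT4 files are ANSI text, so write ASCII; a non-ASCII key name needs the
    # "Windows Registry Editor Version 5.00" format (UTF-16LE) instead.
    $text = "REGEDIT4`r`n`r`n[-$KeyPath]`r`n"
    [IO.File]::WriteAllText($OutFile, $text, [Text.Encoding]::ASCII)
    return $OutFile
}

Get-SuspectUninstallEntry | Format-Table -AutoSize
# Key path from the Spybot log; merge the file afterwards with: reg.exe import <file>
New-RegistryKeyRemovalFile -KeyPath 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools'
```

Entries reported as "access denied on open" are the interesting ones for a case like this thread: a legitimate uninstaller has no reason to lock its own Uninstall key against Administrators, so that alone is a reason to look at the key's owner and DACL before deleting anything.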

Post by madmurph » April 29th, 2005, 6:47 pm

Reg file run as directed. Rebooted and Avenue A reappeared, though "fixed" on the previous SpyBot run. Fixed again; here's the log:


--- Search result list ---
Avenue A, Inc.: Tracking cookie (Internet Explorer: Whitney) (Cookie, fixed)


HuntBar: Uninstall settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools


Rest of log removed, only asked for non-cleanable items

Post by 3162 » April 29th, 2005, 7:03 pm

I'm not dealing with AvenueA cookie right now. As I said, one thing at a time.

Click Start
Run
Type in regedit
Click Enter

In left pane of registry editor, navigate to (expand hives by clicking + next to each item in tree)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools

Then click once on the key name to highlight it and click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

Run spybot again, post the non-cleanable items from list please.

Post by madmurph » May 2nd, 2005, 12:45 pm

Good day Sir,
Clicking on the HKLM entry WinTools returns an "Error Opening Key" - cannot open WinTools: Error while opening key. Clicked OK.

Edit > Permissions returns "Security" - You do not have permission to view the current permission settings for WinTools, but you can make permission changes. Clicked OK.

"Allow Inheritable Permissions" does not appear anywhere.

In the permissions dialog box, the permission holders area is empty. The permission boxes cannot be selected. Clicking the "Advanced" button, then the "Permissions" tab, there are no permission entries and the box "Inherit from parent the permission entries that apply to child objects" is checked.

Post by madmurph » May 2nd, 2005, 12:49 pm

I omitted by error, when clicking the Advanced button, then the "Owner" tab, under "current owner" it shows - unable to display current owner.

Post by madmurph » May 6th, 2005, 10:22 am

Could I have the courtesy of a status on this thread? I sent a private e- two days ago and have heard nothing. Thank you in advance.

Post by 3162 » May 6th, 2005, 10:32 am

Hello,
sorry, but I haven't received any email notifications on this one, or PM's, but I'll review it again to see what our next course of action will be.

Post by 3162 » May 6th, 2005, 11:39 am

OK, let's do this a little differently.
This procedure might best be done in Safe Mode, logged in as Administrator.

Open regedit and Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and highlight it by l-clicking once.
Then change the permissions for that Key to allow full control.

Then navigate down to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools highlight it, r-click and delete.

Let me know if that allows you to delete the Key.
Last edited by 3162 on May 6th, 2005, 4:30 pm, edited 1 time in total.

Post by madmurph » May 6th, 2005, 2:37 pm

It might be noted that I indicated having tried this at the top of page 4 of this thread. Also, as previously noted, there are no permission entries under "Group or user names:", or under the Advanced tab, Permissions, "Permission entries:". When I attempt to add Administrator and grant full permissions, I get the error: "Unable to save permission changes on WinTools. Access is denied." If, under Advanced > Permissions, I uncheck "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here", then check "Replace permission entries on all child objects with entries shown here that apply to child objects", I get a warning: "This will remove explicitly defined permissions on all child objects and enable propagation of inheritable permissions to those child objects. Only inheritable permissions propagated from WinTools will take effect. Do you wish to continue?" I checked "No" and sent this message instead.
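
The take-ownership procedure 3162 describes, together with the "Access is denied" result madmurph gets when saving permission changes, as an added PowerShell example that is not from the thread and not regedit's or Spybot's code. Regedit's Owner tab enables SeTakeOwnershipPrivilege behind the scenes; a script has to do that itself, which is the step the GUI attempts above are missing when they fail. The script enables the privilege, sets BUILTIN\Administrators as owner, removes explicit Deny entries, grants Administrators full control down the subtree, and then deletes the key. The key path is the one from the Spybot log; the TokenPriv helper and the function name are my construction. It assumes the key can at least be opened for WRITE_OWNER once the privilege is held; a key that regedit cannot export or open by name at all, as reported later in the thread, is outside what this handles.

```powershell
# Added example, not from the thread: take ownership of a registry key that
# refuses permission changes, give Administrators full control (recursively),
# then delete it. Run from an elevated PowerShell prompt.
# Assumed target: the key named in the Spybot log above.
$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools'

# Enable SeTakeOwnershipPrivilege in our own token. Without it, WRITE_OWNER is
# checked against the key's DACL and refused, exactly as the GUI reported.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public int Count; public LUID Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, int access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string host, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state,
                                             int len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    public static bool Enable(string name) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28 /* TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY */, out token)) return false;
        try {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.Count = 1; tp.Attr = 2;                       /* SE_PRIVILEGE_ENABLED */
            if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            return Marshal.GetLastWin32Error() == 0;         /* 1300 = privilege not held by this token */
        } finally { CloseHandle(token); }
    }
}
'@

if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'SeTakeOwnershipPrivilege is not held; start PowerShell as Administrator'
}

$hklm   = [Microsoft.Win32.Registry]::LocalMachine
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'   # BUILTIN\Administrators
$PC     = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$RR     = [System.Security.AccessControl.RegistryRights]

function Repair-RegistryKeyAcl([string]$Path) {
    # 1. Owner first. With the privilege enabled this open succeeds even when the DACL denies everything.
    $k = $hklm.OpenSubKey($Path, $PC, $RR::TakeOwnership)
    if ($null -eq $k) { throw "Key not found: $Path" }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admins)
    $k.SetAccessControl($sec)          # only the owner section is modified, so only that is written
    $k.Close()

    # 2. The owner always holds READ_CONTROL and WRITE_DAC, so the DACL can now be read and rewritten.
    $k = $hklm.OpenSubKey($Path, $PC, ($RR::ReadPermissions -bor $RR::ChangePermissions))
    $sec = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    foreach ($rule in $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        # An explicit Deny wins over every Allow, so strip them before granting anything
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            $sec.RemoveAccessRuleAll($rule)
        }
    }
    $sec.SetAccessRuleProtection($false, $false)     # inherit from the parent key again
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)))
    $k.SetAccessControl($sec)
    $k.Close()

    # 3. Subkeys can carry their own locked ACLs, so repeat for each of them
    $k = $hklm.OpenSubKey($Path, $true)
    foreach ($child in $k.GetSubKeyNames()) { Repair-RegistryKeyAcl "$Path\$child" }
    $k.Close()
}

Repair-RegistryKeyAcl $SubKey
$hklm.DeleteSubKeyTree($SubKey)
if ($null -eq $hklm.OpenSubKey($SubKey)) { 'Key removed' } else { 'Key still present' }
```

The order matters: owner before DACL, because a DACL that grants nobody anything still lets the owner read and rewrite it, and explicit Deny entries before any new Allow, because access checks stop at the first matching Deny. Exporting the key with reg.exe before running this is worth the extra step when it works, since it keeps a record of what the entry contained.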

Post by 3162 » May 6th, 2005, 3:32 pm

Open regedit and Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools
and highlight it.

Now go to File
Export
save it as WinTools.txt with the file type set to All Files (*.*), to the Desktop.

Post the contents of that text file please.

Post by madmurph » May 6th, 2005, 4:03 pm

Attempting to export the registry returns the following error message - Export Registry File: "The selected branch does not exist. Make sure that the correct path is given."

Post by 3162 » May 6th, 2005, 4:29 pm

Well that makes no sense! If you can navigate to it and physically see it there, how can it not exist?
I'll research that one some more in the 'back rooms'.