Can't remove WinTools from registry-Huntbar remains

Post by madmurph » May 6th, 2005, 4:42 pm

Amen!

Post by 3162 » May 7th, 2005, 7:54 am

Please download, unzip and install RegDACL

Copy this line:
RegDACL "hklm\Software\Microsoft\Windows\CurrentVersion" /L > Result.txt

In Program Files click RegDACL.exe to run it >> this will open a DOS window.

Right-click over the DOS cursor. This will paste the line you just copied.
Click Enter
Now copy this line:
notepad Result.txt
Right-click to paste it, then click Enter

Copy contents of the text file and post them here please.

Post by madmurph » May 9th, 2005, 1:32 pm

d/l'd and extracted RegDACL. Double-clicking setup returns the following error: "16 bit Windows Subsystem": C:\Windows\System32\Autoexec.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

I clicked "Ignore", but nothing happened; there is nothing new in the program files.

Post by 3162 » May 9th, 2005, 5:31 pm

The Microsoft recommended fix for that error message is located here:
http://support.microsoft.com/default.as ... -us;324767

Alternatively, if autoexec.nt is missing or damaged, you can download it here
Unzip it, then insert or replace autoexec.nt into the System32 Folder, then RegDACL should work for you.

What I'm trying to do is see how far back up the registry hives we need to go, in order to reset the permissions.

Post by madmurph » May 9th, 2005, 6:58 pm

Excellent call -- missing autoexec.nt file. "Result text" as follows:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\Software\Microsoft\Windows\CurrentVersion:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Post by 3162 » May 9th, 2005, 7:55 pm

OK good,

Run RegDACL again, and copy this line into it:

RegDACL "hklm\Software\Microsoft\Windows\CurrentVersion" /Propagate
Click Enter

When it returns a prompt, type Exit >>enter.

Then try to manually delete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools

I have something else up my sleeve if that doesn't work ;)
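The RegDACL /L listing posted above is what the helper is reading to work out where the permissions were changed and whether a reset from the parent key will reach the locked WinTools key. The following is an added example, not code from this thread or from RegDACL's author: it parses that listing format (flag field in parentheses, ALLOW or DENY, a rights word or letter string, then the account) and flags a key whose ACL would stop an administrator deleting it in regedit. The first listing is the one posted above; the second listing and its "(----)" flag field for a non-inherited ACE are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Two RegDACL /L listings. HEALTHY_LISTING is the one posted in this thread for
# HKLM\Software\Microsoft\Windows\CurrentVersion. LOCKED_LISTING is constructed:
# a key an unwanted program has locked against deletion. The "(----)" flag field
# for a non-inherited ACE is an assumption about RegDACL's output, not from the thread.
HEALTHY_LISTING = r"""RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\Software\Microsoft\Windows\CurrentVersion:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
"""

LOCKED_LISTING = r"""Access Control List for Registry key hklm\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinTools:
(----) DENY Full access Everyone
(----) ALLOW Read BUILTIN\Administrators
"""

HEADER_RE = re.compile(r"^Access Control List for Registry key (?P<key>.+):$")
ACE_RE = re.compile(
    r"^\((?P<flags>[^)]*)\)\s+(?P<kind>ALLOW|DENY)\s+"
    r"(?P<rights>Full access|Read|[A-Z-]+)\s+(?P<trustee>\S.*?)\s*$"
)

@dataclass(frozen=True)
class Ace:
    flags: str    # inheritance flags exactly as RegDACL prints them (ID-NI, ID-IO, ...)
    kind: str     # ALLOW or DENY
    rights: str   # "Full access", "Read", or RegDACL's letter string such as QWCEN-DS--
    trustee: str  # account the entry grants or denies rights to

def parse_regdacl_listing(text):
    """Return (key path, [Ace, ...]) from the text RegDACL /L writes to Result.txt."""
    key, aces = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append(Ace(**m.groupdict()))
        # banner, copyright and blank lines fall through and are ignored
    if key is None:
        raise ValueError("no 'Access Control List for Registry key' header in input")
    return key, aces

def assess_key(text, admin=r"BUILTIN\Administrators", system=r"NT AUTHORITY\SYSTEM"):
    """Flag an ACL that would stop an administrator deleting the key through regedit.

    Two things are checked: any DENY entry (a deny is evaluated before allows for the
    accounts it covers, and Everyone covers administrators too), and the absence of a
    Full access allow for the administrators group and for SYSTEM. Letter-coded rights
    strings are reported as-is and not interpreted.
    """
    key, aces = parse_regdacl_listing(text)
    denies = [a for a in aces if a.kind == "DENY"]
    def has_full(who):
        return any(a.kind == "ALLOW" and a.rights == "Full access" and a.trustee == who
                   for a in aces)
    admin_full, system_full = has_full(admin), has_full(system)
    problems = [f"DENY {a.rights} for {a.trustee}" for a in denies]
    if not admin_full:
        problems.append(f"{admin} lacks Full access")
    if not system_full:
        problems.append(f"{system} lacks Full access")
    return {
        "key": key,
        "ace_count": len(aces),
        "deny_count": len(denies),
        "admin_full_access": admin_full,
        "system_full_access": system_full,
        "problems": problems,
        "locked": bool(problems),
    }

if __name__ == "__main__":
    for listing in (HEALTHY_LISTING, LOCKED_LISTING):
        report = assess_key(listing)
        print(f"{report['key']}: {'LOCKED' if report['locked'] else 'ok'} ({report['ace_count']} ACEs)")
        for problem in report["problems"]:
            print("   -", problem)
```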

Post by madmurph » May 10th, 2005, 1:25 pm

Ran as directed. RegDACL returned the error: "\propagate" is only available in the registered version.

Post by 3162 » May 10th, 2005, 9:14 pm

OK, let's try a different approach.

Please download this file

It is a self-extracting file. Double click it and it will create a folder named:
C:\wintools help and then C:\wintools help will open.

There's a readme in there, with specific instructions to follow closely. Here is a copy of the Read Me file:

If you have Regedit open Close it or this will not work.

After extracting this folder, double click on restore perms.bat and let it run. It will be very fast and likely just be a quick flash on the screen.

Then look at the clock in systray and wait for the minute to turn over. When it does, double click on Open regedit with priv.vbs

If you get a message about a malicious script running, ignore it and allow this to run.

It will run invisibly and you will have a wait of a minute or two.

Then the registry will open. But this will be a special version of the registry running under System. Be careful.

Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools


Right click on WinTools and click delete on the menu. See if it just deletes and you get no messages.

Post by madmurph » May 11th, 2005, 2:09 pm

Ran the priv.vbs file, I got an "error line 5" (sorry, I didn't copy the rest of the error notice -- a kernel number I believe). I clicked OK and nothing happened. I re-ran the .bat file and the .vbs file again, this time no error report and no response. I tried running after a restart, and then after a complete shutdown, and still no response. The regeditor never opened. I went to Control panel > add/rem programs and WinTool was listed. I clicked "remove" and it said the file didn't exist, did I want to remove it from the list? I clicked "yes", then reinstalled the WinTool help program. Still no response, but this time I got a script error. "Windows Script Host": Script: C:\WinTools help/open regedit with priv.vbs; Line: 34; Char: 1; Error: File not found; Code: 800A0035; Source: MS VB script runtime error.

Upon checking the registry,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools

the suspect folder is now gone without my going thru regedit to delete it. Ran SpyBot -- no threats found. Huntbar is gone! Just gets curiouser and curiouser. Next step?

Post by 3162 » May 11th, 2005, 2:55 pm

I'll look into the errors you reported, but as long as that one is gone, that's a good thing.

What other problems remain now?

Post by madmurph » May 11th, 2005, 5:03 pm

CoolWebSearch is still popping up as registry entries, though removed on prev. scans. The other is the Recycle bin and Recycler file (which no longer shows the correct file icon in the root directory, ref. pg. 5 of this thread, nor the "s" files normally found within, although CleanUp! "sees" them and id'd malware files in that locale). The recycler shows a modification date of March 14, which is about the time all these other Malware issues surfaced. In "Recycle Bin Properties", the box for "Remove immediately..." etc. is unchecked. However when moving items to the Recycle Bin, they delete immediately. On Whitney's account, the icon always shows "full" regardless of activity or attempts to change the icon. Thanx for all you folks do.

Post by 3162 » May 11th, 2005, 5:36 pm

First, let's replace Windows Scripting to see if the .vbs script I gave you will run:
Go here and download, then install Script host 5.6

http://www.microsoft.com/downloads/deta ... laylang=en

Then let's mess with recycle bin next. Two separate repairs.
You know what to do... copy the contents of the code box, save it as a .reg file (file type: All Files *.*), then double-click it and allow it to merge with the registry.

Restore empty/full icons:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
@="Shell32.dll,31"
"Full"="Shell32.dll,32"
"Empty"="Shell32.dll,31"



Replace/repair recycle bin:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
"InfoTip"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,53,00,48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,\
  2d,00,32,00,32,00,39,00,31,00,35,00,00,00
"SortOrderIndex"=dword:00000060
"IntroText"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,53,00,48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,\
  2d,00,33,00,31,00,37,00,34,00,38,00,00,00
"LocalizedString"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\
  6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
  00,5c,00,53,00,48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
  2c,00,2d,00,38,00,39,00,36,00,34,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,31,00,00,\
  00
"Empty"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,31,\
  00,00,00
"Full"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,32,\
  00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\PropertySheetHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\PropertySheetHandlers\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder]
"Attributes"=hex:40,01,00,20
"CallForAttributes"=dword:00000040
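Before merging a .reg file like the two above it is worth seeing exactly what it will write, since the hex(2) lines are UTF-16 strings and cannot be read as posted. The following is an added example, not code from this thread: it parses a Version 5.00 .reg file, joins the backslash-continued hex lines, decodes hex(2) values, and lists every key and value the file would create or delete. The sample is a constructed, trimmed copy of the "Replace/repair recycle bin" file above.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
_TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 11: "REG_QWORD"}

# Constructed sample: a trimmed copy of the "Replace/repair recycle bin" file posted above,
# already read as text (real .reg files are often UTF-16 with a BOM; decode before parsing).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
"InfoTip"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,53,00,48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,\
  2d,00,32,00,32,00,39,00,31,00,35,00,00,00
"SortOrderIndex"=dword:00000060

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,31,00,00,\
  00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder]
"Attributes"=hex:40,01,00,20
"CallForAttributes"=dword:00000040
"""

def _join_continuations(text):
    # A value whose hex data ends in a backslash continues on the next (indented) line.
    joined, pending = [], None
    for raw in text.splitlines():
        piece = raw.strip()
        pending = piece if pending is None else pending + piece
        if pending.endswith("\\"):
            pending = pending[:-1]
            continue
        joined.append(pending)
        pending = None
    if pending is not None:
        joined.append(pending)
    return joined

def _decode_value(rhs):
    """Turn the right-hand side of name=value into (registry type name, Python value)."""
    if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
        return "REG_SZ", re.sub(r'\\(["\\])', r"\1", rhs[1:-1])
    if rhs.startswith("dword:"):
        return "REG_DWORD", int(rhs[6:], 16)
    m = re.fullmatch(r"hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<data>.*)", rhs)
    if not m:
        raise ValueError(f"unrecognised value syntax: {rhs!r}")
    kind = int(m.group("t"), 16) if m.group("t") else 3
    data = bytes(int(b, 16) for b in m.group("data").split(",") if b.strip())
    if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ in hex form are NUL-terminated UTF-16LE
        return _TYPE_NAMES[kind], data.decode("utf-16-le").rstrip("\0")
    return _TYPE_NAMES.get(kind, f"hex({kind:x})"), data

def parse_reg(text):
    """Parse a Version 5.00 .reg file into {key path: {value name: (type, value)}};
    a key the file deletes ([-HKEY...]) maps to None and the default value is named ''."""
    lines = _join_continuations(text)
    if not lines or lines[0] != REG_HEADER:
        raise ValueError("expected a 'Windows Registry Editor Version 5.00' header")
    keys, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":
            path = line[1:-1]
            if path.startswith("-"):
                keys[path[1:]], current = None, None
            else:
                current = keys.setdefault(path, {})
            continue
        if current is None:
            raise ValueError(f"value outside any key section: {line!r}")
        name, _, rhs = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        current[name] = _decode_value(rhs.strip())
    return keys

def review(keys):
    """Readable lines to check before merging: what the file creates or deletes."""
    out = []
    for path, values in keys.items():
        if values is None:
            out.append(f"DELETE KEY {path}")
            continue
        out.append(f"KEY {path}")
        for name, (kind, value) in values.items():
            out.append(f"    {name or '(Default)'} [{kind}] = {value!r}")
    return out
```

Running `print("\n".join(review(parse_reg(SAMPLE_REG))))` shows, for instance, that InfoTip expands to `@%SystemRoot%\system32\SHELL32.dll,-22915`, a resource string in shell32.dll rather than an executable.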

Post by madmurph » May 11th, 2005, 7:28 pm

Reinstalled script editor; program still did not run. Installed reg key changes; no effect on "Recycle Bin" or "Recycler folder". I know it wasn't requested but, ran AdAware showing the 'hits' in the Recycler Folder -- see "eUniverse Object Recognized!". Log as follows:


Ad-Aware SE Build 1.05
Logfile Created on:Wednesday, May 11, 2005 2:38:33 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R44 10.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
ClickSpring(TAC index:6):1 total references
eUniverse(TAC index:10):1 total references
PeopleOnPage(TAC index:9):4 total references
Tracking Cookie(TAC index:3):15 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

5-11-2005 2:38:33 PM - Scan started. (Full System Scan)

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 15
Objects found so far: 15



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PeopleOnPage Object Recognized!
Type : File
Data : AutoUpdaterInstaller[1].exe
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Whitney\Local Settings\Temporary Internet Files\Content.IE5\812RC52B\



eUniverse Object Recognized!
Type : File
Data : Dc333.jpg
Category : Data Miner
Comment :
Object : C:\RECYCLER\S-1-5-21-2025429265-1078145449-1957994488-1003\



ClickSpring Object Recognized!
Type : File
Data : Dc420.exe
Category : Malware
Comment :
Object : C:\RECYCLER\S-1-5-21-2025429265-1078145449-1957994488-1003\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
75 entries scanned.
New critical objects:0
Objects found so far: 18




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PeopleOnPage Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\DOCUME~1\Whitney\LOCALS~1\Temp\AutoUpdate0

PeopleOnPage Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\DOCUME~1\Whitney\LOCALS~1\Temp\Atf

PeopleOnPage Object Recognized!
Type : File
Data : setup.inf
Category : Data Miner
Comment :
Object : C:\DOCUME~1\Whitney\LOCALS~1\Temp\autoupdate0\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 21

2:48:25 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:52.91
Objects scanned:129784
Objects identified:21
Objects ignored:0
New critical objects:21

Post by 3162 » May 13th, 2005, 8:53 am

Hello, didn't forget you, just been tied up at the shop here. Oddly enough, I had a similar WinTools registry entry which didn't want to leave.

Let's have another go at the Recycle bin.

Start >>Run
cmd
Copy this line into command window:
del "C:\RECYCLER\S-1-5-21-2025429265-1078145449-1957994488-1003\*"

at the prompt (are you sure), type y then click Enter

This should empty the Recycle Bin.

Edit... might be a few folders left in there, so after doing the above, open command window again and copy
dir "C:\RECYCLER\S-1-5-21-2025429265-1078145449-1957994488-1003" > result.txt

then

notepad result.txt

Copy info from notepad file to your next post here please.

Post by madmurph » May 13th, 2005, 12:45 pm

What? A life outside of MalWare? Yikes! No prob on the wait; I'm finding the whole undertaking rather intriguing esp. the cleverness of these buggers.

Ran your script in both normal and safe mode. Both resulted in "Access Denied." But then, no surprise there, eh?