Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Can not remove virus from registry

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Can not remove virus from registry

Unread postby tomred » December 22nd, 2011, 8:26 am

Hi,

I have a virus that I cannot get rid of. It seems to have infected all the executable that start at startup. I have tried to remove the entries from the registry but after editing the registry then re-running regedit the entries are there again.

Below is the dss log. I have coloured the lines that is causing the problem. I have tried the spybot search & destroy bootable CD but this hasn't removed the problem.

Can anyone offer any advice that might help?
Thanks in advance.
Dermot

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_30
Run by rilari at 11:54:40 on 2011-12-22
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2956 [GMT 0:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\rilari\Start Menu\Programs\Startup\procexp.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.euro.dell.com
uSearch Bar = hxxp://dellsearchedit.myway.com/samisc/ ... jhtml?p=EC
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\rilari\local settings\application data\qvlvqdnq\yydibgwh.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [YydIbgwh] c:\documents and settings\rilari\local settings\application data\qvlvqdnq\yydibgwh.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\rilari\start menu\programs\startup\procexp.exe
StartupFolder: c:\documents and settings\rilari\start menu\programs\startup\yydibgwh.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
Hosts: 127.0.0.1 http://www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rilari\application data\mozilla\firefox\profiles\ax473d8m.default\
FF - prefs.js: browser.startup.homepage - hxxp://sirius/login
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-12-22 10:56:47 90991 ----a-w- c:\windows\yydibgwh.exe
2011-12-22 10:56:47 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{09d1b27d-ee97-40c5-bbba-eba5b075671a}\offreg.dll
2011-12-22 10:30:44 194 ----a-w- c:\windows\spl_clean.bat
2011-12-21 18:24:47 -------- d-----w- c:\documents and settings\rilari\local settings\application data\qvlvqdnq
2011-12-21 17:56:09 -------- d-sh--r- C:\cmdcons
2011-12-21 17:56:07 -------- d-----w- c:\windows\setup.pss
2011-12-21 17:51:37 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-12-21 11:37:40 -------- d-----w- c:\windows\system32\PreInstall
2011-12-21 11:37:39 -------- d--h--w- c:\windows\$hf_mig$
2011-12-20 14:30:53 -------- d-----w- c:\documents and settings\rilari\local settings\application data\Apple Computer
2011-12-20 14:29:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-20 10:02:50 -------- d-----w- c:\documents and settings\rilari\.rbstrade
2011-12-20 10:00:03 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-12-20 09:50:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-20 09:50:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-16 16:13:06 -------- d-----w- c:\documents and settings\rilari\local settings\application data\Identities
2011-12-16 11:53:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-16 11:49:13 -------- d-----w- c:\program files\Spybot - Search & Destroy SBE
2011-12-16 11:49:13 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-12-15 16:17:42 319901 ------w- c:\program files\internet explorer\plugins\NPDocBox.dll
2011-12-15 16:17:42 103312 ------w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-15 16:17:42 -------- d-----w- c:\windows\system32\Adobe
2011-12-15 16:17:42 -------- d-----w- c:\windows\Profiles
2011-12-15 16:17:38 306688 ----a-w- c:\windows\IsUninst.exe
2011-12-15 14:03:35 -------- d-----w- c:\documents and settings\rilari\local settings\application data\Mozilla
2011-12-15 14:02:53 -------- d-----w- c:\documents and settings\rilari\application data\Pegasus Mail
2011-12-15 13:39:43 221700 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-12-15 13:39:43 221697 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-12-15 13:39:43 221663 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-12-15 13:39:43 221659 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-12-15 13:39:43 221625 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-12-15 13:39:43 221584 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-12-15 13:39:43 221534 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-12-15 13:39:36 1409 ----a-w- c:\windows\QTFont.for
2011-12-15 13:39:26 2321288 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-12-15 13:39:17 6823496 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{09d1b27d-ee97-40c5-bbba-eba5b075671a}\mpengine.dll
2011-12-15 13:38:22 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-15 13:37:52 -------- d-----w- c:\program files\PDFCreator
2011-12-15 13:09:21 -------- d-----w- c:\windows\ServicePackFiles
2011-12-15 13:09:16 294912 ------w- c:\program files\windows media player\dlimport.exe
2011-12-15 13:09:14 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2011-12-15 13:07:50 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-12-15 13:03:06 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2011-12-15 13:03:05 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2011-12-15 13:03:05 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2011-12-15 13:03:01 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2011-12-15 13:03:00 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2011-12-15 12:34:08 712976 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2011-12-15 12:33:22 -------- d-----w- C:\PMAIL
2011-12-15 12:15:44 -------- d-----w- c:\windows\ShellNew
2011-12-15 11:47:22 -------- d-----w- c:\program files\ATI Technologies
2011-12-15 11:47:05 307613 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-12-15 11:14:38 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-12-15 11:14:29 614532 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2011-12-15 11:14:29 319834 ------w- c:\program files\common files\installshield\iscript\IScript.dll
2011-12-15 11:14:29 270702 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-12-15 11:14:29 172553 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-12-15 11:14:29 127376 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-12-15 11:14:17 156160 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2011-12-15 11:14:17 156160 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2011-12-15 11:14:17 -------- d-----w- c:\program files\Broadcom
2011-12-15 11:13:26 -------- d-----w- C:\spl
2011-12-15 11:12:02 -------- d-s---w- c:\windows\system32\Microsoft
.
==================== Find3M ====================
.
.
============= FINISH: 11:55:24.35 ===============
tomred
Active Member
 
Posts: 2
Joined: December 22nd, 2011, 8:16 am
Advertisement
Register to Remove

Re: Can not remove virus from registry

Unread postby deltalima » December 22nd, 2011, 1:30 pm

Hi tomred,

Is this a home computer or do you use it for work?

Is there a reason that Internet Explorer has not been upgraded from version 6?
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Can not remove virus from registry

Unread postby tomred » December 22nd, 2011, 1:40 pm

Home, although I use it for work and it's attached to my ADSL router with another (old) PC which is where I am writing this from.

I never use IE so I never updated it.
Dp.
tomred
Active Member
 
Posts: 2
Joined: December 22nd, 2011, 8:16 am

Re: Can not remove virus from registry

Unread postby deltalima » December 22nd, 2011, 1:42 pm

I see you are posting for help for a "Business" computer.

May I draw your attention to THIS topic, which you should have read before posting for help.

The section Posting for help for business machines explains why we do not offer help for such computers.

This topic is now closed
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 25 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware