Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Spybot is unable to fix 27 problems...

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Navigator » July 9th, 2006, 9:00 pm

Hello rbanything...

I need to check something about those Spybot entries, and I'll get back to you on that....I need to find out if those entries are in the restricted zone (W=4) or does that notation mean they are NOT in the restricted zone like they should be...

In the meantime, you can delete these files/folders to take care of the results of the PandaScan:

c:\windows\keyboard191.dat <==this file
c:\program files\EQAdvice <==this folder


2 questions:

1. You still haven't told me if you are having any particular problems with your computer or if the only thing you are concerned about is the Spybot results themselves...this helps me figure out what is going on!

2. Have you installed IE-SPYAD or other restricted-sites software?

Thanks, I'll be back...
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri
Advertisement
Register to Remove

IE-SPYAD I may have without knowing that I installed it.....

Unread postby rbanything » July 9th, 2006, 10:11 pm

I believe that I was fooled into installing something malicious when I tried to search for a way to remove cool WWW search. I did a search on google.com for a way to remove cool WW W. search. I tried to download CW shredder and nothing happened when I hit run. I believe that I unknowingly installed more spy ware.

After I tried to fix by following the instructions that I found from the search, I ran another spy bot scan and and 27 entries then showed up. Before, spy bot did not isolate the cool WW W. search. I only saw cool WW W search files showing up as the scan was running in spy bot. That is the reason that I tried to remove it in the first place; I had seen cool www search showing up along the bottom of my screen during the scan with spy bot.
My homepage changed on me on its own probably about three or four times. One time when I was trying to access my pictures on sprint.com, I was totally blocked. I typed in the correct web address and hit go on over and over. Some search page kept popping up. This has not happened to me in at least 10 days or so. I was only blocked on that one occasion.[/img]
rbanything
Regular Member
 
Posts: 20
Joined: July 3rd, 2006, 2:09 pm
Location: East Tennessee

Unread postby Navigator » July 9th, 2006, 10:27 pm

I'm waiting on an answer from another expert about your Spybot entries...

I'll get back to you when I get an answer, hopefully soon but it may be tomorrow...

Those Spybot entries are not malicious in and of themselves since they are registry keys describing sites in different 'zones' (i.e. restricted etc)..they are not evidence of a current infection with anything but I need to get some info on exactly what they mean before we proceed.

Thanks for your patience...
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Navigator » July 10th, 2006, 12:00 am

Hello rbanything....I need you to do something for me:

Please save the following text in the quote box below to Notepad:
regedit /e peek.txt "HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestcounter.biz"

notepad peek.txt


Save the file as type all files, and save it to your desktop as peek.bat.

Go to your desktop and double-click peek.bat which will produce a notepad text file.

Copy and paste the contents of the the text file here for me to review...
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

it will not open

Unread postby rbanything » July 10th, 2006, 12:12 am

I did what you said...............It tries to open, but it just flashes.........it flashes but will not stay on the screen............
rbanything
Regular Member
 
Posts: 20
Joined: July 3rd, 2006, 2:09 pm
Location: East Tennessee

Re: it will not open

Unread postby Navigator » July 10th, 2006, 7:47 am

rbanything wrote:I did what you said...............It tries to open, but it just flashes.........it flashes but will not stay on the screen............


Hmmm...it should produce a notepad file that stays open. Did you look on the desktop for a newly created notepad file called peek.txt?

The other possible problem may be that the text you copied into notepad did not copy correctly to make the batch file run..I'm repeating the instructions:

1. Please save the following text in the quote box below to Notepad:
regedit /e peek.txt "HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestcounter.biz"

notepad peek.txt


Save the file as type all files, and save it to your desktop as peek.bat.

Go to your desktop and double-click peek.bat which will produce a notepad text file.

Before saving the file in notepad, click the edit tab up top and make sure Word wrap is unchecked...the file needs to be saved with the command and registry key on the same line like above, i.e, this below will NOT work:
regedit /e peek.txt
"HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestcounter.biz"

notepad peek.txt


Please try this again...
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

I did this.

Unread postby rbanything » July 10th, 2006, 9:00 am

I saved in Notepad, but there was no option to save as all files. I saved it as an RTF file.
I believe that I saved it correctly because a shortcut with an icon was created on my desktop as peek.bat. :cry: That part worked.
When I try to open it by selecting open or double-clicking the icon on my desktop it tries to open. I see a small window with a black background and text appearing quickly and disappearing. The window flashes as if it's being blocked. It's just as if there is a pop-up blocker against this window.
rbanything
Regular Member
 
Posts: 20
Joined: July 3rd, 2006, 2:09 pm
Location: East Tennessee

This is what happens when I click edit.

Unread postby rbanything » July 10th, 2006, 9:06 am

I cannot open it but I can click edit and this appears:


{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\froman\fcharset0 Times New Roman;}{\f1\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\sb100\sa100\f0\fs24 regedit /e peek.txt \line "HKEY_USERS\\S-1-5-21-2995775916-592914421-636505945-1005\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\bestcounter.biz" \line\line notepad peek.txt\par
\pard\f1\fs20\par
}
rbanything
Regular Member
 
Posts: 20
Joined: July 3rd, 2006, 2:09 pm
Location: East Tennessee

I took a screenshot and very quickly and saved it.

Unread postby rbanything » July 10th, 2006, 2:46 pm

May I send you this screenshot that I saved with word?

I captured the screen shot during an ad ware SE scan. When I double clicked on the shortcut that I created on my desktop for peek.bat, I managed to quickly take a snapshot of the screen
because my system was running slower due to the scan. The window still wouldn't stay on the screen, but I managed to capture it when it flashed.

It says can not find the path specified.
It has about 13 lines. I want to send this to you as an attachment somehow so that you can see for yourself what it says.
It has a black background with white writing. I believe it says not recognized as an internal or external command. And then it says something about a batch file.
rbanything
Regular Member
 
Posts: 20
Joined: July 3rd, 2006, 2:09 pm
Location: East Tennessee

Okay scratch all that. I now saved it with notepad instead

Unread postby rbanything » July 10th, 2006, 3:07 pm

I went back and saved to notepad. I was previously trying to save peek.bat with WordPad.

How do I paste the results? The screen that I create with the peek.bat notepad shortcut that I put on my desktop(the one with the black background)-- I can not copy and paste it????

How do I send you attachments? If I can send you attachments, I can let you see what my screen is displaying with snapshots.[/img]
rbanything
Regular Member
 
Posts: 20
Joined: July 3rd, 2006, 2:09 pm
Location: East Tennessee

Okay I have it now

Unread postby rbanything » July 10th, 2006, 3:20 pm

Here it is--- peek.bat

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestcounter.biz]
"http"=dword:00000004
rbanything
Regular Member
 
Posts: 20
Joined: July 3rd, 2006, 2:09 pm
Location: East Tennessee

Unread postby Navigator » July 10th, 2006, 7:53 pm

rbanything....

What that registry key tells me is that bestcounter.biz has been placed in the restricted zone for the 'http' protocol, but not for 'all' protocols which Spybot apparently wants. It's possible that you downloaded some other restricted-site protocol program (like IE-SPYAD) which changed Spybot's zone/protocol designation for these sites that it has flagged as 'problems'.

In short, these entries are NOT indicative of the presence of malware on your system.

It has been suggested to me that what we should do to try and resolve these 'problems' from Spybot is for you to:

1. Update Spybot with the latest update
2. Re-immunize your system with the Spybot immunize function after the update (here is a tutorial on Spybot for reference if needed).
3. Rescan with Spybot and see if these 'problems' are still flagged or present.

Give this a shot and tell me what happens....
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

I had 27 entries and now I have 20 entries.........

Unread postby rbanything » July 10th, 2006, 8:43 pm

--- Report generated: 2006-07-10 20:35 ---

CoolWWWSearch.BadZoneMap: Settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bestcounter.biz\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\05p.com\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com\*!=W=4

CoolWWWSearch.Leftovers: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com\*!=W=4

CoolWWWSearch.Mupdate: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com\*!=W=4

CoolWWWSearch.Toolband: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com\*!=W=4

CoolWWWSearch.WinRes: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\offshoreclicks.com\*!=W=4

ABetterInternet: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com\*!=W=4

NeedEdware: Settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\neededware.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cc20foreva.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fast-look.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fuck-fuck.org\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letgohome.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msnprotection.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\t34rulit.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\toprefsys.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\visitfriend.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webpidor.biz\*!=W=4


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-06-15 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-07-07 Includes\Cookies.sbi (*)
2006-07-07 Includes\Dialer.sbi (*)
2006-07-07 Includes\Hijackers.sbi (*)
2006-07-07 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-07-07 Includes\Malware.sbi (*)
2006-07-07 Includes\PUPS.sbi (*)
2006-07-07 Includes\Revision.sbi (*)
2006-07-07 Includes\Security.sbi (*)
2006-07-07 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-07-07 Includes\Trojans.sbi (*)
rbanything
Regular Member
 
Posts: 20
Joined: July 3rd, 2006, 2:09 pm
Location: East Tennessee

Unread postby Navigator » July 10th, 2006, 9:07 pm

Ok, the next thing to try to fix the 'problem' is this...let's 'reset' your restricted zone entries:

1. RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will just clear all sites in the domains and Ranges keys..it doesn't really 'install'.

2. Re-immunize the system with Spybot after using DelDomains.

3. Re-scan with Spybot and see if this resolves the issue.
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

that worked.....thanks...all gone......

Unread postby rbanything » July 10th, 2006, 11:04 pm

I STILL SEE COOLWWWSEARCH AND MANY OTHER FILES LIKE GAIN GATOR when I am running the scan along the bottom of the screen........IS THERE ANY WAY TO GET RID OF THOSE FILES, so that spybot doesnt even have to scan them........???



--- Report generated: 2006-07-10 22:59 ---

WildTangent: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-2995775916-592914421-636505945-1007\Software\WildTangent


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-06-15 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-07-07 Includes\Cookies.sbi (*)
2006-07-07 Includes\Dialer.sbi (*)
2006-07-07 Includes\Hijackers.sbi (*)
2006-07-07 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-07-07 Includes\Malware.sbi (*)
2006-07-07 Includes\PUPS.sbi (*)
2006-07-07 Includes\Revision.sbi (*)
2006-07-07 Includes\Security.sbi (*)
2006-07-07 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-07-07 Includes\Trojans.sbi (*)
rbanything
Regular Member
 
Posts: 20
Joined: July 3rd, 2006, 2:09 pm
Location: East Tennessee
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 354 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware