Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Adware.Trymedia.B.2


Post by Shaenaus » August 17th, 2006, 8:26 pm

Thanks for your patience, Navigator. I will do as you suggest when I return from another business trip that I am on. I will post the result Tuesday next.

Shane.
Shaenaus
Regular Member
 
Posts: 26
Joined: July 31st, 2006, 8:20 pm

Post by Navigator » August 17th, 2006, 8:28 pm

No problem Shane....

I've actually been discussing your problem with some other experts...none have seen something exactly like this, but we are coming up with some options and ideas.

Just post the log when you return and we'll go from there..have a good trip!
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Post by Shaenaus » August 22nd, 2006, 4:31 am

Gday Navigator,

Here is the WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 12/06/2005 3:21:20 AM 280829212 C:\Program Files\battlefield_1942_patch_v1.6.19.exe
FSG! 12/06/2005 3:21:20 AM 280829212 C:\Program Files\battlefield_1942_patch_v1.6.19.exe
UPX! 20/08/2005 4:18:58 PM 724030272 C:\Program Files\bf1942_1.mdf
FSG! 20/08/2005 4:18:58 PM 724030272 C:\Program Files\bf1942_1.mdf
PEC2 20/08/2005 4:18:58 PM 724030272 C:\Program Files\bf1942_1.mdf
UPX! 20/08/2005 4:27:08 PM 508876368 C:\Program Files\BF1942_2.mdf
FSG! 20/08/2005 4:27:08 PM 508876368 C:\Program Files\BF1942_2.mdf
UPX! 27/10/2005 6:48:00 AM 5126656 C:\Program Files\trial_setup.msi

Checking %WinDir% folder...
PEC2 6/05/2006 12:01:48 PM 20992 C:\WINDOWS\igBrowse.exe
PECompact2 6/05/2006 12:01:48 PM 20992 C:\WINDOWS\igBrowse.exe
PEC2 6/05/2006 8:44:32 AM 18432 C:\WINDOWS\igUninst.exe
PECompact2 6/05/2006 8:44:32 AM 18432 C:\WINDOWS\igUninst.exe
PEC2 19/05/2006 11:43:14 AM 82944 C:\WINDOWS\npigl.dll
PECompact2 19/05/2006 11:43:14 AM 82944 C:\WINDOWS\npigl.dll

Checking %System% folder...
UPX! 2/09/2004 12:49:56 AM 284672 C:\WINDOWS\SYSTEM32\avisynth.dll
aspack 26/05/2005 3:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
PEC2 31/03/2003 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 19/06/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 3/08/2006 11:22:50 AM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/08/2006 11:22:50 AM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 4/08/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 4/08/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 19/12/2004 11:00:00 PM 111104 C:\WINDOWS\SYSTEM32\uharc.exe
winsync 31/03/2003 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 19/06/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
PTech 3/08/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
22/08/2006 1:08:00 PM S 2048 C:\WINDOWS\bootstat.dat
21/08/2006 9:38:02 PM H 54156 C:\WINDOWS\QTFont.qfn
10/08/2006 10:07:44 PM HS 7680 C:\WINDOWS\Thumbs.db
12/07/2006 9:17:02 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
12/07/2006 9:17:02 PM RH 0 C:\WINDOWS\assembly\pubpol17.dat
13/07/2006 1:24:10 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index29.dat
13/07/2006 1:24:10 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index2a.dat
7/07/2006 5:03:30 PM S 10690 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914440.cat
5/07/2006 10:21:58 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917422.cat
28/07/2006 10:16:08 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat
28/07/2006 12:00:28 AM S 10337 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat
21/07/2006 7:03:14 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat
27/06/2006 5:47:22 AM S 11929 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920683.cat
14/07/2006 12:24:46 AM S 13050 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921398.cat
15/07/2006 2:13:00 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921883.cat
15/07/2006 1:53:20 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922616.cat
22/08/2006 1:08:08 PM H 16384 C:\WINDOWS\system32\config\default.LOG
22/08/2006 1:08:32 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
22/08/2006 1:08:02 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
22/08/2006 1:08:58 PM H 94208 C:\WINDOWS\system32\config\software.LOG
22/08/2006 1:08:10 PM H 1085440 C:\WINDOWS\system32\config\system.LOG
11/08/2006 7:04:02 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
14/07/2006 4:36:56 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c1c0e2cd-7aed-473b-abee-a8c6af13206e
14/07/2006 4:36:56 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
15/07/2006 6:06:26 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\84585aad-c7b1-424a-977c-fad125ad0c1f
15/07/2006 6:06:26 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
22/08/2006 1:11:30 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
22/08/2006 1:06:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT
5/08/2006 4:35:08 PM H 1024 C:\WINDOWS\Temp\SST5A.tmp.LOG
25/06/2006 1:05:48 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
25/06/2006 1:05:48 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0MMU70I9\desktop.ini
25/06/2006 1:05:48 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\F5WWBORW\desktop.ini
25/06/2006 1:05:48 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KPMJSX2B\desktop.ini
25/06/2006 1:05:48 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RCEYODT6\desktop.ini

Checking for CPL files...
25/05/2004 4:06:58 PM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 31/03/2003 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 31/03/2003 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 28/07/2003 3:19:00 PM 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 31/03/2003 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 31/03/2003 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 4/08/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 31/03/2003 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 31/03/2003 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 31/03/2003 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 31/03/2003 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
13/06/2006 5:51:48 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
15/04/2006 12:23:02 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
15/04/2006 9:50:14 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
11/08/2006 4:36:38 PM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
15/04/2006 12:23:02 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
16/04/2006 9:24:18 PM 879 C:\Documents and Settings\Administrator\Application Data\AdobeDLM.log
15/04/2006 9:50:14 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
16/04/2006 9:24:18 PM 0 C:\Documents and Settings\Administrator\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\MagicISO
{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{D653647D-D607-4df6-A5B8-48D2BA195F7B}
= C:\Program Files\Softwin\BitDefender9\bdshelxt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
= C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\MagicISO
{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D653647D-D607-4df6-A5B8-48D2BA195F7B}
= C:\Program Files\Softwin\BitDefender9\bdshelxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
= C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\MagicISO
{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
= "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}
MenuText = @xpsp3res.dll,-20001 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
InCD "C:\Program Files\Nero\Nero 7\InCD\InCD.exe"
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
BDMCon C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
PWRISOVM.EXE "C:\Program Files\PowerISO\PWRISOVM.EXE"
BDNewsAgent "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
BDSwitchAgent "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
THGuard "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
!ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
NvMediaCenter "RUNDLL32.EXE" C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
SpybotSD TeaTimer "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveAutoRun 768


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
WPDShServiceObj {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 22/08/2006 5:49:08 PM
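Logs like the WinPFind output above are normally read by eye, line by line. As an added example (not part of this thread, of WinPFind, or of MalwareRemoval.com's own tooling), the Python script below parses WinPFind's folder-scan lines into one record per file, merges the several label lines the tool prints for the same file (UPX! and FSG! for one executable, for instance), and lists packed or protected files modified within a chosen window before the scan time. The sample input is constructed from lines of the log posted above; the set of packer labels and the day/month/year date format are assumptions that match that log. As the scanner's own warning says, a packer label is a lead, not a verdict: on this sample the newest hits are MRT.exe and LegitCheckControl.dll, both Microsoft-shipped components (the Malicious Software Removal Tool and Windows Genuine Advantage).

```python
"""Triage helper for WinPFind folder-scan output (added example, not part of WinPFind)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Labels WinPFind prints in the first column for packed/protected files (assumed set,
# taken from the log above). A packer alone proves nothing; it only says "look closer".
PACKER_LABELS = {"UPX!", "FSG!", "PEC2", "PECompact2", "aspack", "PTech"}

# One scan line: [label or vendor] dd/mm/yyyy h:mm:ss AM|PM [RHS attrs] size path
LINE_RE = re.compile(
    r"^(?:(?P<label>.*?)\s+)?"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)"
    r"(?:\s+(?P<attrs>[A-Z]{1,4}))?"
    r"\s+(?P<size>\d+)\s+(?P<path>\S.*)$"
)
SCAN_END_RE = re.compile(
    r"Scan completed on (\d{1,2}/\d{1,2}/\d{4}) (\d{1,2}:\d{2}:\d{2} [AP]M)"
)


@dataclass
class Entry:
    path: str
    modified: datetime
    size: int
    attrs: str = ""                          # R/H/S attribute letters, if printed
    labels: set = field(default_factory=set)  # packer labels or vendor name


def parse_timestamp(date: str, time: str) -> datetime:
    # WinPFind writes the machine's short date; this log uses day/month/year (assumed).
    return datetime.strptime(f"{date} {time}", "%d/%m/%Y %I:%M:%S %p")


def parse_log(text: str) -> list:
    """Collect scan lines into one Entry per file, merging repeated label lines."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, registry dumps, blank lines
        key = m["path"].lower()
        e = entries.get(key)
        if e is None:
            e = Entry(m["path"], parse_timestamp(m["date"], m["time"]),
                      int(m["size"]), m["attrs"] or "")
            entries[key] = e
        if m["label"]:
            e.labels.add(m["label"])
    return list(entries.values())


def scan_time(text: str):
    """Timestamp from the 'Scan completed on ...' trailer, or None if absent."""
    m = SCAN_END_RE.search(text)
    return parse_timestamp(m.group(1), m.group(2)) if m else None


def triage(entries, now: datetime, window_days: int = 60) -> list:
    """Packed/protected files modified within window_days before `now`, newest first."""
    cutoff = now - timedelta(days=window_days)
    hits = [e for e in entries if e.labels & PACKER_LABELS and e.modified >= cutoff]
    return sorted(hits, key=lambda e: e.modified, reverse=True)


# Constructed sample: a handful of lines excerpted from the log posted above.
SAMPLE_LOG = r"""
Checking %WinDir% folder...
PEC2 6/05/2006 12:01:48 PM 20992 C:\WINDOWS\igBrowse.exe
PECompact2 6/05/2006 12:01:48 PM 20992 C:\WINDOWS\igBrowse.exe
PEC2 19/05/2006 11:43:14 AM 82944 C:\WINDOWS\npigl.dll
PECompact2 19/05/2006 11:43:14 AM 82944 C:\WINDOWS\npigl.dll

Checking %System% folder...
aspack 4/08/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PTech 19/06/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 3/08/2006 11:22:50 AM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/08/2006 11:22:50 AM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
22/08/2006 1:08:00 PM S 2048 C:\WINDOWS\bootstat.dat
21/08/2006 9:38:02 PM H 54156 C:\WINDOWS\QTFont.qfn

Checking for CPL files...
Microsoft Corporation 4/08/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl

Scan completed on 22/08/2006 5:49:08 PM
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    now = scan_time(SAMPLE_LOG)
    for e in triage(entries, now, window_days=120):
        print(f"{e.modified:%Y-%m-%d} {','.join(sorted(e.labels)):18} {e.size:>9} {e.path}")
```

Run it as-is to see the four packed files changed in the 120 days before the scan, newest first; narrow `window_days` to 60 and only MRT.exe remains. The point of keeping the window adjustable is that the tool's own "last 60 days" section already filters by date, while the packer sections do not, so a helper like this is the cheapest way to cross those two views before asking a second set of eyes to read the whole log.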

Post by Navigator » August 22nd, 2006, 4:35 pm

Hello Shaenaus...I am going through your WinPFind log with a fine tooth comb...at first glance however I do not see too much. I am also going to get another set of eyes on it if I can.

In the meantime, can you do this:

1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. Log into your usual account.

2. Once in safe mode, please Clean Temporary Files:

  • Go to Start » Run » type: cleanmgr » OK.
  • Choose (C: ) and then click OK.
  • Make sure these are the only ones that are checked :

    • Temporary Internet Files
    • Temporary Files
    • Recycle Bin
  • Click OK to remove them.
  • Click Yes to confirm the deletion.

3. Repeat the Ewido scan as per the last time you ran it.

4. Reboot into normal mode and run this scan:

Download and Save Blacklight to your desktop:

  • Doubleclick on blbeta.exe.
  • Click on Scan.
  • Once the Scan is Finished, click on Next.
  • Click on Exit.
  • A new document will be produced on the desktop.
  • Open this document with Notepad.
  • Copy and Paste its contents in a reply.


Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

5. Post back with the Ewido scan results and the Blacklight results.

Post by Shaenaus » August 22nd, 2006, 11:08 pm

I have been doing all the tests, etc, logged in as Administrator.

The problem with Adware seems to be mainly in one particular user account.

Should I do the tests, etc, logged into that account or is it OK to still do everything logged into the Administrator account?

Post by Navigator » August 22nd, 2006, 11:16 pm

You should log into your USUAL account in safe mode.....

The administrator account in safe mode is established by Windows XP at installation by default...while it can be useful, the fixes are best run from your usual account (sorry, I should have been more explicit...).

Post by Navigator » August 22nd, 2006, 11:18 pm

Sorry, I need to add something to my last post...

Assuming that your usual account has ADMINISTRATOR privileges (different from the account NAMED administrator in safe mode)..

Does this make sense?

Post by Shaenaus » August 23rd, 2006, 12:16 am

I have been doing all the tests, etc, from within the Administrator account (CTRL-ALT-DEL twice to log into that account).

The problems have been occurring mainly in my son's user account, which has administrator privileges.

Which one should I run the scans from?

Post by Navigator » August 23rd, 2006, 3:58 pm

Running the scans from a certain account usually doesn't matter (although for some scans it does, so using the involved account is preferred), but the cleaning out of the temp files needs to be done in the involved account (and preferably all accounts).

After you are clean you should probably reconsider having your son's account maintaining administrator privileges unless you implicitly trust him to determine what is OK or not to install on your computer. As a matter of fact, some security experts recommend that if possible, anyone surfing the net do so from a 'limited' account, as that level of account will not allow some malware programs to install due to not having permission to do so (more on this later..I will give you references that address this issue).

Let's do the following temp file cleaning instructions in ALL involved accounts on your computer, and do them in safe mode:

Clean Temporary Files

  • Go to Start » Run » type: cleanmgr » OK.
  • Choose (C: ) and then click OK.
  • Make sure these are the only ones that are checked :

    • Temporary Internet Files
    • Temporary Files
    • Recycle Bin
  • Click OK to remove them.
  • Click Yes to confirm the deletion.


Then, run Ewido again, still in safe mode as we did previously.

After running Ewido, reboot normally into Windows and see if you are still having the problem with BitDefender finding the infected .tmp files. If you are still having this problem, run the Blacklight scan I asked for earlier.

Post by Shaenaus » August 23rd, 2006, 8:40 pm

Gday Navigator,

When I boot into Safe Mode, there are only three accounts displayed when normally there would be three more, i.e. there is "Administrator", plus two others. The missing accounts include my son's, which is having all the trouble with Adware.Trymedia.B.2.

If I go to Control Panel whilst in Safe Mode and then go to User Accounts, there are still three user accounts missing.

Any ideas?

Thanks,
Shane.

Post by Shaenaus » August 23rd, 2006, 9:22 pm

Disregard my last post. I figured it out.

Post by Navigator » August 23rd, 2006, 9:23 pm

Hello shane...

Are you sure your son's account has administrator privileges?

Only those accounts with administrator privileges can log in in safe mode:

http://support.microsoft.com/default.as ... -us;292742

I'm not sure why if his account has administrator privileges it would not be listed in safe mode, but I'll keep looking for an answer.

For now, I would clean out the temp files in normal mode for the three accounts not listed in safe mode, then clean out the temp files in safe mode for the two 'named' accounts and run Ewido in safe mode.

After rebooting back into normal windows after doing the above, run the Blacklight scan as I listed and post back with the Ewido log and the Blacklight log.

Post by Navigator » August 23rd, 2006, 9:24 pm

Shaenaus wrote: Disregard my last post. I figured it out.


Good!! :D

Post by Shaenaus » August 24th, 2006, 12:25 am

My son's account had administrator privileges but when he downloaded the demo game which caused us grief with the Adware, I changed it to a limited account which is why it wasn't showing up in Safe Mode.

What I have done is change every account to have administrator privileges whilst I am running the scans and then when we have gotten rid of the Adware I will change everyone's account (except mine) back to limited accounts if that's OK.

Post by Navigator » August 24th, 2006, 9:18 am

That's fine shane... :D