Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

log below for testaplus spyware problem ...

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Linkmaster » February 20th, 2006, 9:01 pm

Copy/paste the following quote box into a new notepad (not wordpad) document.

regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
notepad %systemdrive%\regkey.txt

Save it to your Desktop as regkey.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name:regkey.bat

Locate regkey.bat on your Desktop and double-click it. When notepad opens, copy/paste the content here. DONT delete c:\regkey.txt, it's a backup
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA
Advertisement
Register to Remove

notepad says ...

Unread postby ccinmfd » February 21st, 2006, 12:07 am

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

Unread postby Linkmaster » February 21st, 2006, 8:01 pm

Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

(Echo %DATE% %TIME%
If exist empty.hiv del empty.hiv
If not Exist "original bho key.txt" Echo Backing up original BHO KEY & regedit /a "original bho key.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
IF exist "original bho key.txt" Echo Backup Created Successfully
Echo.....
Echo Creating HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty
echo.....
Echo Saving HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty
Reg Save HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty Empty.hiv
echo.....
Echo Deleting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty /f
echo.....
Echo Replacing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects with empty hive
reg restore "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" empty.hiv

)>logit.txt 2>&1

Start logit.txt

If exist empty.hiv del empty.hiv

Save it to your Desktop as fixkey.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name:fixkey.bat

Locate fixkey.bat on your Desktop and double-click it. Please post logit.txt
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Logit notepad post, as requested ...

Unread postby ccinmfd » February 21st, 2006, 9:03 pm

Tue 02/21/2006 20:00:22.18
Backing up original BHO KEY
Backup Created Successfully
....
Creating HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty

The operation completed successfully
....
Saving HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty

The operation completed successfully
....
Deleting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty

The operation completed successfully
....
Replacing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects with empty hive

Error: Access is denied.
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

Unread postby Linkmaster » February 22nd, 2006, 10:07 pm

Create a folder on the desktop called Import. You can do this by right clicking on an empty space on the Desktop, select New folder from the popup menu and name it Import. Don't run anything in Import folder till I tell you.

Copy/paste the following text into a new Notepad document. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]


Save it in the new Import folder on your desktop as r.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: r.reg

The file must be called r.reg and has to be saved the Import folder to work.

Copy the following text to another new Notepad document. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.

'create a registry file named r.reg
'Put r.reg in the same folder as this script
'run the script to set a task which will
'then import r.reg with System Privileges in a minute

'Written by Mosaic1
'Use at your own risk

Dim Future, NewD ,Short,Location

set fso = Wscript.CreateObject("Scripting.FilesystemObject")
Set Wshshell = Wscript.CreateObject("Wscript.shell")

NewD = DateAdd("n" , 1, Now)
Future = FormatDateTime(NewD,3)

Set Location = fso.GetFile("r.reg")
Short = Location.ShortPath

Wshshell.run "Cmd.exe /c" & "At" & Chr(32) & Chr(34) & Future & Chr(34) & Chr(32) & "/Interactive regedit" & Chr(32) & Short ,vbhidden 'Set the task


MsgBox "Wait for Registry Confirmation." & vbcrlf & "This may take a minute." 'Alert the User

Set fso = nothing
Set Wshshell = nothing
Set Location = nothing

Save it in the new Import folder on your desktop as Import.vbs. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Import.vbs

Click Start then Run and type in services.msc and click Ok
Scroll down and double click on the service called Task Scheduler and set the Startup Type to Automatic if it isn't. Click Apply then click Ok.

Open the Import folder on your Desktop.
  • Watch the clock in your task bar.
  • When the minute turns over...
  • Double click Import.vbs
The application will appear to do nothing ... wait a minute and you should get a prompt asking you to merge the content of r.reg with the registry. Answer YES.

If your antivirus alerts you about the script, allow it to run. It is not malicious.

Reboot the PC and post a HijackThis log please
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

latest HiJackThis log file ...

Unread postby ccinmfd » February 25th, 2006, 12:04 pm

....

Logfile of HijackThis v1.99.1
Scan saved at 10:56:20 AM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\iPod\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe
c:\program files\common files\aol\1101774857\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\EA SPORTS\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_2 ... lashAX.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

Unread postby Linkmaster » February 25th, 2006, 12:15 pm

Well, that didn't work either!

Lets try another one :

Download and Install Registrar Registry Manager© by Resplendence Software Projects
Double click the Registrar Registry Manager icon on your desktop.
Copy the line below and paste it into the Address field (located at the top of the program) :

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Click the Go button.
On the right-hand side it will load all of your BHOs (you'll just see a bunch of numbers)
Locate the following entries: (be sure to match them EXACTLY)

{62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A}
{6537283D-964A-CBD4-C67B-7091E7AC8979}
{EBB4A740-CDEF-2FEA-7B76-BB8815E8A690}


Right click on each one separately and select Properties
Click the Permissions button and a new window will open.
Click the Advanced button
Place a checkmark next to the following:

'Inherit from parent the permission entries that apply to child objects...'

Click OK, OK again and rightclick on each of the following:

{62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A}
{6537283D-964A-CBD4-C67B-7091E7AC8979}
{EBB4A740-CDEF-2FEA-7B76-BB8815E8A690}


Choose Delete
Exit Registrar Registry Manager

Reboot and post a fresh HijackThis log here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

access denied ...

Unread postby ccinmfd » February 25th, 2006, 3:58 pm

OK ... I got to the stage where I right-clicked on the first of the three objects, which I found in the folder you pointed to, but I was denied access to "properties" with the error message:

5. Access is denied

if it's any help, inside the folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

... is found the three objects and an "AB (default)" file that is a "REG_SZ" type ...

... that's as far I got ... ccinmfd
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

Unread postby Linkmaster » February 26th, 2006, 9:57 am

OK, We tried !! Stubborn buggers !!

OK, we have another Method here (Thanks to Mosaic and Kimberly), so lets try it :

You may wish to print out a copy of these instructions to follow while you complete this procedure

Create a folder on the desktop called Import (Right click on an empty space on the Desktop, select New folder from the popup menu and name it Import)
Do Not run anything in Import folder till I tell you

Copy and Paste the text from the following Quote box into a new Notepad document. Make sure that wordwrap is turned off in notepad (Click Format at the top and uncheck wordwrap)

(Echo %DATE% %TIME%
If exist empty.hiv del empty.hiv
If not Exist "original bho key.txt" Echo Backing up original BHO KEY & regedit /a "original bho key.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
IF exist "original bho key.txt" Echo Backup Created Successfully
Echo.....
Echo Creating HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty
echo.....
Echo Saving HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty
Reg Save HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty Empty.hiv
echo.....
Echo Deleting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty /f
echo.....
Echo Replacing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects with empty hive
reg restore "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" empty.hiv

)>logit.txt 2>&1

If exist empty.hiv del empty.hiv


Save it in the new Import folder on your desktop as r.bat. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: r.bat
The file must be called r.bat and has to be saved the Import folder to work

Copy and Paste the text from the following Quote box into a new Notepad document. Make sure that wordwrap is turned off in notepad (Click Format at the top and uncheck wordwrap)

'create a file named r.bat
'Put r.bat in the same folder as this script
'run the script to set a task which will
'then run r.bat with System Privileges in a minute

'Written by Mosaic1
'Use at your own risk

Dim Future, NewD ,Short,Location ,batty

set fso = Wscript.CreateObject("Scripting.FilesystemObject")
Set Wshshell = Wscript.CreateObject("Wscript.shell")


NewD = DateAdd("n" , 1, Now)
Future = FormatDateTime(NewD,3)

Set Location = fso.GetFile("r.bat")
Short = Location.ShortPath

Wshshell.run "Cmd.exe /c" & "At" & Chr(32) & Chr(34) & Future & Chr(34) & Chr(32) & "/Interactive" & Chr(32) & Short ,vbhidden 'Set the task


MsgBox " Setup Done!"

Set fso = nothing
Set Wshshell = nothing
Set Location = nothing


Save it in the new Import folder on your desktop as Importbat.vbs. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Importbat.vbs

Click Start, Run and type in services.msc and click Ok
Scroll down and double click on the service called Task Scheduler and set the Startup Type to Automatic if it isn't
Click Apply then click Ok.

Open the Import folder on your Desktop.
*Watch the clock in your task bar.
*When the minute turns over...
*Double click Importbat.vbs
The application will appear to do nothing ... wait a minute and you should get a prompt.

If your antivirus alerts you about the script, allow it to run. It is not malicious.

Please post the content of logit.txt, located in the Import folder, here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

logit file ...

Unread postby ccinmfd » February 26th, 2006, 2:00 pm

Sun 02/26/2006 12:26:42.15
Backing up original BHO KEY
Backup Created Successfully
....
Creating HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty

The operation completed successfully
....
Saving HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty

The operation completed successfully
....
Deleting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\empty

The operation completed successfully
....
Replacing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects with empty hive

Error: Access is denied.
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

Unread postby Linkmaster » February 26th, 2006, 9:09 pm

Delete the r.bat file in the Import folder, we are going to create another !!

Copy and Paste the text from the following Quote box into a new Notepad document. Make sure that wordwrap is turned off in notepad (Click Format at the top and uncheck wordwrap)

(Echo %DATE% %TIME%
Echo Deleting {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A}
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A}" /f
echo.....
Echo Deleting {6537283D-964A-CBD4-C67B-7091E7AC8979}
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6537283D-964A-CBD4-C67B-7091E7AC8979}" /f
echo.....
Echo Deleting {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690}
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBB4A740-CDEF-2FEA-7B76-BB8815E8A690}" /f
echo.....
)>logit.txt 2>&1


Save it in the new Import folder on your desktop as r.bat. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: r.bat
The file must be called r.bat and has to be saved the Import folder to work

Click Start then Run and type in services.msc and click Ok
Scroll down and double click on the service called Task Scheduler and set the Startup Type to Automatic if it isn't. Click Apply then click Ok.

Open the Import folder on your Desktop.
  • Watch the clock in your task bar.
  • When the minute turns over...
  • Double click Importbat.vbs
The application will appear to do nothing ... wait a minute and you should get a prompt.

If your antivirus alerts you about the script, allow it to run. It is not malicious.

Please post the content of logit.txt located in the Import folder
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

... not running it correctly ...

Unread postby ccinmfd » February 27th, 2006, 12:55 am

... the fix hasn't worked liked the instructions yet ...

... I do all the steps, but no logit comes up unless I double-click the r.bat file, which I was not instructed to do but I did anyways after very little happened after I double-clicked the importbat.vbs file ... after double-clicking the importbat.vbs file, a small window comes up almost immediately and says, "Setup done" .... and I can wait 10 minutes and nothing else happens ...

... so, I double-clicked the r.bat file and the following logit file appeared in the Import folder:

Sun 02/26/2006 23:48:47.45
Deleting {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A}

Error: Access is denied.
....
Deleting {6537283D-964A-CBD4-C67B-7091E7AC8979}

Error: Access is denied.
....
Deleting {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690}

Error: Access is denied.
....

I must be doing something incorrectly ... ccinmfd
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

Unread postby Linkmaster » February 27th, 2006, 7:50 am

Thats Ok, lets try again with a slight modification :

Delete the r.bat file ONLY in the Import folder and empty your Recycle Bin

Copy/paste the following text into a new Notepad document. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.

(Echo %DATE% %TIME%
Echo Deleting {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A}
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A}" /f
echo.....
Echo Deleting {6537283D-964A-CBD4-C67B-7091E7AC8979}
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6537283D-964A-CBD4-C67B-7091E7AC8979}" /f
echo.....
Echo Deleting {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690}
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBB4A740-CDEF-2FEA-7B76-BB8815E8A690}" /f
echo.....
)>logit.txt 2>&1
start logit.txt


Save it in the new Import folder on your desktop as r.bat. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: r.bat

The file must be called r.bat and has to be saved the Import folder to work.

Open the Import folder on your Desktop.
  • Watch the clock in your task bar.
  • When the minute turns over...
  • Double click Importbat.vbs
You will get a prompt "Setup Done". The application will appear to do nothing ... wait a minute and logit.txt should open in Notepad.

If your antivirus alerts you about the script, allow it to run. It is not malicious.

Please post the content of logit.txt. If logit.txt does not open after 2 minutes, go into the Import folder and open logit.txt yourself.
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

results below ...

Unread postby ccinmfd » February 27th, 2006, 10:30 am

.... not what we wanted ... but at least this time the logit file did come up on its own ...

Mon 02/27/2006 9:21:00.43
Deleting {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A}

Error: Access is denied.
....
Deleting {6537283D-964A-CBD4-C67B-7091E7AC8979}

Error: Access is denied.
....
Deleting {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690}

Error: Access is denied.
....

... and not sure if this makes a difference, but when saving as a notepad file, there are four "encoding" choices in the "save as" window that include:
ANSI, Unicode, Unicode bid endian, and UTF-8 .... the default setting seems to be ANSI ... should I be saving as another encoding choice?? ccinmfd
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

... correction ...

Unread postby ccinmfd » February 27th, 2006, 10:31 am

... Unicode big endian ...
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 296 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware