Can't remove Adware / Spyware

Unread postby askey127 » August 28th, 2005, 7:02 pm

matrix,

Don't even think of it.
If you already did it, tell me.
I'm working on what's next.

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby matrix » August 28th, 2005, 7:38 pm

No, I didn't do it ...
matrix
Regular Member
Posts: 28
Joined: August 25th, 2005, 3:01 pm

Unread postby askey127 » August 28th, 2005, 8:46 pm

matrix,
I am assuming that (1) neither of the last two logs shows the
Reg key with the empty CLSIDs, AND (2) both logs show no new files in C:\Windows\system32\.
I can't tell for sure about the second log, since it was cut off.

If the above is true, proceed like this. Print this out, because you cannot access it in SAFE mode. Also, you should not have another file open while ewido is running.
-----------------------------------------------------------
Download WinPFind from here: http://www.bleepingcomputer.com/files/winpfind.php and extract it to your C:\ folder.
This will create a folder called WinPFind in the C:\ folder.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list.
In some systems, this may be the F5 key, so try that if F8 doesn't work.
Extra instructions are here if you need them.
-----------------------------------------------------------
Close all open windows/programs/folders. Have NOTHING else open while ewido performs its scan!
If you open explorer or control panel while running, re-infections will occur.
Now Run Ewido
* Click on scanner
* Click on Settings
* Under "How to scan" all boxes should be selected
* Under "Possibly unwanted software" all boxes should be selected
* Under "What to scan" select scan every file
* Click OK
* Click on Complete system scan
* Let the program scan the machine
* If ewido finds anything, it will pop up a notification.
NOTE: We have been finding some cases of false positives with the new version of Ewido, so you need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. I will let you know if ewido needs to be run again.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report
* Save the report to your desktop
* Exit ewido
STAY IN SAFE MODE.
-----------------------------------------------------------
Inside c:\WinPFind is a file called WinPFind.exe.
Double-click on this file to launch the program.
Once it is launched, click on the Start Scan button and wait for it to finish.
This program will scan large amounts of files on your computer for known patterns,
so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

When it is done, it will show the results of the scan.
It saves a file called WinPFind.txt in the originating folder.

After you reboot,
paste the contents of the log into your reply along with the Ewido log.

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby matrix » August 29th, 2005, 1:31 am

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:00:12 AM, 8/29/2005
+ Report-Checksum: 125405FF

+ Scan result:

C:\Documents and Settings\John Doe\Cookies\john doe@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\John Doe\Cookies\john doe@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup


::Report End




WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 6/4/2005 10:01:28 AM 597716 C:\WINDOWS\del.tmp
UPX! 4/13/2005 1:19:36 AM 1036800 C:\WINDOWS\vsapi32.dll
aspack 4/13/2005 1:19:36 AM 1036800 C:\WINDOWS\vsapi32.dll
Umonitor 8/22/2005 2:41:34 PM 316416 C:\WINDOWS\vx2cleaner.dlx
ZepMon 8/22/2005 2:41:34 PM 316416 C:\WINDOWS\vx2cleaner.dlx
ad-w-a-r-e.com 8/22/2005 2:41:34 PM 316416 C:\WINDOWS\vx2cleaner.dlx

Checking %System% folder...
SAHAgent 8/1/2005 11:57:08 PM 35 C:\WINDOWS\SYSTEM32\0acihjvk.ini
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 8/29/2002 6:00:00 AM 6989 C:\WINDOWS\SYSTEM32\py.exe
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 8/25/2005 12:24:42 PM 3092 C:\WINDOWS\SYSTEM32\sdugmv52.ini
UPX! 1/20/2005 1:47:50 PM 175616 C:\WINDOWS\SYSTEM32\strings.exe
SAHAgent 8/1/2005 11:57:04 PM 35 C:\WINDOWS\SYSTEM32\tg4dpdl4.ini
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/28/2005 11:29:52 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
8/27/2005 9:18:48 PM S 64 C:\WINDOWS\CSC\00000001
8/27/2005 9:02:26 PM S 64 C:\WINDOWS\CSC\00000002
8/28/2005 6:27:42 PM H 0 C:\WINDOWS\INF\oem10.inf
8/28/2005 8:31:56 PM RHS 305145 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_18.cab
8/28/2005 8:36:16 PM RHS 68327 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_19.cab
7/8/2005 4:23:18 PM S 12143 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
6/30/2005 9:06:34 AM S 11437 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
6/30/2005 1:42:18 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
6/30/2005 2:21:10 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
6/30/2005 8:46:18 AM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
8/28/2005 11:29:42 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
8/28/2005 11:30:12 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
8/28/2005 11:29:54 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
8/28/2005 11:34:26 PM H 86016 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
8/28/2005 11:30:00 PM H 991232 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
8/28/2005 7:18:40 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
8/23/2005 12:22:22 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\46ab6185-6843-4598-9f5d-b7a31a1bb56c
8/23/2005 12:22:22 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
8/28/2005 10:51:14 PM HS 210 C:\WINDOWS\Tasks\RUTASK.job
8/28/2005 11:29:04 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation 1/3/2003 12:43:28 PM 798720 C:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
5/24/2002 12:45:48 PM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\NWC.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 6:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 10:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 4/9/2003 11:13:02 PM 81920 C:\WINDOWS\SYSTEM32\STAC97.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\DLLCACHE\main.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\DLLCACHE\ncpa.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\DLLCACHE\nwc.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\DLLCACHE\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2003 5:15:02 PM 910 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
5/16/2005 7:35:38 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/3/2002 2:36:04 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 2:26:20 PM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 2:36:04 PM HS 84 C:\Documents and Settings\John Doe\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
5/16/2005 7:32:30 AM 1558 C:\Documents and Settings\John Doe\Application Data\AdobeDLM.log
9/3/2002 2:26:20 PM HS 62 C:\Documents and Settings\John Doe\Application Data\DESKTOP.INI
5/16/2005 7:32:30 AM 0 C:\Documents and Settings\John Doe\Application Data\dm.ini
8/25/2005 11:36:16 AM H 79713 C:\Documents and Settings\John Doe\Application Data\ptads.bin
8/25/2005 12:35:02 PM 98 C:\Documents and Settings\John Doe\Application Data\Sskdmns.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gyxqnqkq
{861392c9-a929-4bb1-826c-069ab69e8f4b} = C:\WINDOWS\System32\daabn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = C:\Program Files\Google\GoogleToolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : C:\Program Files\Google\GoogleToolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\DateBar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : C:\Program Files\Google\GoogleToolbar1.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Apoint C:\Program Files\Apoint\Apoint.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
DwlClient C:\Program Files\Common Files\Dell\EUSW\Support.exe
<HTML> <HEAD> <TITLE>HTTP Proxy Report</TITLE> </HEAD> <BODY bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000"> <table width=100% cellpadding=4 cellspacing=0> <tr bgcolor="#7FBA00" valign=bottom> <td valign=bottom><center> <font face="tahoma, arial" size=+2 color="white"> <b>HTTP Proxy Report</b> </font> </td> </tr> <tr bgcolor="#F5F8DF"> <td valign=bottom><center> <font face="tahoma, arial" color="darkblue"> <b>The proxy server has encountered a c:\WINDOWS\System32\<HTML> <HEAD> <TITLE>HTTP Proxy Report</TITLE> </HEAD> <BODY bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000"> <table width=100% cellpadding=4 cellspacing=0> <tr bgcolor="#7FBA00" valign=bottom> <td valign=bottom><center> <font face="tahoma, arial" size=+2 color="white"> <b>HTTP Proxy Report</b> </font> </td> </tr> <tr bgcolor="#F5F8DF"> <td valign=bottom><center> <font face="tahoma, arial" color="darkblue"> <b>The proxy server has encountered an er
function redirec c:\WINDOWS\System32\function redirect(){
var strT c:\WINDOWS\System32\var strTemp;
var strP c:\WINDOWS\System32\var strPort;
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Winzip Archiver Winzip32.exe
top.location.replace(strTe c:\WINDOWS\System32\top.location.replace(strTemp);
<a href="http://landing.domainsponsor.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com< c:\WINDOWS\System32\<a href="http://landing.domainsponsor.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com</a>.
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
ps3h3qP ntpace.exe
vptray C:\Program Files\NavNT\vptray.exe
ATIModeChange Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<HTML> <HEAD> <TITLE>HTTP Proxy Report</TITLE> </HEAD> <BODY bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000"> <table width=100% cellpadding=4 cellspacing=0> <tr bgcolor="#7FBA00" valign=bottom> <td valign=bottom><center> <font face="tahoma, arial" size=+2 color="white"> <b>HTTP Proxy Report</b> </font> </td> </tr> <tr bgcolor="#F5F8DF"> <td valign=bottom><center> <font face="tahoma, arial" color="darkblue"> <b>The proxy server has encountered a c:\WINDOWS\System32\<HTML> <HEAD> <TITLE>HTTP Proxy Report</TITLE> </HEAD> <BODY bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000"> <table width=100% cellpadding=4 cellspacing=0> <tr bgcolor="#7FBA00" valign=bottom> <td valign=bottom><center> <font face="tahoma, arial" size=+2 color="white"> <b>HTTP Proxy Report</b> </font> </td> </tr> <tr bgcolor="#F5F8DF"> <td valign=bottom><center> <font face="tahoma, arial" color="darkblue"> <b>The proxy server has encountered an er
function redirec c:\WINDOWS\System32\function redirect(){
var strT c:\WINDOWS\System32\var strTemp;
var strP c:\WINDOWS\System32\var strPort;
top.location.replace(strTe c:\WINDOWS\System32\top.location.replace(strTemp);
<a href="http://landing.domainsponsor.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com< c:\WINDOWS\System32\<a href="http://landing.domainsponsor.com/?a_id=761&domainname=beneditutti.com&adultfilter=off">Click here to go to beneditutti.com</a>.
Wdik C:\WINDOWS\System32\?hkdsk.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoWindowsUpdate 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
junpxco C:\WINDOWS\System32\junpxco.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
LowRiskFileTypes .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoWindowsUpdate 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate
DisableWindowsUpdateAccess 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\System32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/29/2005 1:10:30 AM
matrix
Regular Member
Posts: 28
Joined: August 25th, 2005, 3:01 pm
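The WinPFind log above ends with the Run keys that a helper reads first when checking for new loaders in C:\Windows\System32. As an added example that is not part of this thread and not code from WinPFind or Ewido, the following Python script parses the Run-key section of a WinPFind-style log and separates entries that deserve a human look from the rest: values that hold HTML instead of a command path, bare executable names with no directory, characters that cannot occur in a Windows path, and vowel-less value names. The sample log is constructed for the example and modelled on the entries posted above (the long HTML line is shortened); the checks are review prompts, not verdicts, since legitimate vendor entries are sometimes registered as a bare file name too.

```python
"""Triage the Run-key section of a WinPFind-style log (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample in WinPFind's "[key]" / "name value" layout, modelled on
# the thread's log and embedded so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Apoint C:\Program Files\Apoint\Apoint.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Winzip Archiver Winzip32.exe
<HTML> <HEAD> <TITLE>HTTP Proxy Report</TITLE> c:\WINDOWS\System32\<HTML> <HEAD>
ps3h3qP ntpace.exe
ATIModeChange Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Wdik C:\WINDOWS\System32\?hkdsk.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]\s*$")
RUN_KEY_RE = re.compile(r"\\Run(Once|Services|ServicesOnce)?$")
# Where the command value begins: a (possibly quoted) drive-letter path, an
# %ENV% path, stray markup, or a bare executable name with no directory.
VALUE_START_RE = re.compile(
    r'"?[A-Za-z]:\\|"?%[A-Za-z]+%|<|\S+\.(?:exe|dll|com|bat|cmd|scr)\b',
    re.IGNORECASE,
)
INVALID_PATH_CHARS = set("<>|?*")
VOWELS = set("aeiouyAEIOUY")


@dataclass
class RunEntry:
    key: str
    name: str
    value: str
    reasons: list = field(default_factory=list)


def parse_run_entries(log_text):
    """Return a RunEntry for every line listed under a ...\\Run* registry key."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if not line or key is None or not RUN_KEY_RE.search(key):
            continue
        vm = VALUE_START_RE.search(line)
        if vm:  # split "name value" at the first path-like token
            name, value = line[:vm.start()].strip(), line[vm.start():].strip()
        else:
            name, value = line, ""
        entries.append(RunEntry(key, name, value))
    return entries


def triage_run_entries(log_text):
    """Return only the Run entries that merit review, each with its reasons."""
    findings = []
    for e in parse_run_entries(log_text):
        unquoted = e.value.replace('"', "")
        if not e.name or "<" in e.value:
            e.reasons.append("non-path data in Run value (corrupted or injected entry)")
        else:
            if not re.match(r"^(?:[A-Za-z]:\\|%)", unquoted):
                e.reasons.append("bare file name with no directory; resolved via the "
                                 "search path, confirm which file actually loads")
            bad = INVALID_PATH_CHARS & set(unquoted)
            if bad:
                e.reasons.append("characters invalid in a Windows path: " + "".join(sorted(bad)))
        # Weak signal only: generated names often have no vowels at all.
        if re.fullmatch(r"[A-Za-z0-9]{5,}", e.name) and not (set(e.name) & VOWELS):
            e.reasons.append("value name has no vowels (possible generated name)")
        if e.reasons:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_LOG):
        print(f"{f.name!r} -> {f.value[:60]!r}")
        for r in f.reasons:
            print("   -", r)
```

Entries whose value is a full drive-letter or %ENV% path with a plausible name (Apoint, QuickTime Task) produce no finding; the remaining ones come out in log order so the output can be pasted back into a reply for the person being helped.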

Unread postby askey127 » August 29th, 2005, 10:54 am

matrix,
I've noticed that you've concurrently posted your log in, and are getting help in another forum.
This seems to have compounded the cleanup for us here.
What we need to do is stick with one forum, where we can focus and monitor the steps and results of the cleanup.
We do, as a community, support each other and the associated forums, but generally don't overlap the cleanup work by having a victim's log worked on in multiple forums; there are just too many other victims out there that need our attention.
If you would like to continue the cleanup here, please inform the helper(s) at the other forum(s) that you are currently getting help here and let me know.
Otherwise this thread will be closed.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby matrix » August 29th, 2005, 12:43 pm

Sorry, I had no idea that it would be an issue.

The problem is that I have to send the laptop back to the user tomorrow and I was just trying to get as much help as I could in the shortest time possible.

I would appreciate it if you could still help.

Thank you in advance.
matrix
Regular Member
Posts: 28
Joined: August 25th, 2005, 3:01 pm

Unread postby Nellie2 » August 29th, 2005, 4:43 pm

The help provided here is free, our helpers put a lot of their own time, unpaid, into helping people get their computers back to a clean and usable state. We also try to educate the users so that they will be able to surf the internet in safety.

Please give your client the url of this forum and we will be happy to help and to educate.

This thread is now closed.
Nellie2
Administrator Emeritus
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK