WinMoviePlugIn


#76 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

Didn't get with Earthlink yet, but ran all the things you asked me to and also ran an HJT:

Logfile of HijackThis v1.99.1
Scan saved at 23:01, on 07-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120883553468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156023856312
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe

Will let you know the results after talking with Earthlink bods.

#77 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again Don

I don't see any malware, just one bit of clutter.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Click on Fix Checked when finished and exit HijackThis.

I will await Earthlink's verdict before looking elsewhere.

#78 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

They have given me a few things to try, and I'm not sold that they are going to work when I get home to try them... will let you know.

#79 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

Good news, bad news... good: I'm on my home PC, but I still need help with WinMoviePlugIn. Earthlink folks told me how to find them, but when I deleted the folder they still came back on the next scan.
Turns out that the Earthlink Protection Center (PCC) does have a report that states where the SpyWare is located:

Start Scan Session: 07-02-18 08:26
PCC Version: 2.0.8.20584
Spyware Engine: 2.3.08
Spyware Definition: 07-01-18
Virus Engine: 4.311.35
Virus Definition: 06-06-02

Begin Memory Scan:

Begin Service Scan:

Begin Master Boot-Record Scan

Begin Floppy Boot-Sector Scan

Begin Registry Scan:

Begin Cookie Scan:

Begin File Scan:

Spyware Scan Detected: SearchSquire
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchsquire.com

Spyware Scan Detected: CoolWebSearch
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmeup.com

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\trackhits.cc

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\vparivalka.com

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\tracktraff.cc

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\redfunny.com

Spyware Scan Detected: CoolWebSearch
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwebsearch.com

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\archiviosex.net

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\linkautomatici.com

Spyware Scan Detected: EliteMediaPopup
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com

Spyware Scan Detected: Transponder.Bolger
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net

End Scan Session: 07-02-18 08:26
=======================================================================

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\archiviosex.net
Action Taken: Failed to Quarantine

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\linkautomatici.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: CoolWebSearch
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwebsearch.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: Transponder.Bolger
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
Action Taken: Failed to Quarantine

Spyware Scan Detected: EliteMediaPopup
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: CoolWebSearch
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmeup.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\redfunny.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\tracktraff.cc
Action Taken: Failed to Quarantine

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\trackhits.cc
Action Taken: Failed to Quarantine

Spyware Scan Detected: SearchSquire
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchsquire.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\vparivalka.com
Action Taken: Failed to Quarantine

And here is what they asked me to do and the results: run with the word "regedit", go to the location, and in this case I used this one to start with:
Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\redfunny.com
Action Taken: Failed to Quarantine

and when I got to Domains there was only one item in the domain folder and it was not redfunny, and whatever it was I could not delete it, and they advised me to delete the domain folder, which I did, but the next time I ran the PCC scan it was still there and there is no more domains folder? Help, any ideas, or do we think these are not harmful... but I hate to see them each time I scan.

Edited by Don Stewart, 18 February 2007 - 11:08 AM.


#80 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello Don

I personally do not think for one minute that removing the keys will do anything but stop the security suite from throwing up what is, in my opinion, an over-reactive warning.

Please follow these instructions carefully.

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal. Your mouse pointer may turn to an hour glass for a minute. Please continue when it no longer has the hour glass.

Open Notepad, and copy everything inside the code box below (starting with REGEDIT4) and paste it into a new Notepad file. Change the "Save As Type" to "All Files". Save it as fixit.reg on your Desktop. Make sure there is NO blank line above REGEDIT4.

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchsquire.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmeup.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\trackhits.cc]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\vparivalka.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\tracktraff.cc]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\redfunny.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwebsearch.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\archiviosex.net]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\linkautomatici.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net]

Locate fixit.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

After it has merged successfully, reboot promptly and try the scan again.
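The scan log and the .reg fix from the posts above, as an added example (not the forum's or EarthLink's own tooling): it parses PCC detection records, lists what the scanner failed to quarantine or clean, and writes the REGEDIT4 deletion script following the same format rules Crustyoldbloke gives. The log excerpt is constructed from the thread; the ZoneMap Domains keys it flags are where Internet Explorer records which security zone a site has been placed in, so a scanner reporting them is reporting a browser-setting change rather than a running program, which is why the fix is a registry deletion.

```python
"""Parse the EarthLink Protection Control Center (PCC) scan log quoted in
this thread and generate the REGEDIT4 deletion script ("fixit.reg") for
every ZoneMap Domains key it reports.  Added example, not the forum's or
EarthLink's own tooling; SAMPLE_LOG is constructed from the posts."""
import re
from collections import OrderedDict

# Constructed excerpt in the PCC log layout shown in the thread: blank-line
# separated records of "<kind> Scan Detected: <name>" / "Location: <path>" /
# optional "Action Taken: <result>", with a second pass after the ==== rule.
SAMPLE_LOG = """\
Start Scan Session: 07-02-18 08:26
Begin Registry Scan:

Spyware Scan Detected: SearchSquire
Location: HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\searchsquire.com

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\redfunny.com

Virus Scan Detected: W32/Downloader.gen4
Location: C:\\Documents and Settings\\Compaq_Owner\\.housecall\\Quarantine\\8db11a04.exe.bac_a03000
Action Taken: Failed to Clean

End Scan Session: 07-02-18 08:26
=======================================================================

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\redfunny.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: SearchSquire
Location: HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\searchsquire.com
Action Taken: Failed to Quarantine
"""

ZONEMAP_BASE = (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion"
                r"\internet settings\zonemap\domains")
HEADER_RE = re.compile(r"^(Virus|Spyware) (Scan Detected|Quarantined): (.+)$")
ZONEMAP_RE = re.compile(r"^" + re.escape(ZONEMAP_BASE) + r"\\([^\\]+)$",
                        re.IGNORECASE)


def parse_pcc_log(text):
    """Split the log into detection records: kind, status, name, location, action."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes the current record
            if current is not None:
                records.append(current)
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:                             # new record (also closes an unterminated one)
            if current is not None:
                records.append(current)
            current = {"kind": m.group(1), "status": m.group(2),
                       "name": m.group(3), "location": None, "action": None}
        elif current is not None and line.startswith("Location: "):
            current["location"] = line[len("Location: "):]
        elif current is not None and line.startswith("Action Taken: "):
            current["action"] = line[len("Action Taken: "):]
        # Session headers, "Begin ... Scan:" lines and the ==== rule are ignored.
    if current is not None:
        records.append(current)
    return records


def zonemap_domains(records):
    """Unique domains flagged under ZoneMap (lower-cased, first-seen order),
    each mapped to the detection name the scanner gave it."""
    found = OrderedDict()
    for r in records:
        m = ZONEMAP_RE.match(r["location"] or "")
        if m:
            found.setdefault(m.group(1).lower(), r["name"])
    return found


def unresolved(records):
    """Detections the scanner could not quarantine or clean ("Action Taken: Failed ...")."""
    return [(r["name"], r["location"]) for r in records
            if r["action"] is not None and r["action"].startswith("Failed")]


def build_regedit4(domains):
    """Produce fixit.reg: 'REGEDIT4' must be the very first line (no blank
    line above it), then a blank line, then one [-key] entry per domain.
    A leading '-' inside the brackets deletes that key and everything under it."""
    lines = ["REGEDIT4", ""] + ["[-%s\\%s]" % (ZONEMAP_BASE, d) for d in domains]
    return "\r\n".join(lines) + "\r\n"   # CRLF line endings, the Windows .reg convention


if __name__ == "__main__":
    recs = parse_pcc_log(SAMPLE_LOG)
    for name, loc in unresolved(recs):
        print("not removed by PCC: %s at %s" % (name, loc))
    print(build_regedit4(zonemap_domains(recs)))
```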

#81 Don Stewart (Member, Topic Starter, 239 posts)
Started to do your instructions manually, now logging back onto my home PC so I can copy and paste... will be back with you shortly.

#82 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

No change, and in fact I now have 16 instead of 11. Two new ones are Dyfuca.InternetOptimizer and one in RED, W32/Downloader.gen4. Wow!
Actually, still scanning...

#83 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

Here's the results of the latest PCC scan:

=======================================================================
Start Scan Session: 07-02-18 11:30
PCC Version: 2.0.8.20584
Spyware Engine: 2.3.08
Spyware Definition: 07-02-14
Virus Engine: 4.311.35
Virus Definition: 07-02-15

Begin Memory Scan:

Begin Service Scan:

Begin Master Boot-Record Scan

Begin Floppy Boot-Sector Scan

Begin Registry Scan:

Begin Cookie Scan:

Begin File Scan:

Virus Scan Detected: W32/Downloader.gen4
Location: C:\Documents and Settings\Compaq_Owner\.housecall\Quarantine\8db11a04.exe.bac_a03000
Action Taken: Failed to Clean

Virus Scan Detected: W32/Downloader.gen4
Location: C:\Documents and Settings\Compaq_Owner\.housecall\Quarantine\h91746.exe.bac_a03000
Action Taken: Failed to Clean

Spyware Scan Detected: Dyfuca.InternetOptimizer
Location: C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][1].txt

Spyware Scan Detected: EliteMediaPopup
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\redfunny.com

Spyware Scan Detected: CoolWebSearch
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmeup.com

Spyware Scan Detected: Transponder.Bolger
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\archiviosex.net

Spyware Scan Detected: CoolWebSearch
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwebsearch.com

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\linkautomatici.com

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\vparivalka.com

Spyware Scan Detected: DoubleClick
Location: C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][1].txt

Spyware Scan Detected: EliteMediaPopup
Location: C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][2].txt

Spyware Scan Detected: SearchSquire
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchsquire.com

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\trackhits.cc

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\tracktraff.cc

End Scan Session: 07-02-18 11:48
=======================================================================

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\archiviosex.net
Action Taken: Failed to Quarantine

Spyware Scan Detected: Transponder.Bolger
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
Action Taken: Failed to Quarantine

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\linkautomatici.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: CoolWebSearch
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwebsearch.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: EliteMediaPopup
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: CoolWebSearch
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmeup.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: WinMoviePlugin
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\redfunny.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: SearchSquire
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchsquire.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\trackhits.cc
Action Taken: Failed to Quarantine

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\vparivalka.com
Action Taken: Failed to Quarantine

Spyware Scan Detected: SpywareQuake
Location: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\tracktraff.cc
Action Taken: Failed to Quarantine

Virus Quarantined: W32/Downloader.gen4
Location: C:\Documents and Settings\Compaq_Owner\.housecall\Quarantine\8db11a04.exe.bac_a03000

Virus Quarantined: W32/Downloader.gen4
Location: C:\Documents and Settings\Compaq_Owner\.housecall\Quarantine\h91746.exe.bac_a03000

Spyware Quarantined: EliteMediaPopup
Location: C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][2].txt

Spyware Quarantined: Dyfuca.InternetOptimizer
Location: C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][1].txt

#84 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello Don

Please go to User Accounts in the Control Panel and create a new account with ADMIN status.

Reboot and logon as the new ID.

As before, back up the registry.

Run the regedit4 fix again from that account.

Did that remove the registry keys?

------------------------------------------------------------------------

How come your PC is OK on the internet now? What did you have to do?

but when I deleted the folder they still came back next scan

What folder is this?

and when I got to Domains there was only one item in the domain folder and it was not redfunny and whatever it was I could not delete it and they advised me to delete the domain folder which I did, but the next time I ran the PCC scan it was still there and there is no more domains folder?????? Help any ideas or do we think these are not harmful....but I hate to see them each time I scan.

If you right click on the registry key and choose PERMISSIONS, is your account included? If not, include it now.

Do I understand you correctly when you say that you cannot actually find those keys by navigating via regedit?

#85 Don Stewart (Member, Topic Starter, 239 posts)
Phil,

Do I need to run another scan (REGEDIT4) or use the last one to paste into notepad, just to see if it works?

How come your PC is OK on the internet now? What did you have to do? They had me Reset web settings and that worked.

but when I deleted the folder they still came back next scan
What folder is this? Folder was "domains"

I'm included under Permissions.

Do I understand you correctly when you say that you cannot actually find those keys by navigating via regedit?

Are "keys" the final path? If so, yes, I can't see them... could they be hidden keys?

#86 Don Stewart (Member, Topic Starter, 239 posts)
Can't remember how to do a REGEDIT4?

#87 Don Stewart (Member, Topic Starter, 239 posts)
Phil,
They are still there, but PCC did delete the two new ones!

#88 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
This is a copy of the regedit4 from a couple of posts ago.

Please run this from your new ID that should have ADMIN status.

Please follow these instructions carefully.

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal. Your mouse pointer may turn to an hour glass for a minute. Please continue when it no longer has the hour glass.

Open Notepad, and copy everything inside the code box below (starting with REGEDIT4) and paste it into a new Notepad file. Change the "Save As Type" to "All Files". Save it as fixit.reg on your Desktop. Make sure there is NO blank line above REGEDIT4.

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchsquire.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmeup.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\trackhits.cc]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\vparivalka.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\tracktraff.cc]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\redfunny.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwebsearch.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\archiviosex.net]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\linkautomatici.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net]

Locate fixit.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

After it has merged successfully, reboot promptly and try the scan again.

#89 Don Stewart (Member, Topic Starter, 239 posts)
Phil... off to a class

No change when I run the above process you gave me.
Earthlink had me run a Norton virus scan to fix the same errors and it found 3 items (none of the original); two I was able to find and delete... can you help me find the third? C:\RECYCLER\S-1-5-21-4139845522- (and a lot more numbers) followed by \Dc.cpl is infected with WinFixer.

#90 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again

The file dc.cpl is a new one on me. The file extension cpl is Control Panel. The cpl files normally reside in the C:\windows\system32\ folder. If it has been deleted, it will be in the C:\RECYCLER\ folder.

To remove the entries from C:\RECYCLER, right click the Recycle Bin and select Empty Recycle Bin.

But if you now have Norton Antivirus, then it will have made a folder named NPROTECT; you might not simply be able to delete the files of that folder because they are Norton protected files. The only way to delete this folder, NPROTECT, is to START > RUN > type in CMD and hit ENTER; a DOS box will open. At the command prompt, type:

del \\?\c:\recycler\nprotect\*.*

That folder will then be deleted. The rest of the Recycler files and folders can be removed by emptying the Recycle Bin of the different user accounts, if you have different accounts on your PC.

-----------------------------------------------------------------------

It is possible that the Earthlink Protection programme is either seeing corrupted keys or is displaying a ghost item. It is a familiar phenomenon that no one has a good explanation for. Normally if you uninstall the programme seeing the ghosts, reboot and reinstall, it gets cured. I expect this is why Earthlink have advised you to use Norton, although it wouldn't be my choice of AV.

If the keys do exist, then this fix will delete them. If they do not exist, it will provide an error code advising.

This is the fix. Please note you need to substitute your name, as it appears in your PC's path to the file, into the area which says "YOUR NAME" in the script below.

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy ALL THE TEXT contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Programs to launch on reboot:
C:\Documents and Settings\YOUR NAME\Desktop\fixit.reg

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger programme by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • Upon reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy & paste the content of c:\avenger.txt into your reply, along with a fresh HJT log from normal mode, by using Add Reply.