worm.win32netbooster [RESOLVED]


  • This topic is locked

#1
jillsusan

  • Member
  • 145 posts
Yesterday my desktop was hijacked and I received a spyware alert warning that says I have worm.win32netbooster, and I need to remove it immediately.... I also get window security alerts, warning me of someone on the internet trying to attack/infect my computer.

I tried to rid them from my pc through my spy sweeper protection & the virus, if that is what it is, would not let me do so.
The warnings constantly appear every few minutes.

My spy sweeper has found a trojan horse: trojan-ace-x
I have quarantined it. :)

...can anyone help me...? Will this infection only get worse....? :)

My webroot spy sweeper is blocking the site 77.91.228.183

Edited by jillsusan, 01 April 2008 - 09:15 AM.

  • 0


#2
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\


Regards,
RatHat
  • 0

#3
jillsusan

  • Topic Starter
  • Member
  • 145 posts
RatHat, you're very fast!

I did as you asked.
I did not get an extra.txt to send to you.
I only got the main.txt.
I saved the main.txt on my desktop.
-jill


Deckard's System Scanner v20071014.68
Run by mommy on 2008-04-01 12:50:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as mommy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:42 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Common Files\AOL\1136594310\ee\AOLSoftware.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mommy\Local Settings\Temporary Internet Files\Content.IE5\EB6XG5ON\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mommy.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1136594310\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrayServer] "C:\Program Files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [smileycons] C:\Program Files\Smileycons\smileycons.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [IncrediMail] "C:\PROGRA~1\INCRED~1\bin\IncMail.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKLM\..\Policies\Explorer\Run: [RC5biAf298] C:\Documents and Settings\All Users\Application Data\vgnyfqza\pqnylqxk.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O21 - SSODL: PrxSrv - {12cdd1d1-1e23-40f0-86a5-bac159192895} - (no file)
O21 - SSODL: vbgtorfd - {D2726346-6F98-4F49-804D-6B22C4CD4D07} - C:\WINDOWS\vbgtorfd.dll
O21 - SSODL: dwnrpofk - {BC3518A8-2FA3-40B5-80AE-15B4171FED37} - C:\WINDOWS\dwnrpofk.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://www.news.ch/n...199-gamache.jpg
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6875 bytes

-- Files created between 2008-03-01 and 2008-04-01 -----------------------------

2008-03-28 15:51:49 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-03-28 15:51:49 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-03-28 15:51:49 4096 --a------ C:\WINDOWS\system32taack.exe
2008-03-28 15:51:49 4096 --a------ C:\WINDOWS\system32taack.dat
2008-03-28 15:51:49 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-03-28 15:51:49 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-03-28 15:51:49 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-03-28 15:51:49 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-03-28 15:51:49 4096 --a------ C:\WINDOWS\a.bat
2008-03-28 15:51:48 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-03-28 15:51:48 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-03-28 15:51:48 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-03-28 15:51:48 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-03-28 15:51:48 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-03-28 15:51:48 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-03-28 15:51:48 0 d-------- C:\Documents and Settings\Stephy\Desktopvirii
2008-03-28 15:51:47 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-03-28 15:51:47 0 d-------- C:\WINDOWS\system32smp
2008-03-28 15:51:47 4096 --a------ C:\WINDOWS\system32netode.exe
2008-03-28 15:51:47 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-03-28 15:51:47 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-03-28 15:51:47 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-03-28 15:51:47 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-03-28 15:51:46 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-03-28 15:51:46 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-03-28 15:51:45 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-03-28 15:51:44 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-03-28 15:51:44 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-03-28 15:51:44 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-03-28 15:51:44 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-03-28 15:51:44 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-03-28 15:51:44 4096 --a------ C:\WINDOWS\[email protected]@@k.dll
2008-03-28 15:51:44 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-03-28 15:51:43 4096 --a------ C:\Documents and Settings\Stephy\Desktopfilemanagerclient.exe
2008-03-28 15:51:42 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-03-28 15:51:42 4096 --a------ C:\WINDOWS\system32thun.dll
2008-03-28 15:51:42 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-03-28 15:51:42 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-03-28 15:51:42 4096 --a------ C:\Documents and Settings\Stephy\DesktopFWebdEditor.exe
2008-03-28 15:51:42 4096 --a------ C:\Documents and Settings\Stephy\Desktopfwebd.exe
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\winsystem.exe
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\system32bdn.com
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\mssecu.exe
2008-03-28 15:51:41 4096 --a------ C:\WINDOWS\bdn.com
2008-03-28 15:51:40 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-03-28 15:51:40 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-03-28 15:51:39 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-03-28 15:50:47 106496 --a------ C:\WINDOWS\system32\gjolizmp.exe
2008-03-28 15:50:39 0 d-------- C:\Documents and Settings\Stephy\Application Data\PC-Antispyware
2008-03-28 13:07:54 0 d-------- C:\Program Files\PC-Antispyware
2008-03-27 20:20:15 221184 --a------ C:\WINDOWS\vbgtorfd.dll
2008-03-27 20:20:15 200704 --a------ C:\WINDOWS\qvdntlmw.dll
2008-03-27 20:20:15 323584 --a------ C:\WINDOWS\dwnrpofk.dll
2008-03-27 20:17:43 0 d-------- C:\Documents and Settings\All Users\Application Data\vgnyfqza
2008-03-27 20:17:42 90112 --a------ C:\WINDOWS\system32\vuhovsfa.exe


-- Find3M Report ---------------------------------------------------------------

2008-03-31 17:28:03 0 d-------- C:\Program Files\Plaxo
2008-02-26 15:40:32 1618 --a------ C:\Documents and Settings\mommy\Application Data\wklnhst.dat
2008-02-23 22:13:05 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-09 15:00:41 0 d-------- C:\Program Files\Coupons
2008-02-08 13:55:24 0 d-------- C:\Program Files\Google
2008-02-08 11:24:32 0 d-------- C:\Documents and Settings\mommy\Application Data\Google
2008-02-06 11:39:19 0 d-------- C:\Program Files\Common Files
2008-02-05 23:00:43 0 d-------- C:\Program Files\Java
2008-02-05 20:41:18 164 --a------ C:\install.dat
2008-02-05 01:19:35 0 d-------- C:\Program Files\Virtual Earth 3D
2008-02-05 01:17:08 0 d-------- C:\Program Files\QuickTime
2008-02-05 01:13:16 0 d-------- C:\Program Files\Messenger
2008-02-05 01:09:22 0 d-------- C:\Program Files\iTunes
2008-02-04 21:40:05 0 d-------- C:\Program Files\Trend Micro


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}]
03/28/2008 01:08 PM 176128 --------- C:\Program Files\PC-Antispyware\IeExtension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [02/17/2004 05:51 PM]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [02/17/2004 05:51 PM]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [02/17/2004 05:50 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1136594310\ee\AOLSoftware.exe" [05/09/2006 07:24 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 11:59 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"TrayServer"="C:\Program Files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe" [10/04/2006 03:41 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 09:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Aim6"="" []
"smileycons"="C:\Program Files\Smileycons\smileycons.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"DW4"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM]
"IncrediMail"="C:\PROGRA~1\INCRED~1\bin\IncMail.exe" [10/09/2007 01:02 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]

C:\Documents and Settings\mommy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 9:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
.protected [3/28/2008 10:41:17 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"RC5biAf298"=C:\Documents and Settings\All Users\Application Data\vgnyfqza\pqnylqxk.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbgtorfd"= {D2726346-6F98-4F49-804D-6B22C4CD4D07} - C:\WINDOWS\vbgtorfd.dll [03/27/2008 12:40 PM 221184]
"dwnrpofk"= {BC3518A8-2FA3-40B5-80AE-15B4171FED37} - C:\WINDOWS\dwnrpofk.dll [03/27/2008 12:40 PM 323584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\SETUP.EXE
configure\command- D:\SETUP.EXE
install\command- D:\SETUP.EXE




-- End of Deckard's System Scanner: finished at 2008-04-01 12:51:07 ------------
  • 0

#4
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, let's get to work!

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU.zip on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
Right Click HERE and choose Save Target As, in Firefox, Right Click and choose Save Link As.
Save it to the BFU folder you just created.

Whilst you are still in the BFU folder;
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select Adware.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • On completion, allow the computer to be rebooted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I expect that you are going to need to re-download DSS again, as I see it running from a temp folder, and we have cleaned them out.
So download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, in your next post please include:
  • The MBAM log
  • The contents of Combofix.txt
  • The two DSS logs, main and extra text (which you should have now if you saved DSS to your desktop)

Use two posts if you need to, and the logs are long OK.

Regards,
RatHat
  • 0
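
Added example (not part of the original thread and not any poster's tooling): a small triage pass over HijackThis lines like those in the log in post #3, including the "running from a temp folder" observation made above. The rules, the function name `triage` and the assumed Windows directory `C:\WINDOWS` are illustrative assumptions; a flagged line is a prompt for review, not a verdict.

```python
import ntpath
import re

# Lines excerpted from the HijackThis log posted in this thread (post #3).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\mommy\Local Settings\Temporary Internet Files\Content.IE5\EB6XG5ON\dss[1].exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Policies\Explorer\Run: [RC5biAf298] C:\Documents and Settings\All Users\Application Data\vgnyfqza\pqnylqxk.exe
O21 - SSODL: PrxSrv - {12cdd1d1-1e23-40f0-86a5-bac159192895} - (no file)
O21 - SSODL: vbgtorfd - {D2726346-6F98-4F49-804D-6B22C4CD4D07} - C:\WINDOWS\vbgtorfd.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path on the line that ends in a file type we care about.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|com|bat|htm|html)\b)', re.I)

WINDOWS_DIR = r"c:\windows"  # assumption: default XP install location
TEMP_MARKERS = ("\\temporary internet files\\", "\\temp\\")


def triage(log_text):
    """Return a list of dicts for log lines that match a review heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        # Lines without an O-code are treated as the running-process list.
        code, body = (m.group(1), m.group(2)) if m else ("PROC", line)
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else None
        if code == "PROC" and path is None:
            continue  # section header such as "Running processes:"

        low_body = body.lower()
        low_path = path.lower() if path else ""
        reasons = []

        # Heuristic 1: anything executing or loading from a temp/cache folder.
        if any(marker in low_path for marker in TEMP_MARKERS):
            reasons.append("runs from a temp/cache folder")

        if code == "O4":
            # Heuristic 2: autostart through the Policies\Explorer\Run key.
            if "policies\\explorer\\run" in low_body:
                reasons.append("autostart via Policies\\Explorer\\Run")
            # Heuristic 3: autostart target stored in a data directory.
            if "\\application data\\" in low_path:
                reasons.append("autostart target under Application Data")

        if code == "O21":
            # Heuristic 4: SSODL entry with no file, or a DLL sitting
            # directly in the Windows root rather than system32.
            if "(no file)" in low_body:
                reasons.append("orphaned SSODL entry (no file)")
            elif path and ntpath.dirname(path).lower() == WINDOWS_DIR:
                reasons.append("SSODL DLL loaded from the Windows root")

        # Heuristic 5: Active Desktop component rendering a local HTML file.
        if code == "O24" and "file:///" in low_body:
            reasons.append("desktop component points at a local HTML file")

        if reasons:
            target = ntpath.basename(path) if path else body
            findings.append({"code": code, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f'{item["code"]:>4}  {item["target"]}: {"; ".join(item["reasons"])}')
```

Note that the first heuristic also flags `dss[1].exe`, the diagnostic tool itself launched from the browser cache, which is why such findings need a human read before anything is removed.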

#5
jillsusan

  • Topic Starter
  • Member
  • 145 posts
You said: whilst you are still in the bfu folder start the brute force uninstaller by doubleclicking bfu.exe.. Where is the bfu.exe? I have downloaded the bfu successfully but don't see the bfu.exe.
  • 0

#6
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
Now see if you can see the bfu.exe file and also Adware.bfu which should be in the same folder.
  • 0

#7
jillsusan

  • Topic Starter
  • Member
  • 145 posts
I have the adware.bfu...file on my desktop and this is what's in it... There was only one item to uncheck in my computer file and that was the Hide protected operating system files (recommended) option. I am not feeling very confident about this...


# For use with Merijn's Brute Force Uninstaller
# available from http://www.merijn.org/

# Adware.bfu
# Version 1.0.14
# Date: 01/04/08
# Written by RatHat
# With thanks to Metallica

OptionOnDeleteFailUseReboot

OptionSetStatus Killing Processes & Unloading dll's.....

# Start killing Miscellaneous Processes & DLL's

DllUnregister \emlkdvo.dll|1
DllUnregister \egodktf.dll|1
DllUnregister \dopfwrlgwx.dll|1
DllUnregister \ensfolr.dll|1
DllUnregister \toprates.dll|1
DllUnregister \dxpvqlmqng.dll|1
DllUnregister \dxpvqlmgtv.dll|1
DllUnregister \domnftwqpd.dll|1
DllUnregister \winload.dll|1
DllUnregister \voipwet.dll|1
DllUnregister \vipextmst.dll|1
DllUnregister \alxvdvm.dll|1
DllUnregister \ampkfst.dll|1
DllUnregister \aslpmqk.dll|1
DllUnregister \asvdnmo.dll|1
DllUnregister \aswmklt.dll|1
DllUnregister \bgntlvo.dll|1
DllUnregister \bklgvsf.dll|1
DllUnregister \bqxomdo.dll|1
DllUnregister \bvtqfvx.dll|1
DllUnregister \bxsnvqt.dll|1
DllUnregister \gormet.dll|1
DllUnregister \jetctrl.dll|1
DllUnregister \kopmet.dll|1
DllUnregister \leorop.dll|1
DllUnregister \nopzet.dll|1
DllUnregister \pmkret.dll|1
DllUnregister \emlkdvo.dll|1
DllUnregister \dopfwrlgwx.dll|1
DllUnregister \ensfolr.dll|1
DllUnregister \toprates.dll|1
DllUnregister \dxpvqlmqng.dll|1
DllUnregister \dmdqdrxpsr.dll|1
DllUnregister \domnftwqpd.dll|1
DllUnregister \winload.dll|1
DllUnregister \vipextmst.dll|1
DllUnregister \voipwet.dll|1
DllUnregister \hdtip.dll|1
DllUnregister \werbetgxd.dll|1
DllUnregister \sdrmod.dll|1
DllUnregister \blopenvkgq.dll|1
DllUnregister \retnsrp.dll|1
DllUnregister \ttvbonsgr.dll|1
DllUnregister \adsoowf.dll|1
DllUnregister \leosrv.dll|1
DllUnregister \dpvtporrdw.dll|1
DllUnregister \elfwgps.dll|1
DllUnregister \emotrlq.dll|1
DllUnregister \bdmnopx.dll|1
DllUnregister \admggxp.dll|1
DllUnregister \dntpkwolsv.dll|1
DllUnregister \ekxdvft.dll|1
DllUnregister \dmdvpnsop.dll|1
DllUnregister \dopfwrlgfm.dll|1
DllUnregister \dpvtporfgp.dll|1
DllUnregister \ddwlxtqdpn.dll|1
DllUnregister \enqvwkp.dll|1
DllUnregister \agrlmvp.dll|1
DllUnregister \bmlvqkn.dll|1
DllUnregister \nsduo.dll|1
DllUnregister \msmhost.dll|1
DllUnregister \duocore.dll|1
DllUnregister \mxduo.dll|1
DllUnregister \wmpenv.dll|1
DllUnregister \wmpconf.dll|1
DllUnregister \bfrgnos.dll|1
DllUnregister \dwrmntsdnq.dll|1
DllUnregister \edfqvrw.dll|1
DllUnregister \afxlspw.dll|1
DllUnregister \dmdvpnslp.dll|1
DllUnregister \dgtxrdfxlw.dll|1
DllUnregister \alofkmn.dll|1
DllUnregister \bxlrvps.dll|1
DllUnregister \ekvgsnw.dll|1
DllUnregister \dgtxrdfntw.dll|1
DllUnregister \dgtxrdfmng.dll|1
DllUnregister \apdqnxp.dll|1
DllUnregister \btrklfr.dll|1
DllUnregister \dkxrstqwkx.dll|1
DllUnregister \enlfxgw.dll|1
DllUnregister \dkxrstqvql.dll|1
DllUnregister \dkxrstqglq.dll|1
DllUnregister \altvxvm.dll|1
DllUnregister \bokpkov.dll|1
DllUnregister \etlrlws.dll|1
DllUnregister \zip.dll|1
DllUnregister \drnpfdxrfs.dll|1
DllUnregister \drnpfdxrgq.dll|1
DllUnregister \drnpfdxfgd.dll|1
DllUnregister \vbgtorfd.dll|1
DllUnregister \dwnrpofk.dll|1
DllUnregister \qvdntlmw.dll|1

ProcessKill %PROGRAMFILES%\antiviirus.exe|0
ProcessKill %ALLUSERSAPPDATA%\vgnyfqza\pqnylqxk.exe|0

# Start killing FizzleWizzle/CoolBar Processes & DLL's

DllUnregister \iefwbar.dll|1
DllUnregister \coolbar.dll|1

# Start killing NetSky Processes & DLL's

OptionUnloadShell
ProcessKill %WINDIR%\Jammer2nd.exe|0
ProcessKill %WINDIR%\csrss.exe|0
ProcessKill %WINDIR%\wserver.exe|0
ProcessKill %WINDIR%\MsnMsgrs.exe|0
ProcessKill %WINDIR%\winlogon.exe|0
ProcessKill %WINDIR%\svchost.exe|0
ProcessKill %WINDIR%\avpguard.exe|0
ProcessKill %WINDIR%\AVBgle.exe|0
ProcessKill %WINDIR%\FVProtect.exe|0
ProcessKill %WINDIR%\SysMonXP.exe|0
ProcessKill %WINDIR%\PandaAVEngine.exe|0
ProcessKill %WINDIR%\EasyAV.exe|0
ProcessKill %WINDIR%\VisualGuard.exe|0
ProcessKill %WINDIR%\FirewallSvr.exe|0
ProcessKill %WINDIR%\EasyAV.exe|0
ProcessKill %WINDIR%\EastAV.exe|0
ProcessKill %WINDIR%\fqspogw.exe|0

# Start killing Fun Web Products Processes & DLL's

ProcessKill \mwsoemon.exe|1

# Start Killing Brilliant Digital Processes & DLL's

OptionUnloadShell
ProcessKill \bdeviewer.exe|0
ProcessKill \bdeclean.exe|1

DllUnregister \bdeengine2.dll|1
DllUnregister \BDEimage.dll|1
DllUnregister \bdeplayer2.dll|0
DllUnregister \bdedetect1.dll|1
DllUnregister \bde3d_ref2.dll|1
DllUnregister \bdedata2.dll|1
DllUnregister \bdedownloader.dll|1
DllUnregister \bdefdi.dll|1
DllUnregister \bdeinsta2.dll|1
DllUnregister \bdeload.dll|1
DllUnregister \BDERastDx6_30002.dll|1
DllUnregister \BDERastMMX_30001.dll|1
DllUnregister \BDESac10.dll|1
DllUnregister \BDESac24.dll|1

OptionSetStatus Cleaning Registry Entries.....

# Remove Any Restrictions

RegDelValue HKCU\software\microsoft\windows\currentversion\policies\system|DisableTaskMgr
RegDelValue HKCU\software\microsoft\windows\currentversion\policies\system|DisableRegistryTools
RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableCMD
RegSetDwordValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Hidden|1
RegSetDwordValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|HideFileExt|0
RegSetDwordValue HKCU\software\microsoft\windows\currentversion\policies\explorer|NoRun|0
RegSetDwordValue HKCU\software\microsoft\windows\currentversion\policies\explorer|NoFolderOptions|0
RegSetDwordValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSetTaskbar|0

RegSetDwordValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Hidden|1
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|HideFileExt|0
RegSetDwordValue HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate|DoNotAllowXPSP2|0
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer|NoFind|0
RegSetDwordValue HKLM\software\microsoft\windows\currentversion\policies\explorer|NoFolderOptions|0


# Clean Registry Entries Seen Bundled With Netsky

RegDelValueIfDataContainsText HKCU\Software\Microsoft\Internet Explorer\Main|Search|softwarereferral|0
RegDelValueIfDataContainsText HKCU\Software\Microsoft\Internet Explorer\Main|Start Page|softwarereferral|0
RegDelValueIfDataContainsText HKCU\Software\Microsoft\Internet Explorer\Main|Search Bar|myway.com|0

RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{47906C8A-7A72-45A8-AA59-0CEC20BD3B36}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{45E9CE94-2C67-4230-92D0-E64ACD6EBA7F}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{45E9CE94-2C67-4230-92D0-E64ACD6EBA7F}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{3723900A-B26F-40EC-B606-B7B37132B83F}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{3723900A-B26F-40EC-B606-B7B37132B83F}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{A972081B-E5FE-45E4-BE29-856D23403C4F}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A972081B-E5FE-45E4-BE29-856D23403C4F}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{3FD92B49-9C06-4EBA-9580-056159561908}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{3FD92B49-9C06-4EBA-9580-056159561908}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{224E1433-F086-4BB1-B791-AF87F7629D93}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{224E1433-F086-4BB1-B791-AF87F7629D93}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{382C8A97-BFEF-47B5-9770-87C4DE651E37}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{382C8A97-BFEF-47B5-9770-87C4DE651E37}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{16A0662E-AC21-4AD9-89E8-7495AC5ACE93}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{521A5897-9EA7-43B4-A51D-B4C11D67BEEF}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{521A5897-9EA7-43B4-A51D-B4C11D67BEEF}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{9EF873D0-0259-4D2A-AA60-F61FA5B28FE8}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{9EF873D0-0259-4D2A-AA60-F61FA5B28FE8}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{573E45AC-F20E-4DAF-AF6C-0775714BA0C1}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{573E45AC-F20E-4DAF-AF6C-0775714BA0C1}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{13EDA0D4-F00D-43B9-8EF2-6313909D3143}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{13EDA0D4-F00D-43B9-8EF2-6313909D3143}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{940EBD8D-A3B7-44F9-A850-F60E76BE3B22}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{940EBD8D-A3B7-44F9-A850-F60E76BE3B22}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{7D787886-3B24-401C-A7BC-AF950A1C3CAC}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7D787886-3B24-401C-A7BC-AF950A1C3CAC}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{5B22CFDE-D43C-4F5C-8F6D-A20C959B85F7}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{5B22CFDE-D43C-4F5C-8F6D-A20C959B85F7}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{339074ED-B124-4693-AC31-6BCC08B76030}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{339074ED-B124-4693-AC31-6BCC08B76030}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{6805E89A-2BD3-44B7-8B13-3278155F5D5E}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{6805E89A-2BD3-44B7-8B13-3278155F5D5E}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{7C54D75A-5D72-48B0-BE95-50350CD87A38}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7C54D75A-5D72-48B0-BE95-50350CD87A38}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{2106BEDE-F5E8-4DE8-A081-A7E5EAD1529B}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{2106BEDE-F5E8-4DE8-A081-A7E5EAD1529B}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{7B1E78A2-2FC8-4947-A9D1-5177D10B38E6}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7B1E78A2-2FC8-4947-A9D1-5177D10B38E6}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{BFAA078B-58E2-4E6C-BD54-BA2A5C6DA153}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{BFAA078B-58E2-4E6C-BD54-BA2A5C6DA153}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{1817219B-D6DC-450A-B913-41F12BC05019}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{1817219B-D6DC-450A-B913-41F12BC05019}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{00C1B214-1408-4F51-90AE-7EDAC2FAC36E}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{00C1B214-1408-4F51-90AE-7EDAC2FAC36E}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{FFB13247-794A-4E4F-8B97-937F906013D1}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{FFB13247-794A-4E4F-8B97-937F906013D1}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{B2F479AD-17DE-4F73-B844-7CF69003B916}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{B2F479AD-17DE-4F73-B844-7CF69003B916}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{60570909-486A-4609-B7AE-CBCAA3831168}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{60570909-486A-4609-B7AE-CBCAA3831168}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{CBBF7BAC-D39B-4FC2-930E-8C2F6C73B45F}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{CBBF7BAC-D39B-4FC2-930E-8C2F6C73B45F}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{C37757F5-7FB4-4273-B3BE-E81667449196}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{C37757F5-7FB4-4273-B3BE-E81667449196}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{C5C1C68B-79A3-461B-BF41-410CF67FABB4}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{C5C1C68B-79A3-461B-BF41-410CF67FABB4}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{A133882E-2F89-47A3-A01C-8FA1D04B8E57}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A133882E-2F89-47A3-A01C-8FA1D04B8E57}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{71EEB25C-DAB0-4675-8264-31391E46335B}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{71EEB25C-DAB0-4675-8264-31391E46335B}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{BEBA880D-1A1B-4A56-8E9F-1D488AA6CE80}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{BEBA880D-1A1B-4A56-8E9F-1D488AA6CE80}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{576A0968-A5A3-4772-81B8-171E9F2032D9}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{576A0968-A5A3-4772-81B8-171E9F2032D9}

RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{5415A533-17B1-4A38-B3CA-70AEEF8C41AC}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5415A533-17B1-4A38-B3CA-70AEEF8C41AC}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{038F228B-EED3-4A87-A565-F88FC99EBA91}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{038F228B-EED3-4A87-A565-F88FC99EBA91}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{5085333B-FD15-4754-A571-852F7077C5F2}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5085333B-FD15-4754-A571-852F7077C5F2}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{3DAF1739-AB9E-493E-8DD7-F65CDF363BCB}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3DAF1739-AB9E-493E-8DD7-F65CDF363BCB}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{5C28ED27-37BE-40EA-9AEB-FCC19F72682F}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C28ED27-37BE-40EA-9AEB-FCC19F72682F}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{87EF7048-8905-4E82-862E-65004D4DFA80}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87EF7048-8905-4E82-862E-65004D4DFA80}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{986F4076-F780-4FD2-93C7-6A8C9DAFD7B0}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{986F4076-F780-4FD2-93C7-6A8C9DAFD7B0}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{1AC7107A-938F-4347-864C-C51E49EC586E}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AC7107A-938F-4347-864C-C51E49EC586E}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{2B159383-78BB-4D21-A799-95AABC81ACED}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B159383-78BB-4D21-A799-95AABC81ACED}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{059947A2-838E-4773-9EE2-8AB8F53C2EDE}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{059947A2-838E-4773-9EE2-8AB8F53C2EDE}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{31DE3194-C748-48BB-B620-2D0156B5E1AD}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31DE3194-C748-48BB-B620-2D0156B5E1AD}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{5F1F01A9-4013-4C28-90E9-8C50F03B5E37}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F1F01A9-4013-4C28-90E9-8C50F03B5E37}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{F08487B1-AFEC-45CF-B2E9-D05DEE137D22}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F08487B1-AFEC-45CF-B2E9-D05DEE137D22}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{83CDEF6B-98D2-4C60-84FC-00C44606A4F8}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83CDEF6B-98D2-4C60-84FC-00C44606A4F8}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{56F043F0-CD47-47AE-B459-416A07545CA1}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F043F0-CD47-47AE-B459-416A07545CA1}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{A8565FBC-8D53-4D4F-9BB0-CBC68A22B126}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8565FBC-8D53-4D4F-9BB0-CBC68A22B126}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{BC165164-78D0-4209-A878-8E6692C768FF}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC165164-78D0-4209-A878-8E6692C768FF}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{FC516858-0D83-408E-9A76-B16DD182ADAA}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC516858-0D83-408E-9A76-B16DD182ADAA}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{D79A1DFF-DF93-4AE0-851C-A1F8CA9C78F5}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D79A1DFF-DF93-4AE0-851C-A1F8CA9C78F5}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{F9FFA9CB-C9C9-42D5-8F4D-CFA33D45D572}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9FFA9CB-C9C9-42D5-8F4D-CFA33D45D572}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{E48B3E0C-2D23-4249-BE65-23A8719284E3}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E48B3E0C-2D23-4249-BE65-23A8719284E3}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{98B55BD1-39BB-4446-895D-BF6A7A23CE70}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98B55BD1-39BB-4446-895D-BF6A7A23CE70}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{4BF7B3BF-B8B5-439D-A9EB-9272CB92186F}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4BF7B3BF-B8B5-439D-A9EB-9272CB92186F}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{65990097-F699-4216-9270-80572B89D23F}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65990097-F699-4216-9270-80572B89D23F}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8FC29A8D-F29D-477E-B428-0F942E23A960}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{E587DEAB-947E-4BF0-8439-BDC82913A9AE}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E587DEAB-947E-4BF0-8439-BDC82913A9AE}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{208D7BCC-9857-4C9E-823B-D04E72490A67}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{208D7BCC-9857-4C9E-823B-D04E72490A67}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{76F30661-76C7-48CD-B18E-64F388AE030B}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76F30661-76C7-48CD-B18E-64F388AE030B}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{6FFDE480-14C1-43FC-BEC1-CA97A2541FFD}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FFDE480-14C1-43FC-BEC1-CA97A2541FFD}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{81F4697D-617D-40B4-85BA-C7684D9BC543}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81F4697D-617D-40B4-85BA-C7684D9BC543}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{E3FB9237-4475-437B-8C10-299097A8C0A8}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3FB9237-4475-437B-8C10-299097A8C0A8}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{858D0A33-C1E1-48BE-AF1D-7FC2088651FD}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{858D0A33-C1E1-48BE-AF1D-7FC2088651FD}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{7B6C5DCC-59DE-407C-933D-DEBC2CEFC394}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B6C5DCC-59DE-407C-933D-DEBC2CEFC394}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{CD6E6FC0-7BED-4DE5-B37E-FB7CF0A567DF}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD6E6FC0-7BED-4DE5-B37E-FB7CF0A567DF}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{83BA32CB-81AD-44A3-A0BE-9924A258931C}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83BA32CB-81AD-44A3-A0BE-9924A258931C}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{6BF442E4-D165-46BD-B4B9-D6A69F1C20BA}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BF442E4-D165-46BD-B4B9-D6A69F1C20BA}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{4A7A1FA6-EA33-48B7-AC8C-8E036244F665}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A7A1FA6-EA33-48B7-AC8C-8E036244F665}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{31BE1B95-DE72-41F3-A6AD-3E38648CA2D8}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31BE1B95-DE72-41F3-A6AD-3E38648CA2D8}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{505087B6-49F1-4B75-853B-47BD7BF30A30}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{505087B6-49F1-4B75-853B-47BD7BF30A30}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{4FF50038-E6E1-4085-B5B4-C4BB10871498}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4FF50038-E6E1-4085-B5B4-C4BB10871498}

RegDelValue HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks|{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
RegDelValue HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks|{87766247-311C-43B4-8499-3D5FEC94A183}

RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|alxvdvm
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|ampkfst
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|aslpmqk
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|asvdnmo
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|aswmklt
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bgntlvo
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bklgvsf
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bqxomdo
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bvtqfvx
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bxsnvqt
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|gormet
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|jetctrl
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|kopmet
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|leorop
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|nopzet
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|pmkret
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|afxlspw
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bfrgnos
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bdmnopx
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|admggxp
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|admgcx
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bdmanager
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bgrlsmn
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|adsoowf
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|agrlmvp
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bmlvqkn
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|msmhost
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|wmpenv
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|wmpconf
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|alofkmn
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bxlrvps
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|btrklfr
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|apdqnxp
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|bokpkov
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|altvxvm
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|zip
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|vbgtorfd
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|dwnrpofk

RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|OneMoreKey
RegDelValueIfDataContainsText HKCU\\software\microsoft\internet explorer\desktop\components\1|Source|privacy_danger
RegDelValueIfDataContainsText HKCU\\software\microsoft\internet explorer\desktop\components\1|FriendlyName|Privacy Protection

# Clean Security Toolbar Registry Changes

RegDeleteKey HKCR\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}
RegDeleteKey HKCR\clsid\{23ed2206-856d-461a-bbcf-1c2466ac5ae3}
RegDeleteKey HKCR\clsid\{736b5468-bdad-41be-92d0-22ae2ddf7bcb}
RegDeleteKey HKCR\clsid\{a95b2816-1d7e-4561-a202-68c0de02353a}

RegDeleteKey HKCU\software\microsoft\internet explorer\toolbar\webbrowser|{11a69ae4-fbed-4832-a2bf-45af82825583}
RegDeleteKey HKCU\software\microsoft\internet explorer\toolbar\webbrowser|{23ed2206-856d-461a-bbcf-1c2466ac5ae3}
RegDeleteKey HKLM\software\microsoft\internet explorer\toolbar|{11a69ae4-fbed-4832-a2bf-45af82825583}
RegDeleteKey HKLM\software\microsoft\internet explorer\toolbar|{23ed2206-856d-461a-bbcf-1c2466ac5ae3}
RegDeleteKey HKLM\software\microsoft\internet explorer\toolbar|{736b5468-bdad-41be-92d0-22ae2ddf7bcb}
RegDeleteKey HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{a95b2816-1d7e-4561-a202-68c0de02353a}


# Clean FizzleWizzle/CoolBar Registry Changes

RegDeleteKey HKCR\clsid\{2342db04-08ce-4cf6-976d-bd9efa960efb}
RegDeleteKey HKCR\clsid\{9056a11f-5ea6-4a67-bde9-8d3c7c453dac}
RegDeleteKey HKCR\clsid\{92f02779-6d88-4958-8ad3-83c12d86adc7}
RegDeleteKey HKCR\fizzlebar.clsdockwindow
RegDeleteKey HKCR\fizzlebar.clsfwbar
RegDeleteKey HKCR\interface\{3116ed38-8599-4261-8f81-f43266ffaaff}
RegDeleteKey HKCR\interface\{36a89c39-da76-49d6-98f8-0cbec6b8b352}
RegDeleteKey HKCR\typelib\{549ad254-492d-42b5-8909-34f14348d4bc}
RegDeleteKey HKLM\software\fwbar2
RegDeleteKey HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{7d6bec01-15e2-46f0-8ed3-d715de09a8f9}
RegDeleteKey HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{9056a11f-5ea6-4a67-bde9-8d3c7c453dac}
RegDeleteKey HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{2AF8CED6-5BD8-4310-A90C-9664EFB16B10}

RegDelValue HKLM\software\microsoft\internet explorer\toolbar|{92f02779-6d88-4958-8ad3-83c12d86adc7}
RegDelValue HKLM\software\microsoft\internet explorer\toolbar|{A49AA76F-7215-4F80-97D6-9A7E16A5FEE1}


# Clean NetSky Registry Changes

RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BagleAV
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|EasyAV
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|FirewallSvr
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ICQ Net
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Jammer2nd
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MSInfo
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MsnMsgr
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|My AV
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NetDy
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Norton Antivirus AV
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|PandaAVEngine
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SysMonXP
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wserver
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Zone Labs Client Ex
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|EastAV
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|RC5biAf298

# Clean FunWebProducts Registry Changes

RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|My Web Search Bar
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MyWebSearch Email Plugin

RegDeleteKey HKCR\FunWebProducts.HTMLMenu
RegDeleteKey HKCR\FunWebProducts.HTMLMenu.1
RegDeleteKey HKCR\FunWebProducts.HTMLMenu.2
RegDeleteKey HKCR\FunWebProducts.HistoryKillerScheduler
RegDeleteKey HKCR\FunWebProducts.HistoryKillerScheduler.1
RegDeleteKey HKCR\FunWebProducts.HistorySwatterControlBar
RegDeleteKey HKCR\FunWebProducts.HistorySwatterControlBar.1
RegDeleteKey HKCR\FunWebProducts.IECookiesManager
RegDeleteKey HKCR\FunWebProducts.IECookiesManager.1
RegDeleteKey HKCR\FunWebProducts.KillerObjManager
RegDeleteKey HKCR\FunWebProducts.KillerObjManager.1
RegDeleteKey HKCR\FunWebProducts.PopSwatterBarButton
RegDeleteKey HKCR\FunWebProducts.PopSwatterBarButton.1
RegDeleteKey HKCR\FunWebProducts.PopSwatterSettingsControl
RegDeleteKey HKCR\FunWebProducts.PopSwatterSettingsControl.1
RegDeleteKey HKCR\FunWebProductsInstaller.Start
RegDeleteKey HKCR\FunWebProductsInstaller.Start.1
RegDeleteKey HKCR\FunWebProducts.BrowserOverlayBarButton
RegDeleteKey HKCR\FunWebProducts.BrowserOverlayBarButton.1
RegDeleteKey HKCR\FunWebProducts.BrowserOverlayEmbed
RegDeleteKey HKCR\FunWebProducts.BrowserOverlayEmbed.1
RegDeleteKey HKCR\FunWebProducts.DataControl
RegDeleteKey HKCR\FunWebProducts.DataControl.1
RegDeleteKey HKCR\FunWebProducts.ShellViewControl
RegDeleteKey HKCR\FunWebProducts.ShellViewControl.1
RegDeleteKey HKCR\MTSScreenSaverControl.ScreenSaverInstaller
RegDeleteKey HKCR\MyWayToolBar.NetscapeShutdown
RegDeleteKey HKCR\MyWayToolBar.NetscapeShutdown.1
RegDeleteKey HKCR\MyWayToolBar.NetscapeStartup
RegDeleteKey HKCR\MyWayToolBar.NetscapeStartup.1
RegDeleteKey HKCR\MyWayToolBar.SettingsPlugin
RegDeleteKey HKCR\MyWayToolBar.SettingsPlugin.1
RegDeleteKey HKCR\MyWebSearch.HTMLPanel
RegDeleteKey HKCR\MyWebSearch.HTMLPanel.1
RegDeleteKey HKCR\MyWebSearch.OutlookAddin
RegDeleteKey HKCR\MyWebSearch.OutlookAddin.1
RegDeleteKey HKCR\MyWebSearch.PseudoTransparentPlugin
RegDeleteKey HKCR\MyWebSearch.PseudoTransparentPlugin.1
RegDeleteKey HKCR\MyWebSearchToolBar.SettingsPlugin
RegDeleteKey HKCR\MyWebSearchToolBar.SettingsPlugin.1
RegDeleteKey HKCR\MyWebSearch.ChatSessionPlugin
RegDeleteKey HKCR\MyWebSearch.ChatSessionPlugin.1
RegDeleteKey HKCR\MyWebSearchToolBar.ToolbarPlugin
RegDeleteKey HKCR\MyWebSearchToolBar.ToolbarPlugin.1
RegDeleteKey HKCR\ScreenSaverControl.ScreenSaverInstaller
RegDeleteKey HKCR\ScreenSaverConntrol.ScreenSaverInstaller.1

RegDeleteKey HKCR\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}
RegDeleteKey HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
RegDeleteKey HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
RegDeleteKey HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
RegDeleteKey HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}
RegDeleteKey HKCR\CLSID\{0F8ECF4F-3646-4C3A-8881-8E138FFCAF70}
RegDeleteKey HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
RegDeleteKey HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}
RegDeleteKey HKCR\CLSID\{25560540-9571-4D7B-9389-0F166788785A}
RegDeleteKey HKCR\CLSID\{2EFF3CF7-99C1-4c29-BC2B-68E057E22340}
RegDeleteKey HKCR\CLSID\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8}
RegDeleteKey HKCR\CLSID\{3E720452-B472-4954-B7AA-33069EB53906}
RegDeleteKey HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}
RegDeleteKey HKCR\CLSID\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}
RegDeleteKey HKCR\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}
RegDeleteKey HKCR\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}
RegDeleteKey HKCR\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}
RegDeleteKey HKCR\CLSID\{84DA4FDF-A1CF-4195-8688-3E961F505983}
RegDeleteKey HKCR\CLSID\{8E6F1832-9607-4440-8530-13BE7C4B1D14}
RegDeleteKey HKCR\CLSID\{938AA51A-996C-4884-98CE-80DD16A5C9DA}
RegDeleteKey HKCR\CLSID\{98D9753D-D73B-42D5-8C85-4469CDA897AB}
RegDeleteKey HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
RegDeleteKey HKCR\CLSID\{9FF05104-B030-46FC-94B8-81276E4E27DF}
RegDeleteKey HKCR\CLSID\{A6573479-9075-4A65-98A6-19FD29CF7374}
RegDeleteKey HKCR\CLSID\{A9571378-68A1-443d-B082-284F960C6D17}
RegDeleteKey HKCR\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}
RegDeleteKey HKCR\CLSID\{B813095C-81C0-4E40-AA14-67520372B987}
RegDeleteKey HKCR\CLSID\{C9D7BE3E-141A-4C85-8CD6-32461F3DF2C7}
RegDeleteKey HKCR\CLSID\{CFF4CE82-3AA2-451F-9B77-7165605FB835}
RegDeleteKey HKCR\CLSID\{D778513B-1C40-4819-B0C5-49E40B39AFD0}
RegDeleteKey HKCR\CLSID\{D9FFFB27-D62A-4D64-8CEC-1FF006528805}
RegDeleteKey HKCR\CLSID\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612}

RegDeleteKey HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}
RegDeleteKey HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}
RegDeleteKey HKCR\Interface\{1093995A-BA37-41D2-836E-091067C4AD17}
RegDeleteKey HKCR\Interface\{120927BF-1700-43BC-810F-FAB92549B390}
RegDeleteKey HKCR\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}
RegDeleteKey HKCR\Interface\{1F52A5FA-A705-4415-B975-88503B291728}
RegDeleteKey HKCR\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}
RegDeleteKey HKCR\Interface\{2763E333-B168-41A0-A112-D35F96F410C0}
RegDeleteKey HKCR\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}
RegDeleteKey HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
RegDeleteKey HKCR\Interface\{38A7C9DA-8DB7-4D0F-A7B1-C4B1A305BDDB}
RegDeleteKey HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}
RegDeleteKey HKCR\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}
RegDeleteKey HKCR\Interface\{3E720451-B472-4954-B7AA-33069EB53906}
RegDeleteKey HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}
RegDeleteKey HKCR\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}
RegDeleteKey HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}
RegDeleteKey HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}
RegDeleteKey HKCR\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A}
RegDeleteKey HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
RegDeleteKey HKCR\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}
RegDeleteKey HKCR\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}
RegDeleteKey HKCR\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}
RegDeleteKey HKCR\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}
RegDeleteKey HKCR\Interface\{8D292EC0-6792-4A38-82ED-73A087E41BA6}
RegDeleteKey HKCR\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}
RegDeleteKey HKCR\Interface\{991AAC62-B100-47CE-8B75-253965244F69}
RegDeleteKey HKCR\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}
RegDeleteKey HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}
RegDeleteKey HKCR\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}
RegDeleteKey HKCR\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}
RegDeleteKey HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}
RegDeleteKey HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}
RegDeleteKey HKCR\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}
RegDeleteKey HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}
RegDeleteKey HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}
RegDeleteKey HKCR\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}

RegDeleteKey HKCR\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA}
RegDeleteKey HKCR\TypeLib\{0D26BC71-A633-4E71-AD31-EADC3A1B6A3A}
RegDeleteKey HKCR\TypeLib\{29D67D3C-509A-4544-903F-C8C1B8236554}
RegDeleteKey HKCR\TypeLib\{3E720450-B472-4954-B7AA-33069EB53906}
RegDeleteKey HKCR\TypeLib\{621FEACD-8857-43A6-AE26-451D670D5370}
RegDeleteKey HKCR\TypeLib\{7473D290-B7BB-4F24-AE82-7E2CE94BB6A9}
RegDeleteKey HKCR\TypeLib\{8CA01F0E-987C-49C3-B852-2F1AC4A7094C}
RegDeleteKey HKCR\TypeLib\{8E6F1830-9607-4440-8530-13BE7C4B1D14}
RegDeleteKey HKCR\TypeLib\{98635087-3F5D-418F-990C-B1EFE0797A3B}
RegDeleteKey HKCR\TypeLib\{C8CECDE3-1AE1-4C4A-AD82-6D5B00212144}
RegDeleteKey HKCR\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D}
RegDeleteKey HKCR\TypeLib\{E79DFBC0-5697-4FBD-94E5-5B2A9C7C1612}
RegDeleteKey HKCR\TypeLib\{F42228FB-E84E-479E-B922-FBBD096E792C}

RegDeleteKey HKCR\MIME\Database\Content Type\application/x-f3embed

RegDeleteKey HKCR\Software\Excite
RegDeleteKey HKCR\Software\Fun Web Products
RegDeleteKey HKCR\Software\MyWebSearch

RegDeleteKey HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
RegDeleteKey HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D}
RegDeleteKey HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
RegDeleteKey HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Search

RegDeleteKey HKCU\Software\Excite
RegDeleteKey HKCU\Software\Fun Web Products
RegDeleteKey HKCU\Software\MyWebSearch

RegDeleteKey HKLM\SOFTWARE\Microsoft Office\Outlook Addins\MyWebSearch.OutlookAddin
RegDeleteKey HKLM\SOFTWARE\Microsoft Office\Word Addins\MyWebSearch.OutlookAddin
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3E720452-B472-4954-B7AA-33069EB53906}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07B18EAB-A523-4961-B6BB-170DE4475CCA}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExciteInstaller
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FunWebProductsInstaller
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Global Search Uninstall
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall
RegDeleteKey HKLM\SOFTWARE\MyWebSearch
RegDeleteKey HKLM\SOFTWARE\FocusInteractive
RegDeleteKey HKLM\SOFTWARE\Fun Web Products
RegDeleteKey HKLM\SOFTWARE\FunWebProducts
RegDeleteKey HKLM\SOFTWARE\FunWebProducts-MyTotalSearch
RegDeleteKey HKLM\SOFTWARE\MyGlobalSearch
RegDeleteKey HKLM\SOFTWARE\MyWay
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A21-692B-4205-9CAD-2626E4993404}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

RegDelValue HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks|{00A6FAF6-072E-44cf-8957-5838F569A31D}
RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run|MyWebSearch Email Plugin

RegDelValue HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\sources|{f3PopularScreensavers}
RegDelValue HKLM\Software\Netscape\Netscape Navigator\Automation Startup|MyWayToolBar.NetscapeStartup.1
RegDelValue HKLM\Software\Netscape\Netscape Navigator\Automation Shutdown|MyWayToolBar.NetscapeShutdown.1
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|My Web Search Bar
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MyWebSearch Email Plugin
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform|FunWebProducts

RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run|MyWebSearch Email Plugin


# Clean Brilliant Digital Registry Changes

RegDeleteKey HKCR\.b3d
RegDeleteKey HKCR\.b3dini
RegDeleteKey HKCR\.s3d
RegDeleteKey HKCR\b3dini_auto_file
RegDeleteKey HKCR\b3d_auto_file
RegDeleteKey HKCR\BDEPLAYER.BDEPlayerCtrl
RegDeleteKey HKCR\BDEPLAYER.BDEPlayerCtrl.1
RegDeleteKey HKCR\BDESmartInstaller.BDESmartInstaller
RegDeleteKey HKCR\BDESmartInstaller.BDESmartInstaller.1
RegDeleteKey HKCR\s3d_auto_file
RegDeleteKey HKCR\CLSID\{51958169-D5E3-11D1-AA42-0000E842E40A}
RegDeleteKey HKCR\CLSID\{67925165-C4B6-11D2-B9C6-0000E84F59A6}
RegDeleteKey HKCR\Interface\{51958167-D5E3-11D1-AA42-0000E842E40A}
RegDeleteKey HKCR\Interface\{51958168-D5E3-11D1-AA42-0000E842E40A}
RegDeleteKey HKCR\Interface\{67925164-C4B6-11D2-B9C6-0000E84F59A6}
RegDeleteKey HKCR\TypeLib\{51958166-D5E3-11D1-AA42-0000E842E40A}
RegDeleteKey HKCR\TypeLib\{82FC7881-AACC-11D2-B9C6-0000E842E40A}

RegDeleteKey HKLM\SOFTWARE\Brilliant Digital Entertainment
RegDeleteKey HKCU\SOFTWARE\Brilliant Digital Entertainment

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bdeplayer


# Clean Adware Gain Registry Changes

RegDeleteKey HKCR\GainPlugin.GainPluginCtrl
RegDeleteKey HKCR\GainPlugin.GainPluginCtrl.1
RegDeleteKey HKCR\GSYOutlookAddin.GSYAddinObj
RegDeleteKey HKCR\GSYOutlookAddin.GSYAddinObj.1
RegDeleteKey HKCR\HDPlugin.HDPluginCtrl
RegDeleteKey HKCR\HDPlugin.HDPluginCtrl.1
RegDeleteKey HKCR\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
RegDeleteKey HKCR\CLSID\{309A4386-D229-42DD-BA17-983747DA35B0}
RegDeleteKey HKCR\CLSID\{42040532-2221-4EF7-8F16-9779AB7AAA98}
RegDeleteKey HKCR\CLSID\{CC90CDA0-74A0-45b4-80EF-D89CA8C249B8}
RegDeleteKey HKCR\CLSID\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0}
RegDeleteKey HKCR\Interface\{22D34833-06F9-4CE6-9FF7-CE4DA0BA351D}
RegDeleteKey HKCR\Interface\{42040530-2221-4EF7-8F16-9779AB7AAA98}
RegDeleteKey HKCR\Interface\{6DA65196-9CF9-48C9-9DB2-28742FCC56BE}
RegDeleteKey HKCR\Interface\{A2BA5E71-5BE3-4007-AC48-157823FB63FB}
RegDeleteKey HKCR\TypeLib\{2EC7A834-9C5E-4154-BADC-0D86A2EDC82D}
RegDeleteKey HKCR\TypeLib\{42040531-2221-4EF7-8F16-9779AB7AAA98}
RegDeleteKey HKCR\TypeLib\{8642D0F2-37CC-46B7-AA5B-399E6E68C626}
RegDeleteKey HKCR\TypeLib\{B699B1B8-ADD0-4835-8602-1548200FCDD5}

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DashBar
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Date Manager
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GotSmiley
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrecisionTime
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weatherscope
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecureAlert
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A840E1E-2BA8-47de-923E-0E00407EB530}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\={6C8DBEC0-8052-11d5-A9D5-00500413153C}


OptionPauseBetweenCmds 50
OptionSetStatus Removing Files & Folders.....

# Start Removing Files & Folders Seen Bundled With Netsky

FileDelete %WINDIR%\blopenv*.dll
FileDelete %WINDIR%\domnft*.dll
FileDelete %WINDIR%\dmdqdrx*.dll
FileDelete %WINDIR%\dxpvqlm*.dll
FileDelete %WINDIR%\dntpkwo*.dll

FileDelete %WINDIR%\dmdvpnkgn.dll
FileDelete %WINDIR%\alxvdvm.dll
FileDelete %WINDIR%\ampkfst.dll
FileDelete %WINDIR%\aslpmqk.dll
FileDelete %WINDIR%\asvdnmo.dll
FileDelete %WINDIR%\aswmklt.dll
FileDelete %WINDIR%\bgntlvo.dll
FileDelete %WINDIR%\bklgvsf.dll
FileDelete %WINDIR%\bqxomdo.dll
FileDelete %WINDIR%\bvtqfvx.dll
FileDelete %WINDIR%\bxsnvqt.dll
FileDelete %WINDIR%\gormet.dll
FileDelete %WINDIR%\jetctrl.dll
FileDelete %WINDIR%\kopmet.dll
FileDelete %WINDIR%\leorop.dll
FileDelete %WINDIR%\nopzet.dll
FileDelete %WINDIR%\pmkret.dll
FileDelete %WINDIR%\emlkdvo.dll
FileDelete %WINDIR%\egodktf.dll
FileDelete %WINDIR%\dopfwrlgwx.dll
FileDelete %WINDIR%\ensfolr.dll
FileDelete %WINDIR%\toprates.dll
FileDelete %WINDIR%\dxpvqlmqng.dll
FileDelete %WINDIR%\dmdqdrxpsr.dll
FileDelete %WINDIR%\dmdqdrxgxq.dll
FileDelete %WINDIR%\domnftwqpd.dll
FileDelete %WINDIR%\winload.dll
FileDelete %WINDIR%\vipextmst.dll
FileDelete %WINDIR%\voipwet.dll
FileDelete %WINDIR%\hdtip.dll
FileDelete %WINDIR%\werbetgxd.dll
FileDelete %WINDIR%\sdrmod.dll
FileDelete %WINDIR%\blopenvkgq.dll
FileDelete %WINDIR%\retnsrp.dll
FileDelete %WINDIR%\ttvbonsgr.dll
FileDelete %WINDIR%\leosrv.dll
FileDelete %WINDIR%\dpvtporrdw.dll
FileDelete %WINDIR%\elfwgps.dll
FileDelete %WINDIR%\emotrlq.dll
FileDelete %WINDIR%\bdmnopx.dll
FileDelete %WINDIR%\admggxp.dll
FileDelete %WINDIR%\admgcx.dll
FileDelete %WINDIR%\bdmanager.dll
FileDelete %WINDIR%\dntpkwolsv.dll
FileDelete %WINDIR%\dntpkwoowx.dll
FileDelete %WINDIR%\ekxdvft.dll
FileDelete %WINDIR%\bgrlsmn.dll
FileDelete %WINDIR%\adsoowf.dll
FileDelete %WINDIR%\emotrlq.dll
FileDelete %WINDIR%\epxonwo.dll
FileDelete %WINDIR%\dmdvpnsop.dll
FileDelete %WINDIR%\dopfwrlgfm.dll
FileDelete %WINDIR%\dpvtporfgp.dll
FileDelete %WINDIR%\ddwlxtqdpn.dll
FileDelete %WINDIR%\enqvwkp.dll
FileDelete %WINDIR%\agrlmvp.dll
FileDelete %WINDIR%\bmlvqkn.dll
FileDelete %WINDIR%\nsduo.dll
FileDelete %WINDIR%\msmhost.dll
FileDelete %WINDIR%\duocore.dll
FileDelete %WINDIR%\mxduo.dll
FileDelete %WINDIR%\wmpenv.dll
FileDelete %WINDIR%\wmpconf.dll
FileDelete %WINDIR%\bfrgnos.dll
FileDelete %WINDIR%\dwrmntsdnq.dll
FileDelete %WINDIR%\edfqvrw.dll
FileDelete %WINDIR%\afxlspw.dll
FileDelete %WINDIR%\dmdvpnslp.dll
FileDelete %WINDIR%\dmdvpnvmq.dll
FileDelete %WINDIR%\emotigt.dll
FileDelete %WINDIR%\dgtxrdfxlw.dll
FileDelete %WINDIR%\alofkmn.dll
FileDelete %WINDIR%\bxlrvps.dll
FileDelete %WINDIR%\ekvgsnw.dll
FileDelete %WINDIR%\dgtxrdfntw.dll
FileDelete %WINDIR%\dgtxrdfmng.dll
FileDelete %WINDIR%\apdqnxp.dll
FileDelete %WINDIR%\btrklfr.dll
FileDelete %WINDIR%\dkxrstqwkx.dll
FileDelete %WINDIR%\enlfxgw.dll
FileDelete %WINDIR%\dkxrstqvql.dll
FileDelete %WINDIR%\dkxrstqglq.dll
FileDelete %WINDIR%\altvxvm.dll
FileDelete %WINDIR%\bokpkov.dll
FileDelete %WINDIR%\etlrlws.dll
FileDelete %WINDIR%\drnpfdxrfs.dll
FileDelete %WINDIR%\drnpfdxrgq.dll
FileDelete %WINDIR%\drnpfdxvsl.dll
FileDelete %WINDIR%\drnpfdxfgd.dll
FileDelete %WINDIR%\vbgtorfd.dll
FileDelete %WINDIR%\dwnrpofk.dll
FileDelete %WINDIR%\qvdntlmw.dll
FileDelete %WINDIR%\winsystem.exe

FileDelete %SYSTEMDRIVE%\installer_abr.exe
FileDelete %SYSTEMDRIVE%\77002808_sub.exe
FileDelete %SYSTEMDRIVE%\SystemDefender_Installer.exe
FileDelete %SYSTEMDRIVE%\ADCFreeInstaller.exe

FolderClear %PROGRAMFILES%\MyWaySA
FolderDelete %PROGRAMFILES%\MyWaySA
FolderClear %WINDIR%\privacy_danger
FolderDelete %WINDIR%\privacy_danger
FolderClear %PROGRAMFILES%\XP Antivirus
FolderDelete %PROGRAMFILES%\XP Antivirus
FolderClear %PROGRAMFILES%\WhenUSearch
FolderDelete %PROGRAMFILES%\WhenUSearch
FolderClear %ALLUSERSAPPDATA%\vgnyfqza
FolderDelete %ALLUSERSAPPDATA%\vgnyfqza

FileDelete %DESKTOP%\Error Cleaner.url
FileDelete %DESKTOP%\Privacy Protector.url
FileDelete %DESKTOP%\Spyware&Malware Protection.url
FileDelete %FAVORITES%\Error Cleaner.url
FileDelete %FAVORITES%\Privacy Protector.url
FileDelete %FAVORITES%\Spyware&Malware Protection.url
FileDelete %PROGRAMFILES%\antiviirus.exe
FileDelete %SYSDIR%\FeedMerge.dll


# Start Removing Security Toolbar Files & Folders

FolderClear %PROGRAMFILES%\security toolbar
FolderDelete %PROGRAMFILES%\security toolbar

FileDelete %PROGRAMFILES%\hammer.dll

FileDelete %ALLUSERSSTARTMENU%\live safety center.lnk
FileDelete %ALLUSERSSTARTMENU%\online security guide.lnk
FileDelete %STARTMENU%\live safety center.lnk
FileDelete %STARTMENU%\online security guide.lnk
FileDelete %ALLUSERSDESKTOP%\live safety center.lnk
FileDelete %ALLUSERSDESKTOP%\online security guide.lnk
FileDelete %DESKTOP%\live safety center.lnk
FileDelete %DESKTOP%\online security guide.lnk
FileDelete %FAVORITES%\online security guide.lnk


# Start Removing FizzleWizzle/CoolBar Files & Folders

FileDelete %SYSDIR%\coolbar.dll
FileDelete %SYSDIR%\dist001.exe
FileDelete %WINDIR%\Downloaded Program Files\toolbar.dll

FolderClear %SYSTEMDRIVE%\sysfwb
FolderDelete %SYSTEMDRIVE%\sysfwb
FolderClear %PROGRAMFILES%\fwbartemp
FolderDelete %PROGRAMFILES%\fwbartemp
FolderClear %SYSDIR%\searchbar
FolderDelete %SYSDIR%\searchbar
FolderClear %WINDIR%\syas\coolbar
FolderDelete %WINDIR%\syas\coolbar


# Start Removing NetSky Files & Folders

FileDelete %WINDIR%\Jammer2nd.exe
FileDelete %WINDIR%\csrss.exe
FileDelete %WINDIR%\wserver.exe
FileDelete %WINDIR%\MsnMsgrs.exe
FileDelete %WINDIR%\winlogon.exe
FileDelete %WINDIR%\svchost.exe
FileDelete %WINDIR%\avpguard.exe
FileDelete %WINDIR%\AVBgle.exe
FileDelete %WINDIR%\FVProtect.exe
FileDelete %WINDIR%\SysMonXP.exe
FileDelete %WINDIR%\PandaAVEngine.exe
FileDelete %WINDIR%\EasyAV.exe
FileDelete %WINDIR%\VisualGuard.exe
FileDelete %WINDIR%\FirewallSvr.exe
FileDelete %WINDIR%\EasyAV.exe
FileDelete %WINDIR%\EastAV.exe

FileDelete %WINDIR%\pk_zip_alg.log
FileDelete %WINDIR%\pk_zip1.log
FileDelete %WINDIR%&#
  • 0

#8
jillsusan

jillsusan

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
found the bfu.exe
went back into my computer and saw the bfu.exe with a spiky ball next to it. for some reason i thought it should be on my desktop... i am going to proceed.
-jill
  • 0

#9
jillsusan

jillsusan

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
i do not have the adware.bfu in the folder icon i selected. i believe that is what was on my desktop. how can i get it into that folder?
  • 0

#10
jillsusan

jillsusan

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
i have dragged the adware.bfu.txt text document onto the scriptline. is this okay to execute now?
  • 0

#11
jillsusan

jillsusan

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
RatHat, i don't have an Adware.bfu
i do have an adware.bfu.txt
text document
59 KB

can i still execute this file since i dragged it onto the execute scriptline? its a text file, is that the same thing? should i start all over?
will wait to hear from you.
-jill
  • 0

#12
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Jill,

Right click on adware.bfu.txt and choose rename.

Rename it to Adware.bfu

Now open the folder which contains the BFU.exe program (spiky ball), and drag the adware.bfu file into that folder.

Double click on BFU.exe and carry out the fix as described above. Let me know if you have any more problems.

Regards,
RatHat
  • 0

#13
jillsusan

jillsusan

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
whoops! i went ahead without renaming the file because i got your last post late - hope that didn't mess things up. it has gone smoothly so far. shall i still rename the file?

i am working on combofix. they want me to disable anti-virus malware before performing a scan. i think the only protection i have on this pc is spy sweeper. do i need to disable that? if so how?
-jill
  • 0

#14
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi Jill,

I would prefer if you could run BFU again after renaming the file Adware.bfu, just to make sure you had it right.

Now to disable Spy Sweeper, do this:

Open it, click >Options over to the left, then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

Regards,
RatHat
  • 0

#15
jillsusan

jillsusan

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
okay i will do the BFU over. does that mean i should repeat the atf cleaner and the malwarebytes anti malware also?
  • 0
