Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Cyberlog x - cant remove

Started by Bitburger1 , May 31 2008 08:32 AM

  • Please log in to reply

#1
Bitburger1
Posted 31 May 2008 - 08:32 AM

Bitburger1

    Member

  • Member
  • PipPip
  • 13 posts
Need your help. My son has let his children get on the internet with his Dell Latitude D600 and now has Cyberlog X plus other infections. I have gone to many sites and read how to removed. Used Smith Fraud Fix 2.32.3 and it hangs up at the Disk Clean up. Left it there for over an hour and only goes to scanning compressed files. I have Installed Trend Micro Pcillin on the computer but cannot connect to Internet so cannot get current updates. I am able to get to the internet but Trend Micro says it cannot connect.
Have disable system restore. Tried Ad away, Smith Fraud, and scanning with Trend micro. Get a warning about waol.exe also. I am having to copy log files to Jump drive to post them here. Attached is Smith Fraud Log and Hijack this log,

Any help will be greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:20 AM, on 5/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\vbpdtvdp.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\vbpdtvdp.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\System32\hgGxXrSj.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\System32\actmoviez.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\System32\actmoviez.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\SMBOLS~1\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\6825.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\System32\actmoviez.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\System32\actmoviez.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1055748701495
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://xo.webex.com...bex/ieatgpc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mail.inthosts.net,algx.com,apps.inthosts.net,corp.inthosts.net,internal.nextlink
.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mail.inthosts.net,algx.com,apps.inthosts.net,corp.inthosts.net,internal.nextlink
.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mail.inthosts.net,algx.com,apps.inthosts.net,corp.inthosts.net,internal.nextlink
.net
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8624 bytes

SmitFraudFix v2.323

Scan done at 7:42:28.92, Fri 05/30/2003
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\accesss.exe Deleted
C:\WINDOWS\astctl32.ocx Deleted
C:\WINDOWS\avpcc.dll Deleted
C:\WINDOWS\clrssn.exe Deleted
C:\WINDOWS\cpan.dll Deleted
C:\WINDOWS\iexplorer.exe Deleted
C:\WINDOWS\loader.exe Deleted
C:\WINDOWS\mtwirl32.dll Deleted
C:\WINDOWS\notepad32.exe Deleted
C:\WINDOWS\olehelp.exe Deleted
C:\WINDOWS\systeem.exe Deleted
C:\WINDOWS\systemcritical.exe Deleted
C:\WINDOWS\time.exe Deleted
C:\WINDOWS\users32.exe Deleted
C:\WINDOWS\waol.exe Deleted
C:\WINDOWS\win32e.exe Deleted
C:\WINDOWS\win64.exe Deleted
C:\WINDOWS\winajbm.dll Deleted
C:\WINDOWS\window.exe Deleted
C:\WINDOWS\winmgnt.exe Deleted
C:\WINDOWS\x.exe Deleted
C:\WINDOWS\xplugin.dll Deleted
C:\WINDOWS\xxxvideo.hta Deleted
C:\WINDOWS\y.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{329283C0-FB00-4B03-9862-1C8F1347C41D}: DhcpNameServer=208.180.42.100 208.180.42.68
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45F6E23C-88CA-46AA-90C2-1C2AB2CB15E6}: DhcpNameServer=4.2.2.4 4.2.2.5 4.2.2.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{329283C0-FB00-4B03-9862-1C8F1347C41D}: DhcpNameServer=208.180.42.100 208.180.42.68
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45F6E23C-88CA-46AA-90C2-1C2AB2CB15E6}: DhcpNameServer=4.2.2.4 4.2.2.5 4.2.2.6
HKLM\SYSTEM\CS2\Services\Tcpip\..\{329283C0-FB00-4B03-9862-1C8F1347C41D}: DhcpNameServer=208.180.42.100 208.180.42.68
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45F6E23C-88CA-46AA-90C2-1C2AB2CB15E6}: DhcpNameServer=4.2.2.4 4.2.2.5 4.2.2.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.180.42.100 208.180.42.68
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=208.180.42.100 208.180.42.68


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\iexplorer.exe Deleted


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

Advertisements

#2
OldTimer
Posted 31 May 2008 - 09:01 AM

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hello Bitburger1 and welcome to G2G. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
  • 0

#3
Bitburger1
Posted 31 May 2008 - 09:42 AM

Bitburger1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Was able to run AFT cleaner. Tried OTSscanit and it will not function. Tried it 3 times. It asked me to run as a administration then clicked Ok and then nothing. Tried running it off my desktop and off the Lexar drive. Nothing. I download once and then again to make sure I did not have a corrupted file.

Bitburger1
  • 0

#4
OldTimer
Posted 31 May 2008 - 09:51 AM

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi Bitburger1. What does it do exactly? What is the message in the statusbar when it is running?

Cheers.

OT
  • 0

#5
Bitburger1
Posted 31 May 2008 - 09:55 AM

Bitburger1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I can double click on it an nothing happens. I right click and run as, it come back and asks which user account do I want to run this program. I click current user- administrator and have run it with protect computer checked and unchecked and then click ok and nothing happed except the popups come up.

Bitburger1
  • 0

#6
OldTimer
Posted 31 May 2008 - 10:04 AM

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi Bitburger1. I have never heard of that. Turn-off/disable any security programs that are running. Otherwise run it in Safe Mode.

Cheers.

OT
  • 0

#7
Bitburger1
Posted 31 May 2008 - 11:03 AM

Bitburger1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I am going out of my mind on this. I have tried in in the safe mode. Check bytes of file. Loaded in on my good computer and it work. Copied on a CD RW and transfered to laptop. Sill will not open. Tried it with the Lexar and does the same.
catchme.exe will open but otsacnit will not open like it does on my computer.

Bitburger 1
  • 0

#8
OldTimer
Posted 31 May 2008 - 11:33 AM

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi Bitburger1. It could be that the malware is targeting OTScanIt.exe. Try renaming it to something else like x.exe or something.

Cheers.

OT
  • 0

#9
Bitburger1
Posted 31 May 2008 - 12:55 PM

Bitburger1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
That didnt work but Adware away finally contacted me after 4 days with the following fix in the attachement. It might help you. It clean everything up.
Sorry that I took up your time.
Also I had to make a new account Bitburger 1 to contact you. My account Bitburger would let me sign in but post nothing and could not down load anything. I sent messages and no one would contact me.

Adware Away Script
[FILE]
C:\WINDOWS\winself.exe
C:\WINDOWS\System32\vbpdtvdp.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\PROGRA~1\COMMON~1\SMBOLS~1\dllhost.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\6825.exe
C:\WINDOWS\System32\actmoviez.exe
C:\WINDOWS\System32\vbpdtvdp.exe
C:\WINDOWS\nldfmtapowe.dll
C:\WINDOWS\oddops.dll
C:\WINDOWS\system32\spywarewarning.mht
C:\WINDOWS\System32\hgGxXrSj.dll
C:\WINDOWS\System32\mlJBTlMc.dll
C:\WINDOWS\stfngdvw.dll
C:\WINDOWS\system32\fccbxVNh.dll
C:\WINDOWS\system32\mrcmgr.exe
C:\WINDOWS\system32\yygkobdn.dll
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\ddcApOgE.dll
C:\WINDOWS\system32\yayxxwtS.dll
C:\WINDOWS\system32\prxsmr.dll
C:\WINDOWS\system32\hmlphl.dll
[FILE]
[REGVALUE]
Software\Microsoft\Windows\CurrentVersion\Run==IEUpdate
Software\Microsoft\Windows\CurrentVersion\Run==autoload
Software\Microsoft\Windows\CurrentVersion\Run==Host Process
Software\Microsoft\Windows\CurrentVersion\Run==BM3fa34ff9
Software\Microsoft\Windows\CurrentVersion\Run==dtldlttt
Software\Microsoft\Windows\CurrentVersion\Run==antiviirus
Software\Microsoft\Windows\CurrentVersion\Run==DriveCleaner Freeware
Software\Microsoft\Windows\CurrentVersion\Run==BM173b00fe
Software\Microsoft\Windows\CurrentVersion\Run==WinPatrol
Software\Microsoft\Windows\CurrentVersion\Run==hpu
Software\Microsoft\Windows\CurrentVersion\RunServices==IEUpdate
Software\Microsoft\Windows\CurrentVersion\RunServices==jfyhybdf
Software\Microsoft\Windows\CurrentVersion\RunOnce==RemoveInstallPath
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run==CiC20vW5Vr
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run==some
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler=={91316323-2ad5-4794-9589-52a2eaa60a68}
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad==zip
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad==???
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad==zip
Software\Microsoft\Internet Explorer\Toolbar=={D593DE91-7B41-45C2-830E-E9A99AB142AA}
Software\Microsoft\Internet Explorer\Toolbar=={47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}
Software\Microsoft\Internet Explorer\Toolbar=={47833539-D0C5-4125-9FA8-0819E2EAAC93}
Software\Microsoft\Internet Explorer\Toolbar=={9C590067-8A6A-4db6-B052-069283790B04}
Software\Microsoft\Internet Explorer\Toolbar=={71AAABE5-1F0F-11d7-BD6F-004854603DCE}
Software\Microsoft\Internet Explorer\Toolbar=={D554D8FC-B36D-4BB4-93DB-4A3394D505E3}
Software\Microsoft\Internet Explorer\Toolbar=={8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2}
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows==AppInit_Dlls
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon==system
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved=={ABC70703-32AF-11d4-90C4-D483A70F4825}
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved=={747E722C-CB46-4A9D-BDFE-192AAD5099B1}
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved=={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved=={B6B69199-ACA1-4CC4-A7E3-3DC9AEC7B947}
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved=={32683183-48a0-441b-a342-7c2a440a9478}
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved=={0DF44EAA-FF21-4412-828E-260A8728E7F1}
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved=={653DCCC2-13DB-45B2-A389-427885776CFE}
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved=={124597D8-850A-41AE-849C-017A4FA99CA2}
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved=={653DCCC2-13DB-45B2-A389-427885776CFE}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks=={32341E7E-C319-46DE-91D0-E30BB1A3CABA}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks=={EDB0E980-90BD-11D4-8599-0008C7D3B6F8}
[REGVALUE]
[REGKEY]
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer==Run
SOFTWARE\Microsoft\Internet Explorer\Explorer Bars=={1212BCB8-67DD-475e-8025-9D2198FB8F61}
SOFTWARE\Microsoft\Internet Explorer\Explorer Bars=={15F56B17-A0F8-4288-A24C-0F913B34D67B}
SOFTWARE\Classes\CLSID={c44953ec-9060-4a58-acf0-f8df55b02c79}
SYSTEM\CurrentControlSet\Services==a6zle7iv
SYSTEM\CurrentControlSet\Services==DomainService
SYSTEM\CurrentControlSet\Services==ISEXEng
[REGKEY]
[!!!FI!_AUTHENTICATIONPACKAGES]
[BHO]
{00110011-4b0b-44d5-9718-90c88817369b}
{086ae192-23a6-48d6-96ec-715f53797e85}
{150fa160-130d-451f-b863-b655061432ba}
{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}
{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}
{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}
{2d38a51a-23c9-48a1-a33c-48675aa2b494}
{2e9caff6-30c7-4208-8807-e79d4ec6f806}
{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}
{5321e378-ffad-4999-8c62-03ca8155f0b3}
{587dbf2d-9145-4c9e-92c2-1f953da73773}
{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}
{79369d5c-2903-4b7a-ade2-d5e0dee14d24}
{799a370d-5993-4887-9df7-0a4756a77d00}
{B1A64443-6FCA-41CE-8D51-5F8991257555}
{b847676d-72ac-4393-bfff-43a1eb979352}
{bc97b254-b2b9-4d40-971d-78e0978f5f26}
{cf021f40-3e14-23a5-cba2-717765721306}
{e2ddf680-9905-4dee-8c64-0a5de7fe133c}
{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}
{e7afff2a-1b57-49c7-bf6b-e5123394c970}
{fcaddc14-bd46-408a-9842-cdbe1c6d37eb}
{fd9bc004-8331-4457-b830-4759ff704c22}
{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}
[BHO]
  • 0

#10
OldTimer
Posted 31 May 2008 - 01:22 PM

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi Bitburger1. I've never seen a script like that for AdAware. I haven't used it in quite some time so it might be something new. If that took care of everything then you should be good to go :)

Cheers and Happy Computing!

OT
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP