hzuctimlnia.exe / Spyware.BetterInternet[RESOLVED]


This topic is locked

#1 Siberia (New Member, 7 posts)
Hi, I've downloaded Ewido, but I get a pop-up about this Hzuctimlnia.exe file (which Ewido says is associated with Spyware.betterinternet) about every 2 minutes when I am online. I have gone through all the steps (adaware, cwshredder, spybot s&d, and updated windows) but it won't go away.
Thanks for your help, hope I did this right...

Here is the Hijack this log:


Logfile of HijackThis v1.99.1
Scan saved at 11:48:36 PM, on 5/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115354343203
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0


#2 Guest_thatman_* (Guest)
Hi Siberia

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Let's see if this will find any hidden Trojans: http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update.
Run a full scan with Ewido and save the log when the scan has finished.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.
Reboot when prompted to let it clean out the remaining files.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\Bolger.dll (file missing)
C:\WINDOWS\Nail.exe
Exit Explorer. Reboot as normal.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\WINDOWS\Bolger.dll
C:\WINDOWS\Nail.exe

Reboot as normal

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0
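The triage the helper did by eye on the log in post #1 can be scripted. The following is an added example for this thread; it is not HijackThis code and not the helper's own tool. It parses the section prefixes HijackThis prints (R0, F2, O2, O4, O16, O23) and applies three checks that mirror what was flagged above: an F2 Shell= value that launches anything besides Explorer.exe, an O2 BHO whose DLL is reported "(file missing)", and R0 Start Page values that are empty. It also reports which flagged lines survive from one log to the next, which is how the thread later spotted that Nail.exe kept coming back. The sample log text is a constructed subset of the logs posted in this thread; the function names are the example's own.

```python
"""Triage of HijackThis v1.99.1 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed subset of the 5/5/2005 log from post #1.
LOG_MAY_5 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Constructed subset of the 5/7/2005 log from post #3: R0 and Bolger are gone, Shell= is not.
LOG_MAY_7 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Every HJT entry starts with a section code such as R0, F2, O2, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, line) for every line that looks like an HJT entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def shell_extras(body):
    """Programs named in a system.ini Shell= value other than Explorer.exe.

    Tokens are split on whitespace, which matches how HijackThis prints the
    value; a quoted path containing spaces would need a real command-line parser.
    """
    m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    return [t for t in m.group(1).split() if t.lower() != "explorer.exe"]


def triage(text):
    """Apply the three checks the helper applied to the post #1 log."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "F2":
            extras = shell_extras(body)
            if extras:
                findings.append(Finding(section, "Shell= also launches " + " ".join(extras), line))
        elif section == "O2" and body.endswith("(file missing)"):
            findings.append(Finding(section, "BHO registered but its DLL is missing", line))
        elif section == "R0" and body.rstrip().endswith("="):
            findings.append(Finding(section, "empty Start Page value", line))
    return findings


def surviving(old_text, new_text):
    """Flagged lines from the older log that are still present verbatim in the newer one."""
    new_lines = {line for _, _, line in parse_entries(new_text)}
    return [f for f in triage(old_text) if f.line in new_lines]


if __name__ == "__main__":
    for f in triage(LOG_MAY_5):
        print(f"{f.section:<3} {f.reason}\n    {f.line}")
    print("still present on 5/7:")
    for f in surviving(LOG_MAY_5, LOG_MAY_7):
        print("   ", f.line)
```

Run stand-alone it lists the four entries the helper asked to have fixed and then shows that only the F2 Shell= line survives into the second log, which is the persistence mechanism the rest of the thread fights: system.ini's Shell= value is read at logon, so anything appended after Explorer.exe is relaunched on every boot.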

#3 Siberia (Topic Starter, New Member, 7 posts)
Hi again,
Thanks for all your help. I did everything you said, except the Killbox program couldn't find the file C:\WINDOWS\Bolder.dll. For what it's worth, Ewido is still popping up constantly with my pal hzuctimlnia.exe every few seconds, with a few auroreco.exe's mixed in. It also looks like all the files I deleted with HJT are back. I logged on in safe mode as Owner. Should it have been Admin instead? Could that be causing this problem? Here are the logs:

PANDA:

Incident Status Location

Adware:Adware/nCase No disinfected C:\WINDOWS\msbb*
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.???
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\WinTools
Adware:Adware/AdDestroyer No disinfected C:\Program Files\AdDestroyer
Adware:Adware/VirtualBouncer No disinfected C:\Documents and Settings\All Users\Application Data\VBouncer
Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab
Adware:Adware/DealHelper No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINDOWS\System32\246765-ventura-hot.exe
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\io2uns.exe
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt
Adware:Adware/Beginto No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\nail.exe
Adware:Adware/Pacimedia No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-21e7f006-69631062.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4198520f-5f0bda5e.zip[Dummy.class]
Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab
Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab[eied.inf]
Adware:Adware/Transponder No disinfected C:\RECYCLER\S-1-5-21-1097220513-1730271511-700863191-1003\Dc1.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Virus:Trj/Downloader.AEE Disinfected C:\WINDOWS\Downloaded Program Files\counter.inf
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.inf
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\io2uns.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\msbb.log
Adware:Adware/nCase No disinfected C:\WINDOWS\msbbau.dat
Adware:Adware/nCase No disinfected C:\WINDOWS\msbb_kyf.dat
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\system32\246765-ventura-hot.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\cxtpls_loader.exe
Virus:Trj/Downloader.BYZ Disinfected C:\WINDOWS\system32\dist001.exe
HJT


Logfile of HijackThis v1.99.1
Scan saved at 9:11:01 PM, on 5/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115354343203
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4 Guest_thatman_* (Guest)
Hi Siberia

Now we are seeing the malware hidden on your system.

Reboot into Safe Mode: Click here if you don't know how to do this.

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
Let the system reboot.
C:\WINDOWS\msbb*
C:\WINDOWS\Downloaded Program Files\istactivex.exe
C:\Documents and Settings\All Users\Favorites\AdultGambling.url
C:\WINDOWS\bsx32
C:\Program Files\cxtpls
C:\Program Files\Common Files\WinTools
C:\Program Files\AdDestroyer
C:\Documents and Settings\All Users\Application Data\VBouncer
C:\eied_s7.cab
C:\WINDOWS\System32\246765-ventura-hot.exe
C:\WINDOWS\io2uns.exe
C:\Program Files\FwBarTemp
C:\WINDOWS\wt
C:\WINDOWS\nail.exe
C:\Documents and Settings\All Users\Favorites\AdultGambling.url
C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab[eied.inf]
C:\RECYCLER\S-1-5-21-1097220513-1730271511-700863191-1003\Dc1.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
C:\WINDOWS\Downloaded Program Files\istactivex.inf
C:\WINDOWS\io2uns.exe
C:\WINDOWS\msbb.log
C:\WINDOWS\msbbau.dat
C:\WINDOWS\msbb_kyf.dat
C:\WINDOWS\system32\246765-ventura-hot.exe

C:\WINDOWS\system32\cxtpls_loader.exe

Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5 Siberia (Topic Starter, New Member, 7 posts)
Hi,
Once again thanks. It looks like this cleaned up a lot of junk, but Nail.exe is still there. After I put all the files in Killbox and rebooted, I got a message that Windows could not find the file C:\Windows\Nail.exe. It's still there, though. Here are the log files:

PANDA:


Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\WinTools
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\All Users\Application Data\AdDestroyer
Adware:Adware/VirtualBouncer No disinfected C:\Documents and Settings\All Users\Application Data\VBouncer
Adware:Adware/DealHelper No disinfected Windows Registry
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt
Adware:Adware/Beginto No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:21 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115354343203
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by Siberia, 09 May 2005 - 01:39 PM.

  • 0

#6 Guest_thatman_* (Guest)
Hi Siberia

As you can see, the following are folders. Killbox cannot delete folders, so we have to do it by hand; all the exe files have been deleted.

Reboot into Safe Mode: Click here if you don't know how to do this.

Using Windows Explorer delete the following files if present:
If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.
C:\Program Files\Common Files\WinTools<--Delete this folder
C:\Program Files\FwBarTemp<--Delete this folder
C:\WINDOWS\wt<--Delete this folder
C:\WINDOWS\bsx32<--Delete this folder
C:\Documents and Settings\All Users\Application Data\AdDestroyer<--Delete this folder
C:\Documents and Settings\All Users\Application Data\VBouncer<--Delete this folder
C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url<--Delete this url
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

Run disk cleanup

Reboot as normal

Scan with Panda Post the scan.log and a new HJT.log

Kc :tazz:
  • 0
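The point made in this post, that a Panda "Incident Status Location" report mixes files, folders, registry entries and archive members that each need a different removal tool, can be automated before anything is pasted into Killbox. The following is an added example for this thread; it is not Panda's code and not the helper's procedure. It splits each report line into incident, status and location, skips what Panda already disinfected, and sorts the rest into plain files, folders (to delete in Explorer, as instructed above), wildcard patterns such as msbb* (kept separate rather than assumed to be one file), members inside an archive (removed by deleting the archive itself) and registry locations (left for Regedit). The sample report is a constructed subset of the reports posted in this thread; the function names are the example's own, and the folder heuristic (no dot in the last path component) is an assumption that holds for these reports but would misfile an extensionless file.

```python
"""Classify locations from a Panda ActiveScan report (added example, not Panda's code)."""
import re
from collections import OrderedDict

# Constructed subset of the reports in posts #3 and #5.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:Adware/nCase No disinfected C:\WINDOWS\msbb*
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\istactivex.???
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\WinTools
Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab
Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab[eied.inf]
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/Transponder No disinfected C:\RECYCLER\S-1-5-21-1097220513-1730271511-700863191-1003\Dc1.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-21e7f006-69631062.zip[Dummy.class]
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt
"""

# incident has no spaces; status is one of Panda's two literal values; the rest is the location.
ROW_RE = re.compile(r"^(?P<incident>\S+)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")

KINDS = ("file", "folder", "wildcard", "archive_member", "registry")


def parse_report(text):
    """Return (incident, status, location) for each report row; header and blanks are skipped."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            rows.append((m.group("incident"), m.group("status"), m.group("location")))
    return rows


def classify(location):
    """Sort a location into one of KINDS using the conventions seen in Panda's output."""
    if location == "Windows Registry":
        return "registry"
    last = location.rsplit("\\", 1)[-1]
    if "[" in last and last.endswith("]"):
        return "archive_member"          # e.g. C:\eied_s7.cab[eied.inf]
    if any(ch in location for ch in "*?"):
        return "wildcard"                # e.g. C:\WINDOWS\msbb*
    # Assumption: a last component without a dot is a folder (true for these reports).
    return "file" if "." in last else "folder"


def group_by_kind(text):
    """Group undisinfected locations by kind, deduplicated and in report order."""
    groups = OrderedDict((kind, []) for kind in KINDS)
    for _incident, status, location in parse_report(text):
        if status == "Disinfected":
            continue                     # Panda already handled it; nothing left to remove
        kind = classify(location)
        if location not in groups[kind]:
            groups[kind].append(location)
    return groups


if __name__ == "__main__":
    for kind, locations in group_by_kind(SAMPLE_REPORT).items():
        print(f"{kind}:")
        for loc in locations:
            print("   ", loc)
```

Running it on the sample prints bsx32, WinTools and wt under "folder", exactly the three locations this post says Killbox could not remove, while Nail.exe and the other files stay in the list that a file-deletion tool can act on.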

#7 Guest_thatman_* (Guest)
Hi Siberia

Please post a new HJT.log


Kc :tazz:

Edited by thatman, 11 May 2005 - 09:40 AM.

  • 0

#8 Siberia (Topic Starter, New Member, 7 posts)
Hi,
Thanks, here are the logs:


Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\WinTools
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\All Users\Application Data\AdDestroyer
Adware:Adware/VirtualBouncer No disinfected C:\Documents and Settings\All Users\Application Data\VBouncer
Adware:Adware/DealHelper No disinfected Windows Registry
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt
Adware:Adware/Beginto No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url

Logfile of HijackThis v1.99.1
Scan saved at 8:17:33 AM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\Heather\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115354343203
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#9 Guest_thatman_* (Guest)
Hi Siberia

This log was done in safemode, please post a log in normal mode

Thanks Kc :tazz:
  • 0

#10 Guest_thatman_* (Guest)
Hi thatman

C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url<--Delete the url from your Favorites
C:\WINDOWS\bsx32<--Delete the whole folder
C:\WINDOWS\wt<--Delete the whole folder
C:\Program Files\Common Files\WinTools<--Delete the whole folder
C:\Documents and Settings\All Users\Application Data\AdDestroyer<--Delete the whole folder
C:\Documents and Settings\All Users\Application Data\VBouncer<--Delete the whole folder
C:\Program Files\FwBarTemp<--Delete the whole folder

Kc :tazz:
  • 0


#11 Siberia (Topic Starter, New Member, 7 posts)
Hi Thatman,
Sorry about that last. I think I mixed up the Activescan logs, here is the latest:
Thanks much for all your help.

Panda:

Incident Status Location

Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Logfile of HijackThis v1.99.1
Scan saved at 11:24:55 AM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\SNDVOL32.EXE
C:\Documents and Settings\Owner\Desktop\Heather\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115354343203
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#12 Guest_thatman_* (Guest)
Hi Siberia

Please read through the instructions before you start (you may want to print this out).

Read this Demystifying the Windows Registry

Most of the following registry entries will have been removed. You may find a number of reg keys for this Searchcentrix program, but they are harmless and are just leftovers, useless with no program to run.

Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\win_upd2.exe, delete it
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\lpvcjpwg, delete
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\spoolsvv, delete

HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-96f7-eb6db99aa92e}

Kc :tazz:
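A read-only audit of the Browser Helper Object and Run entries that the cleanup list in this thread targets, written in PowerShell as an added example (not code posted in the thread and not part of any tool named here). It assumes a current PowerShell; the CLSIDs and Run value names it matches against are a small constructed sample taken from the keys the thread lists, and it resolves each BHO to its DLL so that orphaned or known-bad entries stand out before anything is deleted.

```powershell
# Added example: audit BHOs and Run entries without modifying the registry.
# Sample indicators below are copied from the key list in this thread.
$KnownBadClsids = @(
    '{4e7bd74f-2b8d-469e-98f7-eb6db99aa93b}',
    '{4e7bd74f-2b8d-469e-c0fb-ef60b19da02a}',
    '{cd2a865b-6c0f-44f9-baa1-7cdb31e04bc8}'
)
$KnownBadRunNames = @('win_upd2.exe', 'spoolsvv', 'lpvcjpwg')

function Get-BhoAudit {
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoRoot)) { return @() }
    foreach ($key in Get-ChildItem $bhoRoot) {
        $clsid  = $key.PSChildName
        # Each BHO CLSID should map to an InprocServer32 DLL; a missing or
        # unknown DLL is as suspicious as a CLSID on the known-bad list.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)' }
        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $dll
            DllExists = [bool]($dll -and (Test-Path ([Environment]::ExpandEnvironmentVariables($dll))))
            KnownBad  = ($KnownBadClsids -contains $clsid.ToLower())
        }
    }
}

function Get-RunAudit {
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($p in (Get-ItemProperty $root).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [pscustomobject]@{
                Hive     = $root
                Name     = $p.Name
                Command  = $p.Value
                KnownBad = ($KnownBadRunNames -contains $p.Name.ToLower())
            }
        }
    }
}

Get-BhoAudit | Format-Table -AutoSize
Get-RunAudit | Format-Table -AutoSize
```

Run it before and after a cleanup: an entry that is still listed afterwards, or a BHO whose DLL no longer exists, is what to look at next.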

#13
Siberia

Siberia

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi Thatman,
It seems weird, but I didn't find a single one of those files in my registry (I used reglite to search after attempting to search manually). Any advice?
Thanks

#14
Guest_thatman_*
Hi Siberia

Congratulations! Your system is CLEAN ;)

Download the Microsoft Antispyware Free

ewido Trojan removal tool (free)

SpyBot Search & Destroy v1.3

Winpatrol Free

Ad-Aware SE Personal Edition Free

Turn off system restore
Disabling or enabling Windows XP System Restore

Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klein: So how did I get infected in the first place?

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program, like a missing file, see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
http://www.mozilla.o...oducts/firefox/
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats. 8)

Kc :tazz:

#15
Siberia
That's awesome-NO pop-ups! Thanks for all your help.