Please help - aurora and more, tried everything! [RESOLVED]
Started by mondoboffo, May 10 2005 07:41 PM
#16
Posted 18 May 2005 - 01:44 PM
I copied and pasted the files into killbox one by one. How do I know if I'm rid of them?
#17
Posted 18 May 2005 - 01:57 PM
Did you do them one by one and use the "Standard File Kill"?
Or did you use "Delete on Reboot" and do that five times?
All these:
c:\systemvolumeinformation\_restore are in your Restore Points and will remain there as long as you don't use System Restore.
Can MSAS remove the others?
Regards,
#18
Posted 18 May 2005 - 02:03 PM
Metallica,
I did them one by one with delete on reboot clicking the x with each new entry. I did not reboot 5 times....only once.
Did I do it wrong? How will I know if they're still lurking in my computer?
Thanks!
#19
Posted 18 May 2005 - 02:04 PM
Sorry,
MSAS said it removed the three I mentioned.
#20
Posted 18 May 2005 - 02:25 PM
Metallica,
I just ran a Spybot scan that turned up the following HotSearchBar stuff:
HotSearchBar: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\drelkge789AEF5
HotSearchBar: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\drelkge789AEF5
When I tried to fix them, Spybot told me it could not because files were in use and will do a scan upon reboot.
What do you think?
Thanks!
#21
Posted 18 May 2005 - 02:37 PM
Metallica,
FYI, I rebooted and did another Spybot scan which could not remove the HotSearchBar stuff.
Bummer!
#22
Posted 18 May 2005 - 02:44 PM
Please don't go paranoid on me.
Is anything actually bothering you?
Popup ads, hijacked or alarming traffic?
If Spybot can't get rid of them because they are in use, rerun the scan in safe mode.
Regards,
#23
Posted 18 May 2005 - 02:49 PM
Metallica,
Sorry...there really are no more pop-ups, hijacks, etc.
Does that mean I'm ok even though these bad boys show up during the scans?
Thanks, Doctor Metallica!
#24
Posted 18 May 2005 - 02:52 PM
Metallica,
I just did a safe mode scan - it could not fix the HotSearchBar stuff.
#25
Posted 19 May 2005 - 12:54 AM
One thing to remember is that different scanners have different ways of dealing with spyware and even if the malware has been disabled, other scanners will find remains of the infection that are harmless by themselves.
On the other hand they should be able to get rid of them.
- Download the Registry Search Tool.
- Unzip the contents of RegSrch.zip to a convenient location.
- Double-click on RegSrch.vbs.
- If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
- In the "Enter search string (case insensitive) and click OK..." box paste this string:
- drelkge789AEF5
- Click "OK" to search the registry for that string.
- Wait for a few minutes while it completes the search.
- Click "OK" to open the results in WordPad.
- Copy and paste the entire results into your next post.
#26
Posted 19 May 2005 - 06:15 AM
Metallica,
Again, thanks for the explanation - this stuff absolutely baffles me.
Here is the Registry search result you requested.
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "drelkge789AEF5" 5/19/2005 8:09:15 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\.DEFAULT\Software\drelkge789AEF5]
[HKEY_USERS\.DEFAULT\Software\drelkge789AEF5\eeennn]
[HKEY_USERS\.DEFAULT\Software\drelkge789AEF5\kkws]
[HKEY_USERS\.DEFAULT\Software\drelkge789AEF5\ppops]
[HKEY_USERS\.DEFAULT\Software\drelkge789AEF5\reel]
[HKEY_USERS\.DEFAULT\Software\drelkge789AEF5\ssites]
[HKEY_USERS\S-1-5-18\Software\drelkge789AEF5]
[HKEY_USERS\S-1-5-18\Software\drelkge789AEF5\eeennn]
[HKEY_USERS\S-1-5-18\Software\drelkge789AEF5\kkws]
[HKEY_USERS\S-1-5-18\Software\drelkge789AEF5\ppops]
[HKEY_USERS\S-1-5-18\Software\drelkge789AEF5\reel]
[HKEY_USERS\S-1-5-18\Software\drelkge789AEF5\ssites]
#27
Posted 19 May 2005 - 06:25 AM
Good. We should be able to get rid of those in safe mode.
Copy the part in bold below into notepad and save it as remdrelkge.reg
REGEDIT4
[-HKEY_USERS\.DEFAULT\Software\drelkge789AEF5]
[-HKEY_USERS\S-1-5-18\Software\drelkge789AEF5]
Reboot into safe mode and double-click that file. Confirm you want to merge it with the registry.
NOTE: you probably have to have Administrator rights to make this work.
Regards,
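How the two-line deletion file in post #27 follows from the twelve search hits in post #26, as an added example that is not part of the thread or of RegSrch.vbs. The function names `plan_removal` and `build_reg` and the `HKEY_LOCAL_MACHINE\Software\Example\Settings` value hit are hypothetical; the sample input is constructed from the posted results.

```python
import re

# Constructed sample: a shortened copy of the RegSrch.vbs output in post #26,
# plus one made-up value hit under an unrelated key to show the review path.
SAMPLE = r'''REGEDIT4
; Registry search results for string "drelkge789AEF5"
[HKEY_USERS\.DEFAULT\Software\drelkge789AEF5]
[HKEY_USERS\.DEFAULT\Software\drelkge789AEF5\kkws]
[HKEY_USERS\S-1-5-18\Software\drelkge789AEF5]
[HKEY_USERS\S-1-5-18\Software\drelkge789AEF5\ssites]
[HKEY_LOCAL_MACHINE\Software\Example\Settings]
"LastSeen"="drelkge789AEF5"
'''

KEY_LINE = re.compile(r"^\[([^\]]+)\]$")

def plan_removal(results, needle):
    """Split search hits into keys safe to delete whole and keys to review."""
    needle = needle.lower()
    delete, review = [], []
    for line in results.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m:
            continue  # header, comment or value line
        parts = m.group(1).split("\\")
        # Index of the first path component that contains the search string.
        hit = next((i for i, p in enumerate(parts) if needle in p.lower()), None)
        if hit is None:
            # The string matched a value, not the key name: deleting the
            # whole key could remove unrelated settings, so flag it instead.
            review.append(m.group(1))
            continue
        root = "\\".join(parts[: hit + 1])
        if root.lower() not in (k.lower() for k in delete):
            delete.append(root)
    return delete, review

def build_reg(delete_keys):
    """Render a REGEDIT4 file; a leading '-' deletes the key and its subkeys."""
    lines = ["REGEDIT4", ""] + ["[-%s]" % k for k in delete_keys]
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    keys, manual = plan_removal(SAMPLE, "drelkge789AEF5")
    print(build_reg(keys))
    print("Review by hand:", manual)
```

Only the two parent keys are emitted because a `[-key]` entry removes the key together with all of its subkeys. `HKEY_USERS\.DEFAULT` and `HKEY_USERS\S-1-5-18` are two names for the same LocalSystem hive, so the second line is harmless redundancy.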
#28
Posted 19 May 2005 - 07:05 AM
Metallica,
Registry project completed as instructed.
What did I just do?
Anything else I should do?
Thanks!
#29
Posted 19 May 2005 - 07:34 AM
Can you repeat the regsearch.vbs to see if we actually succeeded in removing those two subkeys?
Regards,
#30
Posted 19 May 2005 - 07:45 AM
Dr. Metallica,
Great news (I think)!
"No instances of drelkge789AEF5 found"
Thanks