Crazy Popups...AURORA and e.rn11.com



#16 Guest_thatman_* (Guest)
Hi DrUG411

Please read through the instructions before you start (you may want to print this out).

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
Click on Fix Checked when finished and exit HijackThis.

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
SaveNow Windows Registry
C:\Program Files\FwBarTemp
C:\Documents and Settings\Devi Phat\Favorites\Finances & Business
MyWebSearch Windows Registry


Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#17 DrUG411 (Topic Starter, Member, 20 posts)
Hello

I have the HJT Log. I deleted two of the files in Killbox.

I don't know how to find the other two in the Windows Registry, SaveNow and MyWebSearch, because I do not have a full location. How do I do that?

I will run Panda after I know how to remove those two files.

Thanks!

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 10:04:38 PM, on 05/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Devi Phat\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BDNewsAgent] c:\program files\softwin\bitdefender free edition\bdnagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=iehomepage&c=3C01&lc=6809
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115477304667
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...484/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

#18 Guest_thatman_* (Guest)
Hi DrUG411

Please read through the instructions before you start (you may want to print this out).

Read this Demystifying the Windows Registry

Most of the following registry entries will have been removed. You may find a number of reg keys for this SaveNow program, but they are harmless and are just leftovers.
Useless with no program to run.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Delete the ‘SaveNow’, ‘WhenUSave’, ‘WhenUSearch’ or ‘VVSN’ values. Reboot and you should be able to delete the ‘SaveNow’, ‘Save’, ‘WhenUSearch’, ‘WhenUSearchWHSE’ or ‘VVSN’ folder inside ‘Program Files’.

To remove the ActiveX objects installed by the Download and Db variants, open the ‘Downloaded Program Files’ folder inside the Windows folder, and delete the SaveNow object. The name of this is ‘WhenUDownload’ in the Download variant, ‘FC327B3F-377B-4CB7-8B61-27CD69816BC3’ in the Db variant, and ‘E2F2B9D0-96B9-4B25-B90C-636ECB207D18’ in the WUInst variant.

HKEY_CLASSES_ROOT\clsid\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_CLASSES_ROOT\clsid\{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}
HKEY_CLASSES_ROOT\clsid\{fee7fd53-3356-4d4d-8978-2c4ae3a7e109}
HKEY_CLASSES_ROOT\typelib\{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}
HKEY_CLASSES_ROOT\typelib\{fc327b3f-377b-4cb7-8b61-27cd69816bc3}
HKEY_CURRENT_USER\software\whenu
HKEY_LOCAL_MACHINE\software\classes\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
HKEY_LOCAL_MACHINE\software\classes\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader.1\clsid
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\clsid
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\curver
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\savenow\changed
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\savenow\slowinfocache
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\whenusearch\changed
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\whenusearch\slowinfocache
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/mirarsetup.exe\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/mirarsetup.exe\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sndbmark.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sndbmark.dll || {fc327b3f-377b-4cb7-8b61-27cd69816bc3}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sndbmark.dll\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/windmy.dll\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/windmy.dll\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\savenow
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\remove at boot 902
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\winnt\downloaded program files\conflict.1\sndbmark.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\winnt\downloaded program files\sndbmark.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\gdivx
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\savenow
HKEY_LOCAL_MACHINE\software\whenu
HKEY_LOCAL_MACHINE\software\whenusave\partners\wusv
HKEY_USERS\.default\software\whenu

Kc :tazz:

#19 DrUG411 (Topic Starter, Member, 20 posts)
Hey there!

You are right. I can't find any program called SaveNow. I have been searching the registry and I found one file. I will work on removing the rest later this evening.

I wanted to know if you have a suggestion on a registry clean up program that could get rid of anything that is leftover. I found some on Downloads.com, but I was not sure which one to use.

I forgot to tell you I love the Cleanup program; I cleaned out 1.7 GB on my other computer!!!

Thanks

P.S. I ran Panda Soft and only the SaveNow file is left.

#20 Guest_thatman_* (Guest)
Hi DrUG411

There will be some minor registry entries left behind by the uninstall, however these can be cleaned up by running SpyBot Search and Destroy or Ad-Aware SE or left alone.

RegScrubXP 3.25
Safely cleans junk out of the Windows 2000/XP system registry. All changes made to the registry are fully restorable to its original condition. You can make an exclusion list of registry entries that RegScrubXP will not display as problems. You can sift through a list of file extensions, company names, run upon startup programs, Internet Explorer history, and uninstall programs to delete what you think is junk. Tweak the registry with the easy to use tweaker! Additional Tips & Tweaks help file with dozens of XP tweaks! Users love it! Click a button to download (in the background) the latest updates from the Lexun Freeware web site! RegScrubXP is freeware! Pass it around! Give it to your friends! Fred Langa liked it better than any of the other registry cleaners, including jv16 power tools! Featured on TechTV in Australia! People are using it all over the world!

RegCleaner
RegCleaner is an easy to use program. With RegCleaner you can easily get rid of those old and obsolete registry entries created by software that you have destroyed ages ago. And by easily, I mean easily. You don't have to be any expert to use this program.

EasyCleaner
EasyCleaner is a small program which searches Windows' registry for entries that are pointing nowhere. Deleting these entries will speed your computer up. But as you already might know, deleting entries from the registry can be dangerous for your computer, so it is wise to make a backup of your registry. On my computer, deleting entries which were pointing nowhere sped my computer up! EasyCleaner also lets you delete all kinds of unnecessary files like temps, backups etc. You can search for duplicate files and you can view some interesting info about your disk space usage! ToniArts may not be held accountable in any way if EasyCleaner affects your computer in a negative way. Here's a list of some features:

Microsoft RegClean
2000/XP users read this first
RegClean analyzes Windows Registry keys that are stored in a common location in the Windows Registry. It finds keys that contain erroneous values, and after recording those entries in an UNDO.REG file, it removes them from the Windows Registry.
What RegClean Does:
RegClean analyzes Windows Registry keys that are stored in HKEY_CLASSES_ROOT in the Windows Registry. It finds keys that contain erroneous values, and after recording those entries in an Undo.reg file, it removes them from the Windows Registry.
What RegClean Does Not Do:
RegClean does not fix every known problem with the registry. It does not fix a corrupt registry; it is limited to fixing problems with normal Windows Registry entries located in HKEY_CLASSES_ROOT.
It is very possible that RegClean will not correct a problem that you have encountered. RegClean will leave any entries in the registry that it does not understand or that could possibly be correct.
The RegClean utility is no longer supported and has been removed from all Microsoft

WT RegCleanerXP
WT RegCleanerXP 1.0.1 - freeware utility for system registry cleanup, that can increase the speed of your PC. Due to the friendly interface, use of the program will not be difficult even for inexperienced users.
Attention: do not forget to make a backup copy of the registry (in any case), by choosing the necessary item in the menu of the program.

TweakNow RegCleaner
The Registry is the heart and soul of any Windows system. It contains information that controls how your Windows appears and how it behaves. Most applications today use the registry to store configuration and other important data. When you install an application, new registry entries will be created. These entries will automatically be deleted when you uninstall the application. Unfortunately, it does not always work that way. Sometimes, you will find that some applications fail to remove their own registry entries. These entries become obsolete.

After a long period, after installing and uninstalling a lot of applications, your Windows registry will contain a large number of obsolete entries.

Kc :tazz:

#21 DrUG411 (Topic Starter, Member, 20 posts)
Okay!

It took a long time to run all this stuff. I ran RegCleaner and RegScrubXP and I removed some old registry stuff.

Then I ran Webroot Spy Sweeper that I have on the computer.

Spy Sweeper Log

Spy Sweeper by Webroot 052305

11:15 PM: Removal process initiated
11:15 PM: Quarantining: ABCSearch
11:15 PM: File: c:\documents and settings\all users\application data\msw\msw_uninstall.exe
11:15 PM: File: c:\documents and settings\all users\application data\msw\link.bin
11:15 PM: File: c:\documents and settings\all users\application data\msw\link.dat
11:15 PM: File: c:\documents and settings\all users\application data\msw\user.dat
11:15 PM: Folder: c:\documents and settings\all users\application data\msw
11:15 PM: Quarantining: EliteBar
11:15 PM: Registry: HKEY_CURRENT_USER\software\lq
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run||checkrun
11:15 PM: Registry: HKEY_CURRENT_USER\software\lq||at
11:15 PM: Registry: HKEY_CURRENT_USER\software\lq||ac
11:15 PM: Registry: HKEY_CURRENT_USER\software\lq||tm
11:15 PM: Registry: HKEY_CURRENT_USER\software\lq||ad
11:15 PM: Quarantining: EliteBar SearchMiracle Hijacker
11:15 PM: Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main||search page
11:15 PM: Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main||search bar
11:15 PM: Quarantining: Fizzlebar
11:15 PM: File: c:\windows\system32\cache\dist006.exe
11:15 PM: Quarantining: Trojan-Downloader-BookedSpace
11:15 PM: File: c:\windows\system32\cache\bs51-egihsg51-va.exe
11:15 PM: Quarantining: WebSearch Toolbar
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw||displayname
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw||publisher
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw||uninstallstring
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw||urlinfoabout
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies
11:15 PM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc
11:15 PM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies||displayname
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies||uninstallstring
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies||publisher
11:15 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies||urlinfoabout
11:15 PM: Cleaning Traces
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies|| (urlinfoabout)
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies|| (uninstallstring)
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies|| (publisher)
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies|| (displayname)
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_esies
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw|| (urlinfoabout)
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw|| (uninstallstring)
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw|| (publisher)
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw|| (displayname)
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\wintools_adkw
11:15 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|| (checkrun)
11:15 PM: Replacing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main|| (search page) || (http://www.microsoft...=ie&ar=iesearch)
11:15 PM: Replacing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\main|| (search bar) || (http://ie.search.msn...st/srchasst.htm)
11:15 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (tm)
11:15 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (at)
11:15 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (ad)
11:15 PM: Removing registry: HKEY_CURRENT_USER\software\lq|| (ac)
11:15 PM: Removing registry: HKEY_CURRENT_USER\software\lq
11:15 PM: Removing file: c:\windows\system32\cache\bs51-egihsg51-va.exe
11:15 PM: Removing file: c:\windows\system32\cache\dist006.exe
11:15 PM: Removing file: c:\documents and settings\all users\application data\msw\user.dat
11:15 PM: Removing file: c:\documents and settings\all users\application data\msw\link.dat
11:15 PM: Removing file: c:\documents and settings\all users\application data\msw\link.bin
11:15 PM: Removing file: c:\documents and settings\all users\application data\msw\msw_uninstall.exe
11:15 PM: Folder: c:\documents and settings\all users\application data\msw
11:15 PM: Removal process completed. Elapsed time 00:00:14
6 items (26 traces) quarantined.


As you can see I got rid of some stuff. I have no clue where it keeps coming from and it changes between SaveNow and SearchTheWeb. I swear I am fighting a losing battle with this adware.

New HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 11:42:34 PM, on 05/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Devi Phat\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BDNewsAgent] c:\program files\softwin\bitdefender free edition\bdnagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=iehomepage&c=3C01&lc=6809
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115477304667
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...484/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


That YAHOO R1 keeps coming back. It must be my homepage; I have SBC DSL on this computer and YAHOO is the homepage, because each time I delete it...it just comes back.

PANDA ACTIVE SCAN


Incident Status Location

Adware:Adware/SearchTheWeb No disinfected Windows Registry
There is the SearchTheWeb registry entry I keep busting and it keeps returning. I did run two registry clean programs. I used your SaveNow one and did not find any of those registry keys, but after running the registry cleaners it was gone and replaced with this one. I also got rid of this program called Oejmi, some toolbar that I don't recall installing...it looked suspicious.

I hope that helps with my case. I am off to work! Thanks for everything you have been doing for me!

#22
DrUG411
P.S. can you give me a list like you did for SaveNow registry keys for the SearchTheWeb? Maybe I can go into the registry manually and find it.

#23
Guest_thatman_*
Hi DrUG411

Quote:

P.S. can you give me a list like you did for SaveNow registry keys for the SearchTheWeb? Maybe I can go into the registry manually and find it.

Yes I will, but I need some time to get the information.

Please read through the instructions before you start (you may want to print this out).

Please download and install Ad-Aware.
Check here on how to set up and use it; please make sure you update it first.
Run Ad-Aware SE.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab

Click on Fix Checked when finished and exit HijackThis.

a.) Copy the contents of the Quote Box below to Notepad.
b.) Save the file as RemoveTrustedZone.reg
c.) Change the Save as Type to All Files.
d.) Save this file to the desktop.

Quote:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]


e.) Double-click on RemoveTrustedZone.reg.
f.) When it asks you to merge the information to the registry click Yes.


Reboot as normal

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit the program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from the Panda virus scan and the HJT log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
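As an added example (not part of the thread, and not thatman's procedure), the following PowerShell script audits the two Internet Explorer zone-map locations the O15 lines and the RemoveTrustedZone.reg file above concern: it lists every domain-to-zone mapping under ZoneMap\Domains (the entries the .reg file wipes) and flags ProtocolDefaults values that put a protocol in the My Computer zone instead of the zone HijackThis expects. It is read-only; the zone numbers and the expected values are assumptions taken from the O15 lines in the log.

```powershell
# Added example: audit the IE ZoneMap settings that HijackThis reports as O15 items.
# Read-only: nothing is deleted or changed.

# Zone numbers used by Internet Settings (assumed, standard IE numbering):
# 0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Expected ProtocolDefaults, taken from the O15 lines in the log above
# ('@ivt' should be Intranet, the others should be Internet).
$ExpectedProtocols = @{ '@ivt' = 1; 'file' = 3; 'ftp' = 3; 'http' = 3; 'https' = 3 }

$Hives   = @('HKLM', 'HKCU')
$ZoneMap = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-ProtocolDefaultFindings {
    foreach ($hive in $Hives) {
        $path = "${hive}:\$ZoneMap\ProtocolDefaults"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path
        foreach ($name in $ExpectedProtocols.Keys) {
            $actual = $item.GetValue($name)
            if ($null -eq $actual) { continue }          # value absent: IE uses its built-in default
            if ([int]$actual -ne $ExpectedProtocols[$name]) {
                [pscustomobject]@{
                    Hive     = $hive
                    Protocol = $name
                    Actual   = $ZoneNames[[int]$actual]
                    Expected = $ZoneNames[$ExpectedProtocols[$name]]
                }
            }
        }
    }
}

function Get-ZoneMapDomains {
    foreach ($hive in $Hives) {
        $path = "${hive}:\$ZoneMap\Domains"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Each domain is a subkey (optionally with subdomain subkeys beneath it);
        # each value is named after a protocol (http, https, *) and holds the zone number.
        foreach ($key in Get-ChildItem -LiteralPath $path -Recurse) {
            $domain = $key.PSPath -replace '.*\\Domains\\', ''
            foreach ($valueName in $key.GetValueNames()) {
                [pscustomobject]@{
                    Hive     = $hive
                    Domain   = $domain
                    Protocol = $valueName
                    Zone     = $ZoneNames[[int]$key.GetValue($valueName)]
                }
            }
        }
    }
}

"== ProtocolDefaults that differ from the expected zone =="
Get-ProtocolDefaultFindings | Format-Table -AutoSize
"== Domain-to-zone mappings (the .reg file above removes all of these) =="
Get-ZoneMapDomains | Format-Table -AutoSize
```

Run it before and after applying the fix; a ProtocolDefaults finding that reappears after reboot points at something re-writing the key rather than at the .reg file, which only touches the Domains key.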

#24
DrUG411
What does that program Hoster do? What are the original hosts that I am restoring???

Thanks.

#25
Guest_thatman_*
Hi DrUG411

The Hoster will reset your hosts file back to the default setting and will remove the malware links that have been set up in your hosts file.
"O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone": this would also place a bad guy link in the hosts file.

Please continue the fix from my last post.

Kc :tazz:


#26
DrUG411
Hello

I have Ad-Aware and I ran it with the new definitions from 5.24.05 and I found nothing.

Then I used HJT to delete those files, but when I looked this morning all the O15 entries had returned and I tried to delete them a second time with no luck.

I added the REGEDIT4 file to the registry and I restored the settings of my hosts file using Hoster.

Here are the logs for HJT and Panda Activescan

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 9:46:18 PM, on 05/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Devi Phat\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BDNewsAgent] c:\program files\softwin\bitdefender free edition\bdnagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=iehomepage&c=3C01&lc=6809
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115477304667
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...484/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


Panda


Incident Status Location

Adware:Adware/SearchTheWeb No disinfected Windows Registry
This stupid SearchTheWeb is still floating around. I looked in the registry and I found a file with MSW which is what searchtheweb has for an alias. I removed that whole file and its registry keys. But I can't seem to get rid of it.

Last time two new adware popped up too...like Ebates Moneymaker and SaveNow. I swear I have no clue where they are coming from now...I haven't used this computer except to fix it.

Thanks for your time! Waiting for the next round!
:tazz:

#27
Guest_thatman_*
Hi DrUG411

Have a look for the items in the following folder:

C:\WINDOWS\All Users\Application Data\msw\BMan1.exe
C:\WINDOWS\All Users\Application Data\msw\BMan.exe
C:\WINDOWS\All Users\Application Data\msw\MSW.exe

If found, delete them.

Kc :tazz:

#28
DrUG411
Hey there

I was one step ahead of you. I went looking for those files and I could not find them.

You can not find those files through that path.

You can if you go to:

c:\documents and settings\all users\application data\msw\bman1.exe
c:\documents and settings\all users\application data\msw\bman.exe
c:\documents and settings\all users\application data\msw\msw.exe

Except I did not find anything there either.

So what's the next step?

#29
DrUG411
I wanted to tell you I ran Spy Sweeper again with an updated definition set and it found SearchWeb.

It listed two things to remove:

HKEY_Local_Machine\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000

HKEY_Local_Machine\system\currentcontrolset\enum\root\legacy_wintoolssvc

Spy Sweeper removed the second registry file but did not remove the first one. I used regedit to look at the file and I could not manually delete it. There was an error saying that CAN NOT DELETE 0000 THERE IS AN ERROR WHILE DELETING.

I don't know if this is what was causing all the problems.

#30
Guest_thatman_*
Hi DrUG411

The WinTools variant cannot be removed in the normal desktop because each of the three processes, plus a BHO, keep each other alive when you try to stop them. So you will need to use Safe Mode.

To get to Safe Mode, press the F8 key just as Windows is about to boot. If you use a multiboot system, this is the point where the boot menu appears; if not, just keep tapping F8 as the machine boots until the menu appears.

Open the registry (click 'Start', choose 'Run', enter 'regedit') and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. Select the subkey 'Run' and delete the 'WinTools' entry on the right. If there is still a 'TB_setup' or 'TBPS' entry here, delete that too.

Next, select the subkey 'Explorer\Browser Helper Objects', delete the whole subkey with the name '{87766247-311C-43B4-8499-3D5FEC94A183}'. Finally, find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and delete the WinToolsSvc subkey.

Also delete, under HKEY_CLASSES_ROOT\CLSID, the keys with the numbers {26E8361F-BCE7-4F75-A347-98C88B418322} and {87067F04-DE4C-4688-BC3C-4FCF39D609E7}. Inside HKEY_CLASSES_ROOT\PROTOCOLS, the Name-Space Handler\res\WToolsB.ResProtocol key can also go. Next, open Microsoft\Windows\CurrentVersion\Installer\UserData in HKEY_LOCAL_MACHINE\Software, and delete the 'AUI' and 'STO' subkeys, and the 'TUID' entry.
Reboot normally.

Kc :tazz:
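As an added example (not from the thread), this PowerShell script inventories the WinTools persistence points the post above names, plus the LEGACY_WINTOOLSSVC enum key from post #29, and reports which are still present, so the Safe Mode cleanup can be verified after the reboot. It is read-only; the process-name patterns come from the file names in post #27 and are an assumption.

```powershell
# Added example: inventory of the WinTools persistence points named in the post.
# Read-only: reports what is present; removal is done by hand in Safe Mode as described.

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$BhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$Installer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'

# HKCR has no drive by default, so those paths use the Registry:: provider prefix.
$Checks = @(
    @{ Kind = 'Value'; Path = $RunKey; Name = 'WinTools' }
    @{ Kind = 'Value'; Path = $RunKey; Name = 'TB_setup' }
    @{ Kind = 'Value'; Path = $RunKey; Name = 'TBPS' }
    @{ Kind = 'Key';   Path = "$BhoKey\{87766247-311C-43B4-8499-3D5FEC94A183}" }
    @{ Kind = 'Key';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinToolsSvc' }
    # The LEGACY_* enum key is ACL-protected, which is why regedit refused to delete it in post #29.
    @{ Kind = 'Key';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC' }
    @{ Kind = 'Key';   Path = 'Registry::HKEY_CLASSES_ROOT\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}' }
    @{ Kind = 'Key';   Path = 'Registry::HKEY_CLASSES_ROOT\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}' }
    @{ Kind = 'Key';   Path = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol' }
    @{ Kind = 'Key';   Path = "$Installer\AUI" }
    @{ Kind = 'Key';   Path = "$Installer\STO" }
    @{ Kind = 'Value'; Path = $Installer; Name = 'TUID' }
)

function Test-WinToolsPersistence {
    foreach ($c in $Checks) {
        # -LiteralPath is required because the CLSID braces are wildcard characters.
        $present = switch ($c.Kind) {
            'Key'   { Test-Path -LiteralPath $c.Path }
            'Value' { (Test-Path -LiteralPath $c.Path) -and
                      ($null -ne (Get-Item -LiteralPath $c.Path).GetValue($c.Name)) }
        }
        $location = if ($c.Kind -eq 'Value') { "$($c.Path) -> $($c.Name)" } else { $c.Path }
        [pscustomobject]@{ Present = $present; Kind = $c.Kind; Location = $location }
    }
}

# Processes that keep each other alive on the normal desktop (names assumed from post #27).
function Get-WinToolsProcesses {
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '^(msw|bman1?|wintools)' }
}

$results = Test-WinToolsPersistence
$results | Format-Table -AutoSize
$found = @($results | Where-Object Present).Count
"Persistence points still present: $found of $($Checks.Count)"
"Related processes running: $(@(Get-WinToolsProcesses).Count)"
```

A clean result is zero persistence points and zero related processes after the normal reboot; anything still listed is the place to look next.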