Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Registry Spyware Infections [RESOLVED]

Started by sammyW , Jun 19 2005 09:21 PM

This topic is locked

#1
sammyW

Posted 19 June 2005 - 09:21 PM

Member

Member
44 posts

Hello,

I have just completed updated scans with,

panda antivirus
ewido security suit
TDS-3
microsoft antispyware
ad-aware
spybot sd
cwshredder

And I also monitor my system with,

spywareblaster
spywareguard

All of these scans came up clear, appart from a couple of cookies which were deleted.
My system is running great, but I wanted to do that panda online activescan. It came back with 4 infections. 2 of which were in windows, so I could delete them, however the other 2 were in the registry. How can I delete these? Thanks for any help!

Incident Status Location

Adware:Adware/XPlugin No disinfected Windows Registry

Adware:Adware/Admess No disinfected Windows Registry

#2
sammyW

Posted 19 June 2005 - 10:39 PM

Member

Topic Starter
Member
44 posts

Logfile of HijackThis v1.99.1
Scan saved at 2:39:30 PM, on 6/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sam White\Desktop\BackUp\Virus Gear\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....012/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114318117686
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15012/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe

#3
Excal

Posted 20 June 2005 - 11:06 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

http://www.billsway.com/vbspage/
Scroll down to

Registry Search Tool
Search the Windows Registry for input string and display results (easier than repeatedly hitting the F3 key in RegEdit).

Script revised 13 Dec 2001 to work with Windows XP and Windows 2000.

And download this program :tazz:

Open the RegSearch folder and double click RegSearch.vbs. Allow it to run.

enter XPlugin

RegSearch will "disappear" but it is actually searching the registry for that entry.

Also enter Admess after Xplugin is done.

Copy and paste what it finds into a Notepad file.

#4
sammyW

Posted 20 June 2005 - 11:15 PM

Member

Topic Starter
Member
44 posts

Thanks for the quick reply,

XPlugin:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "xplugin" 6/21/2005 3:12:51 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06DD38D3-D187-11CF-A80D-00C04FD74AD8}]
@="ActiveXPlugin Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06DD38D3-D187-11CF-A80D-00C04FD74AD8}\ProgID]
@="Microsoft.ActiveXPlugin.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06DD38D3-D187-11CF-A80D-00C04FD74AD8}\VersionIndependentProgID]
@="Microsoft.ActiveXPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA73301B7447A0000000000]
"eBookEBXPlugin"="Reader_Big_Features"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{02BF25D3-8C17-4B23-BC80-D3488ABDDC6B}]
@="IQTActiveXPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{02BF25D4-8C17-4B23-BC80-D3488ABDDC6B}]
@="DQTActiveXPluginEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06DD38D1-D187-11CF-A80D-00C04FD74AD8}]
@="IActiveXPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06DD38D2-D187-11CF-A80D-00C04FD74AD8}]
@="DActiveXPluginEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin]
@="ActiveXPlugin Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin\CurVer]
@="Microsoft.ActiveXPlugin.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin\NotInsertable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin.1]
@="ActiveXPlugin Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.ActiveXPlugin.1\NotInsertable]

"SearchAndIndex"="L+h^xgiT49H$l~o?JOg(fsuLwNQYa=QwFYM_nwbM$E(h*28T5=Ocg`@5_YDBwwc$b8,r[@nruGZf0P,UM$4GP`4ws=nuPFo$?CFBReader_Big_Features"
"eBookEBXPlugin"="K9{!GAXPX8HOdiUw?WM+Nz2cV.CQh?-,(s?@=7fkiUajX9'(,?bG)AME%.vn]m5Iyy7&,?vB5yd+X-ba}jouU'ygb8)RXq_u&z{pReader_Big_Features"

Admess:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "admess" 6/21/2005 3:13:56 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{1A6631C0-3EA2-11D1-AE01-006097C6A9AA}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{5555C2CD-17FB-11D1-85C4-00C04FC295EE}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}]
"$Function"="SoftpubLoadMessage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}]
"$Function"="SoftpubLoadMessage"

#5
Excal

Posted 20 June 2005 - 11:36 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Sammy,

I dont' see anything particular in there.

I think it would serve you well to clean your registry!

Please dowload: RegSeeker.
Click on "Clean The Registry" in the left panel.
Check all boxes (make sure the backup box in the lower left corner is selected!).
After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
Click "Quit RegSeeker".

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, then it's clean!

#6
Excal

Posted 20 June 2005 - 11:43 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi Sammy,

After your done with that, can you run this porgram and let me know the results.

Spybot S&D

Thanks,

:tazz:

Excal

#7
sammyW

Posted 20 June 2005 - 11:52 PM

Member

Topic Starter
Member
44 posts

Thanks alot Excal. That seem to solved my problems. Much appreciated!

#8
Excal

Posted 20 June 2005 - 11:55 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Outstanding

Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE

Spybot S&D

If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast

The following free programs are great for prevention:

SpywareBlaster 3.4

Spywareguard

IE/Spyad

A Firewall is a must! Here are 2 good free versions:

Sygate

ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox

Opera

This site is a great source for tightening up security on Internet Explorer settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

#9
Excal

Posted 20 June 2005 - 11:55 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.