Need help removing stuff that Ewido can't [RESOLVED]


This topic is locked

#1 david_s (Member, 25 posts)
A friend at church asked for help with their computer problems. I've done everything I know to do (and learned some new tricks from this forum), but I still can't quite beat their system's problems. Their system was infected with an amazing collection of viruses, spyware, trojans, etc. including CoolWebSearch.

So, here's what I did:

Ran CWShredder, AboutBuster, Ewido, Adaware, and a virus scan with TrendMicro's House Call.

Things are running much better now, but Ewido keeps reporting finding registry keys that it can't delete ("Error during cleaning").

I'll post my HijackThis and Ewido logs. First, here's my HijackThis log:

==========
Logfile of HijackThis v1.99.1
Scan saved at 6:58:50 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [System-Service] C:\WINDOWS\SYSTEM\EXPLORER.SCR
O4 - HKLM\..\Run: [autoupd] C:\WINDOWS\autoupd\autoupd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tvs_b] c:\Program Files\tvs\tvs_ln.exe
O4 - HKLM\..\Run: [Client ] C:\WINDOWS\system32\tscoeset.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [sys730] C:\WINDOWS\sys730.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{1B66344B-A60D-4D80-9239-298AB697650C}\SVCHOST.EXE
O4 - HKLM\..\Run: [03mi39e] msjctfrm.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\system32\Services\{1B66344B-A60D-4D80-9239-298AB697650C}\SECURITY.EXE
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...MetaStream3.cab
O16 - DPF: {11A4AEAA-4AE4-4EBA-BAB0-511B2CF8C062} - http://download.fami.....e Legends.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...ion/install.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast....SBFullSInst.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwa...uditControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O21 - SSODL: Security Access - {03E81FD0-0A8E-4817-83CF-744827A4E9E3} - C:\WINDOWS\system32\c_28csvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
==========

Here's my Ewido log:

==========
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:55:52 AM, 8/4/2005
+ Report-Checksum: 437C9FC2

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Error during cleaning
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\CSIE.CSIECore -> Spyware.ClearSearch : Error during cleaning
HKLM\SOFTWARE\Classes\F1.Organizer -> Spyware.VX2 : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginEvents -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginEvents\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginServer -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginServer\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript\Clsid -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\toolbar.IToolbarScriptClass -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\toolbar.ResProtocol -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\UnawareObj.UnawareObj -> Spyware.FlashTrack : Error during cleaning
HKLM\SOFTWARE\Classes\WebCom.WebBar -> Spyware.MediaMotor : Error during cleaning
HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Spyware.WebSearch : Error during cleaning


::Report End
==========

Note that since I'm now at work I won't have access to this system until tonight around 5:30 CDT.

Thanks for the help.
#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are listed below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4

; Regedit expects a blank line after the REGEDIT4 header. Lines starting with ";" are comments.
; A leading "-" inside the brackets deletes the key and everything beneath it, so the
; Dashboard line is already covered by the Altnet line above it (harmless, kept as posted).
[-HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Common.Buttons]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CSIE.CSIECore]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\F1.Organizer]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginConfig]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginDown]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginEvents]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginInst]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginServer]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.ToolbarScript]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\toolbar.IToolbarScriptClass]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\toolbar.ResProtocol]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UnawareObj.UnawareObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WebCom.WebBar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WToolsB.ResProtocol]


Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll (file missing)
O4 - HKLM\..\Run: [System-Service] C:\WINDOWS\SYSTEM\EXPLORER.SCR
O4 - HKLM\..\Run: [autoupd] C:\WINDOWS\autoupd\autoupd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tvs_b] c:\Program Files\tvs\tvs_ln.exe
O4 - HKLM\..\Run: [Client ] C:\WINDOWS\system32\tscoeset.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [sys730] C:\WINDOWS\sys730.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{1B66344B-A60D-4D80-9239-298AB697650C}\SVCHOST.EXE
O4 - HKLM\..\Run: [03mi39e] msjctfrm.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\system32\Services\{1B66344B-A60D-4D80-9239-298AB697650C}\SECURITY.EXE
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...MetaStream3.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...ion/install.cab
O21 - SSODL: Security Access - {03E81FD0-0A8E-4817-83CF-744827A4E9E3} - C:\WINDOWS\system32\c_28csvc.dll


Delete the following files/folders (delete the whole folder if no filename is specified), going by the directory shown (if none is given, just do a search for them), if they exist:

c:\Program Files\Fla\
C:\Program Files\Fln\
C:\WINDOWS\SYSTEM\EXPLORER.SCR
C:\WINDOWS\autoupd\
C:\Program Files\Viewpoint\
c:\Program Files\tvs\
C:\WINDOWS\system32\tscoeset.exe
C:\Program Files\Common Files\Java\flncpy.exe
C:\WINDOWS\sys730.exe
msjctfrm.exe
C:\WINDOWS\system32\Services\{1B66344B-A60D-4D80-9239-298AB697650C}\
C:\WINDOWS\system32\c_28csvc.dll


Restart and run a new HijackThis scan. Save the log file and post it here.
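The reply above builds delete.reg by hand from the scanner's "Error during cleaning" lines. The script below is an added example, not code from this thread and not a tool from ewido or HijackThis: it does the same mapping automatically, keeping only the failed registry entries, expanding the HKLM abbreviation to the full hive name regedit wants, dropping subkeys whose parent is already being removed (regedit deletes a key together with everything beneath it), and writing a REGEDIT4 file with the blank line the header requires. The sample report lines are copied from the first post, plus one constructed file-path line (marked as such) to show that non-registry objects are skipped; the function and table names are this example's own.

```python
"""Generate a REGEDIT4 deletion file from ewido 'Error during cleaning' lines.

Added example, not code from the original thread or from ewido. It does the
same mapping the reply did by hand, with the checks worth having.
"""
import re

# Constructed sample: report lines copied from the first post, plus one
# constructed non-registry line (a file, not a key) to show it is filtered out.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig\Clsid -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\sys730.exe -> Example.Constructed : Error during cleaning
"""

# Abbreviations the scanner prints -> full hive names a .reg file needs.
HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}

# Report line shape: "<object> -> <signature name> : <result>"
LINE_RE = re.compile(r"^(?P<obj>.+?) -> (?P<sig>\S+) : (?P<result>.+)$")


def failed_keys(report):
    """Registry keys the scanner could not delete, with full hive names."""
    keys = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("result") != "Error during cleaning":
            continue
        hive, sep, rest = m.group("obj").partition("\\")
        if hive.upper() not in HIVES:
            continue  # a file path or other object that is not a registry key
        keys.append(HIVES[hive.upper()] + sep + rest)
    return keys


def collapse(keys):
    """Drop keys that sit under another key in the list: regedit deletes a key
    together with everything below it, so listing the subkey is redundant."""
    kept = []
    for key in sorted(set(keys), key=str.lower):  # a parent sorts before its children
        if not any(key.lower().startswith(parent.lower() + "\\") for parent in kept):
            kept.append(key)
    return kept


def regedit4(keys):
    """Render a REGEDIT4 file: the header must be followed by a blank line,
    and a leading '-' inside the brackets means delete this key."""
    lines = ["REGEDIT4", ""]
    lines += ["[-%s]" % key for key in collapse(keys)]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Redirect to delete.reg, then merge it as the reply describes.
    print(regedit4(failed_keys(SAMPLE_REPORT)), end="")
```

A merge only succeeds where the account running regedit has delete rights on each key; if the import reports that not all data was written, the key's permissions are the next thing to look at.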

#3 david_s (Topic Starter, Member, 25 posts)
Thanks for the response. I'll follow those steps tonight when I get home and report the results back.

#4 david_s (Topic Starter)
It looks like I forgot to mention that my first HijackThis scan was in safe mode.

I've followed your instructions, and things look much better in safe mode. See 'hijackthis_safe.txt' for that log file.

Unfortunately, when booted in normal mode, things look worse (to me anyway). See 'hijackthis.txt' for that log file.

I've also included a Ewido log file, 'Scan_report_20050804_2.txt', run in normal mode. It found several things for that user, and also still reported those same registry keys it couldn't delete.

Thanks in advance for any help.


#5 greyknight17 (Malware Expert)
Hi, don't give me a HijackThis scan log in Safe Mode. That log won't be very useful to us. Only do the fixes in Safe Mode, never give us a HijackThis scan log in Safe Mode.

Whoa, what happened there? The log shows that your system did get worse, like you said. Make sure you give me the HijackThis log in Normal Mode from now on. My guess is that it was like this before but you were in Safe Mode which didn't show us the entries.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\ and delete Altnet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete ClientAX.ClientInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ and delete {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete Common.Buttons
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete CSIE.CSIECore
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete F1.Organizer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginConfig
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginDown
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginInst
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.PluginServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete TBPS.ToolbarScript
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete toolbar.IToolbarScriptClass
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete toolbar.ResProtocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete UnawareObj.UnawareObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete WebCom.WebBar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete WToolsB.ResProtocol


If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.


OK, I want you to do this first before we proceed any further (this will make it easier for you to do the fixing later, otherwise you might spend like 15 minutes or more just checking those off):

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

rem Save this as a .bat file (for example regRunkeys.bat). It exports the current
rem user's Run key to a text file, opens that file in Notepad, and cleans up after itself.
regedit /e c:\regRunKey.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
notepad c:\regRunKey.txt
rem Notepad has been closed at this point: remove the export by its full path,
rem then delete this batch file itself (%~f0 is its own full path) as the last step.
del c:\regRunKey.txt
del "%~f0"


Save the file as "regRunkeys". Make sure to save it with the quotes. Double click on it. A notepad file should open. I want you to copy and paste the contents of that notepad file here.

#6 david_s (Topic Starter)
Sorry about giving you the HijackThis log from safe mode, wasn't thinking correctly.

Tried deleting registry keys by hand, without much luck. For instance, down in HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard there is a key called 'Messages'. I can't delete it. When I try to look at it I get "Cannot open Messages: Error while opening key". When I select Permissions, I get "You do not have permission to view the current permission setting for Messages, but you can make permission changes." So, I use the Advanced tab to add Administrators with full control, but then when I apply it says "Unable to save permission changes on Messages: Access is denied".


Here's the output of regRunKeys:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"fippatv"="c:\\windows\\ldlomwm.exe"
"wupdate"="C:\\WINDOWS\\system32\\wi32.exe"
"pucnwsl"="c:\\windows\\ldlomwm.exe"
"hiyrrly"="c:\\windows\\ldlomwm.exe"
"dhpnwik"="c:\\windows\\oasstgu.exe"
"iuuyhtu"="c:\\windows\\oasstgu.exe"
"dgastwx"="c:\\windows\\oasstgu.exe"
"cgttnqa"="c:\\windows\\oasstgu.exe"
"xsrypke"="c:\\windows\\oasstgu.exe"
"irgiubt"="c:\\windows\\oasstgu.exe"
"utxylhv"="c:\\windows\\tnpuocm.exe"
"kicwguw"="c:\\windows\\tnpuocm.exe"
"enndwgm"="c:\\windows\\drogwfj.exe"
"sys730"="C:\\WINDOWS\\sys730.exe"
"poixyya"="c:\\windows\\drogwfj.exe"
"jqkhsyq"="c:\\windows\\drogwfj.exe"
"aayqjdr"="c:\\windows\\drogwfj.exe"
"rptyrws"="c:\\windows\\djqijet.exe"
"yfdreof"="c:\\windows\\djqijet.exe"
"bkbnggw"="c:\\windows\\djqijet.exe"
"atfdqpw"="c:\\windows\\djqijet.exe"
"bnwjfir"="c:\\windows\\djqijet.exe"
"vvsqmeb"="c:\\windows\\djqijet.exe"
"kqkjrfw"="c:\\windows\\djqijet.exe"
"qjcefvy"="c:\\windows\\wopqcam.exe"
"pomiydt"="c:\\windows\\wopqcam.exe"
"cnketao"="c:\\windows\\wopqcam.exe"
"tardmvp"="c:\\windows\\wopqcam.exe"
"qpjdnlw"="c:\\windows\\wopqcam.exe"
"vvwsnfx"="c:\\windows\\wopqcam.exe"
"crvdpfk"="c:\\windows\\wopqcam.exe"
"axqgvss"="c:\\windows\\wopqcam.exe"
"fcwcypk"="c:\\windows\\wopqcam.exe"
"lqrqqlv"="c:\\windows\\wopqcam.exe"
"mmstyxa"="c:\\windows\\wopqcam.exe"
"lvbsyhg"="c:\\windows\\bdxnvaf.exe"
"wyyqqqh"="c:\\windows\\bdxnvaf.exe"
"tiioiak"="c:\\windows\\bdxnvaf.exe"
"khnsaja"="c:\\windows\\bdxnvaf.exe"
"qymojnm"="c:\\windows\\bdxnvaf.exe"
"ecgwxwi"="c:\\windows\\bdxnvaf.exe"
"mtbendd"="c:\\windows\\qootkqm.exe"
"uajwojm"="c:\\windows\\qootkqm.exe"
"xquphtg"="c:\\windows\\qootkqm.exe"
"cqpdgkw"="c:\\windows\\qootkqm.exe"
"okhghlw"="c:\\windows\\qootkqm.exe"
"xpcknri"="c:\\windows\\gkvmrhg.exe"
"ojrjwgf"="c:\\windows\\gkvmrhg.exe"
"nwmjywy"="c:\\windows\\gkvmrhg.exe"
"lfyihfx"="c:\\windows\\gkvmrhg.exe"
"cmcgrpq"="c:\\windows\\gkvmrhg.exe"
"ljsfwcc"="c:\\windows\\gkvmrhg.exe"
"sloaers"="c:\\windows\\gkvmrhg.exe"
"vuhjxph"="c:\\windows\\gkvmrhg.exe"
"ukhxwxc"="c:\\windows\\gkvmrhg.exe"
"uvehlun"="c:\\windows\\gkvmrhg.exe"
"eiuumva"="c:\\windows\\gkvmrhg.exe"
"oamrxrg"="c:\\windows\\uihprnl.exe"
"rfawarc"="c:\\windows\\uihprnl.exe"
"ouhtgpw"="c:\\windows\\uihprnl.exe"
"kmemvof"="c:\\windows\\uihprnl.exe"
"fnbpasd"="c:\\windows\\uihprnl.exe"
"mymssig"="c:\\windows\\uihprnl.exe"
"ffssbdt"="c:\\windows\\uihprnl.exe"
"iwdnyjx"="c:\\windows\\uihprnl.exe"
"oartqto"="c:\\windows\\uihprnl.exe"
"odudgmy"="c:\\windows\\uihprnl.exe"
"opaflxn"="c:\\windows\\uihprnl.exe"
"gyjuqrn"="c:\\windows\\uihprnl.exe"
"vsbmtbf"="c:\\windows\\uihprnl.exe"
"dvbogbc"="c:\\windows\\uihprnl.exe"
"qwsorps"="c:\\windows\\uihprnl.exe"
"hcngalu"="c:\\windows\\jbnjuae.exe"
"wrjppyx"="c:\\windows\\jbnjuae.exe"
"utodnjd"="c:\\windows\\jbnjuae.exe"
"xxwcbxa"="c:\\windows\\jbnjuae.exe"
"owjjoue"="c:\\windows\\jbnjuae.exe"
"wfvljle"="c:\\windows\\jbnjuae.exe"
"qnigqdf"="c:\\windows\\jbnjuae.exe"
"ypdovey"="c:\\windows\\jbnjuae.exe"
"qklxoqe"="c:\\windows\\jbnjuae.exe"
"oyarlpj"="c:\\windows\\jbnjuae.exe"
"eabewli"="c:\\windows\\jbnjuae.exe"
"hhcjgjd"="c:\\windows\\jbnjuae.exe"
"cmlukpi"="c:\\windows\\jbnjuae.exe"
"kmsealy"="c:\\windows\\ujjkxad.exe"
"kxattsj"="c:\\windows\\ujjkxad.exe"
"mankrso"="c:\\windows\\ujjkxad.exe"
"gfmrrpp"="c:\\windows\\ujjkxad.exe"
"jupaifu"="c:\\windows\\ujjkxad.exe"
"frtawkw"="c:\\windows\\fakhuwu.exe"
"yfvpdim"="c:\\windows\\fakhuwu.exe"
"cqyccms"="c:\\windows\\fakhuwu.exe"
"bsnibbc"="c:\\windows\\fakhuwu.exe"
"byxcjvu"="c:\\windows\\fakhuwu.exe"
"btdrfgg"="c:\\windows\\lgbkgoi.exe"
"qbaktff"="c:\\windows\\lgbkgoi.exe"
"urmnssg"="c:\\windows\\lgbkgoi.exe"
"kulrnkr"="c:\\windows\\lgbkgoi.exe"
"valwnyj"="c:\\windows\\lgbkgoi.exe"
"ovgsmac"="c:\\windows\\lgbkgoi.exe"
"gfrvmbb"="c:\\windows\\lgbkgoi.exe"
"nkvcqrk"="c:\\windows\\lgbkgoi.exe"
"xqdetbd"="c:\\windows\\lgbkgoi.exe"
"qedntge"="c:\\windows\\lgbkgoi.exe"
"kubjtbh"="c:\\windows\\lgbkgoi.exe"
"pibiihl"="c:\\windows\\lgbkgoi.exe"
"vkuoqfm"="c:\\windows\\lgbkgoi.exe"
"otyewwp"="c:\\windows\\ukeexxp.exe"
"wupd"="C:\\WINDOWS\\system32\\symcsvc.exe"
"uoghrgs"="c:\\windows\\ukeexxp.exe"
"dgbkmen"="c:\\windows\\ukeexxp.exe"
"yhljifu"="c:\\windows\\ukeexxp.exe"
"clehgbe"="c:\\windows\\ukeexxp.exe"
"bbfftfi"="c:\\windows\\ukeexxp.exe"
"sdacwht"="c:\\windows\\ukeexxp.exe"
"rwxurli"="c:\\windows\\ukeexxp.exe"
"owqxsho"="c:\\windows\\ukeexxp.exe"
"lobrkja"="c:\\windows\\ukeexxp.exe"
"bjuarur"="c:\\windows\\ukeexxp.exe"
"brhuooj"="c:\\windows\\ukeexxp.exe"
"tmchnvp"="c:\\windows\\ukeexxp.exe"
"pvcrdps"="c:\\windows\\ukeexxp.exe"
"hliboht"="c:\\windows\\ukeexxp.exe"
"akwyalj"="c:\\windows\\ukeexxp.exe"
"ilgmeli"="c:\\windows\\ukeexxp.exe"
"elrefwp"="c:\\windows\\ukeexxp.exe"
"aiptpca"="c:\\windows\\ukeexxp.exe"
"qyndnrb"="c:\\windows\\ukeexxp.exe"
"yydepsu"="c:\\windows\\ukeexxp.exe"
"dieawmc"="c:\\windows\\ukeexxp.exe"
"tosanjb"="c:\\windows\\ukeexxp.exe"
"vknlhqg"="c:\\windows\\ukeexxp.exe"
"dnqdvie"="c:\\windows\\ukeexxp.exe"
"lqsmyyr"="c:\\windows\\ukeexxp.exe"
"lnsqlma"="c:\\windows\\ukeexxp.exe"
"mlnxsuv"="c:\\windows\\ukeexxp.exe"
"hysciyn"="c:\\windows\\ukeexxp.exe"
"lccrknn"="c:\\windows\\utvmbqt.exe"
"ldtqnwr"="c:\\windows\\utvmbqt.exe"
"sugkjja"="c:\\windows\\utvmbqt.exe"
"vvhbxlb"="c:\\windows\\utvmbqt.exe"
"rcbeeoq"="c:\\windows\\utvmbqt.exe"
"emrelpo"="c:\\windows\\utvmbqt.exe"
"tdimjdg"="c:\\windows\\utvmbqt.exe"
"frykghx"="c:\\windows\\utvmbqt.exe"
"qrfuwsn"="c:\\windows\\utvmbqt.exe"
"tmdpekd"="c:\\windows\\utvmbqt.exe"
"ixfsahv"="c:\\windows\\utvmbqt.exe"
"tevlbap"="c:\\windows\\utvmbqt.exe"
"tulrvbx"="c:\\windows\\utvmbqt.exe"
"xtnxyfa"="c:\\windows\\utvmbqt.exe"
"jevdgbk"="c:\\windows\\utvmbqt.exe"
"oxtqodx"="c:\\windows\\vchjqfq.exe"
"yjyqvbi"="c:\\windows\\vchjqfq.exe"
"uuqqwpa"="c:\\windows\\vchjqfq.exe"
"gyyevas"="c:\\windows\\vchjqfq.exe"
"aqlsmgr"="c:\\windows\\vchjqfq.exe"
"ypurduo"="c:\\windows\\vchjqfq.exe"
"mdpbiwr"="c:\\windows\\vchjqfq.exe"
"dakuqtg"="c:\\windows\\vchjqfq.exe"
"slocnsd"="c:\\windows\\vchjqfq.exe"
"wigtcbu"="c:\\windows\\vchjqfq.exe"
"dyafmvr"="c:\\windows\\vchjqfq.exe"
"hqjhsbi"="c:\\windows\\vchjqfq.exe"
"ldngmgl"="c:\\windows\\vchjqfq.exe"
"tgdrjsj"="c:\\windows\\vchjqfq.exe"
"nyfovqn"="c:\\windows\\vchjqfq.exe"
"ubcjiof"="c:\\windows\\vchjqfq.exe"
"yijkrmn"="c:\\windows\\vchjqfq.exe"
"vixpjnj"="c:\\windows\\vchjqfq.exe"
"bbcpffp"="c:\\windows\\vchjqfq.exe"
"xrnlywh"="c:\\windows\\vchjqfq.exe"
"iahoqud"="c:\\windows\\vchjqfq.exe"
"roygent"="c:\\windows\\vchjqfq.exe"
"stjmpwp"="c:\\windows\\vchjqfq.exe"
"thusuux"="c:\\windows\\yuyaskl.exe"
"yxpmaoc"="c:\\windows\\yuyaskl.exe"
"atfasxi"="c:\\windows\\yuyaskl.exe"
"kvqatpa"="c:\\windows\\yuyaskl.exe"
"rmqehsm"="c:\\windows\\yuyaskl.exe"
"jjfmohb"="c:\\windows\\yuyaskl.exe"
"lpefacd"="c:\\windows\\yuyaskl.exe"
"oyybesh"="c:\\windows\\yuyaskl.exe"
"dldnorc"="c:\\windows\\yuyaskl.exe"
"shbjemo"="c:\\windows\\yuyaskl.exe"
"iksnybe"="c:\\windows\\yuyaskl.exe"
"knuewsl"="c:\\windows\\yuyaskl.exe"
"fetfafj"="c:\\windows\\yuyaskl.exe"
"khkiiyu"="c:\\windows\\yuyaskl.exe"
"uarxgbc"="c:\\windows\\yuyaskl.exe"
"fgopeif"="c:\\windows\\yuyaskl.exe"
"laavayk"="c:\\windows\\yuyaskl.exe"
"ebmytly"="c:\\windows\\yuyaskl.exe"
"pfyfbjs"="c:\\windows\\yuyaskl.exe"
"hxihouk"="c:\\windows\\yuyaskl.exe"
"cnrqdoo"="c:\\windows\\yuyaskl.exe"
"ibxuqqo"="c:\\windows\\yuyaskl.exe"
"hnjqiha"="c:\\windows\\yuyaskl.exe"
"bdpdbsu"="c:\\windows\\yuyaskl.exe"
"fpayirc"="c:\\windows\\yuyaskl.exe"
"atsrqcj"="c:\\windows\\yuyaskl.exe"
"geggdbr"="c:\\windows\\yuyaskl.exe"
"khbriyp"="c:\\windows\\yuyaskl.exe"
"vkxpews"="c:\\windows\\yuyaskl.exe"
"jivcgyb"="c:\\windows\\yuyaskl.exe"
"byhhots"="c:\\windows\\yuyaskl.exe"
"qpblvsh"="c:\\windows\\yuyaskl.exe"
"laekxon"="c:\\windows\\yuyaskl.exe"
"orvwtjt"="c:\\windows\\yuyaskl.exe"
"omysfkl"="c:\\windows\\yuyaskl.exe"
"yxmhgif"="c:\\windows\\yuyaskl.exe"
"pqnnyyo"="c:\\windows\\yuyaskl.exe"
"dkojuwa"="c:\\windows\\yuyaskl.exe"
"fpnndqt"="c:\\windows\\yuyaskl.exe"
"jukwhei"="c:\\windows\\yuyaskl.exe"
"tpxyryl"="c:\\windows\\yuyaskl.exe"
"fqyaetd"="c:\\windows\\yuyaskl.exe"
"bvjjcwe"="c:\\windows\\yuyaskl.exe"
"wcjcaeb"="c:\\windows\\jgngugq.exe"
"yailcur"="c:\\windows\\jgngugq.exe"
"uyemgwv"="c:\\windows\\uiponbu.exe"
"joyweim"="c:\\windows\\lvmgybs.exe"
"iiekhvb"="c:\\windows\\lvmgybs.exe"
"aeafthx"="c:\\windows\\lvmgybs.exe"
"xpmlsvd"="c:\\windows\\lvmgybs.exe"
"rtffisr"="c:\\windows\\lvmgybs.exe"
"apsvacs"="c:\\windows\\lvmgybs.exe"
"xkjcibn"="c:\\windows\\lvmgybs.exe"
"bpdioxk"="c:\\windows\\lvmgybs.exe"
"wohxogx"="c:\\windows\\lvmgybs.exe"
"noxfrjr"="c:\\windows\\lvmgybs.exe"
"neeocnc"="c:\\windows\\lvmgybs.exe"
"iuibshk"="c:\\windows\\lvmgybs.exe"
"duvvgqw"="c:\\windows\\lvmgybs.exe"
"vtuauoy"="c:\\windows\\lvmgybs.exe"
"egpfsex"="c:\\windows\\lvmgybs.exe"
"jkoflut"="c:\\windows\\lvmgybs.exe"
"emnotlp"="c:\\windows\\lvmgybs.exe"
"rppngeh"="c:\\windows\\lvmgybs.exe"
#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, for those registry deletions you just tried deleting in BLUE, I want you to get a program to do it if any other entries are giving you problems. Download RegLite and install it. Run it and all you have to do is put the full path of the registry entry. So for example, for the first one copy and paste this into the address field:

HKEY_LOCAL_MACHINE\SOFTWARE\

and hit the Go button. Try deleting the Altnet entry. If it gives you problems, right click on it and try changing the permission through there. Try deleting again. Repeat this for any other entries that are giving you problems.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

c:\windows\ahwdiwt.exe
c:\windows\bdxnvaf.exe
c:\windows\bttlwjc.exe
c:\windows\cktmese.exe
c:\windows\djqijet.exe
c:\windows\drogwfj.exe
c:\windows\drogwfj.exe
c:\windows\eyhlaup.exe
c:\windows\fakhuwu.exe
c:\windows\gkvmrhg.exe
c:\windows\jbnjuae.exe
c:\windows\jgngugq.exe
c:\windows\ldlomwm.exe
c:\windows\ldlomwm.exe
c:\windows\lgbkgoi.exe
c:\windows\lrebvvk.exe
c:\windows\ltpktgh.exe
c:\windows\lvmgybs.exe
c:\windows\oasstgu.exe
c:\windows\qootkqm.exe
c:\windows\quimoop.exe
c:\windows\rtewlvs.exe
C:\WINDOWS\sys730.exe
C:\WINDOWS\system32\symcsvc.exe
C:\WINDOWS\system32\wi32.exe
c:\windows\tnpuocm.exe
c:\windows\udsmfsf.exe
c:\windows\uihprnl.exe
c:\windows\uiponbu.exe
c:\windows\ujjkxad.exe
c:\windows\ukeexxp.exe
c:\windows\ukeexxp.exe
c:\windows\utvmbqt.exe
c:\windows\vchjqfq.exe
c:\windows\wopqcam.exe
c:\windows\xonhqky.exe
c:\windows\yodcmvs.exe
c:\windows\yuyaskl.exe


Check and fix these in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {A4874B04-26DC-45E7-B0E8-9DA757CB5449} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4874B04-26DC-45E7-B0E8-9DA757CB5449} - (no file) (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast....SBFullSInst.cab


After all that's done, restart and post a new HijackThis log.
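Worked example, added here and not part of the thread: a Python script that triages a Run-key export like the one posted above, counts how many values point at each executable, flags the random seven-letter names, and emits the same kind of REGEDIT4 cleanup script greyknight17 uses (delete the key, then re-add only the entries worth keeping). The sample export, the seven-letter heuristic and the function names are constructed for this example.

```python
import re
from collections import Counter

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample in the shape of the export posted in the thread: random
# seven-letter value names pointing at random .exe files directly under C:\Windows.
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qpgkhli"="c:\\windows\\lvmgybs.exe"
"ccirnvx"="c:\\windows\\lvmgybs.exe"
"jgccxwd"="c:\\windows\\lrebvvk.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
RANDOM_STEM = re.compile(r"^[a-z]{7}$")  # naming pattern seen in the thread (heuristic)

def unescape(s):
    # .reg string escaping: a backslash protects the following character
    return re.sub(r"\\(.)", r"\1", s)

def escape(s):
    # inverse of unescape: double the backslashes first, then escape quotes
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_run_values(text):
    """Return [(value_name, data)] for every "name"="data" line, unescaped."""
    out = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            out.append((unescape(m.group(1)), unescape(m.group(2))))
    return out

def target_exe(data):
    """Executable path from Run data: either "quoted path" args or a bare path."""
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    m = re.match(r"(\S+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]

def is_suspicious(name, exe):
    """Random seven-letter value name, or a random seven-letter .exe directly in the Windows folder."""
    folder, _, base = exe.lower().rpartition("\\")
    stem = base[:-4] if base.endswith(".exe") else base
    random_exe = folder == "c:\\windows" and bool(RANDOM_STEM.match(stem))
    return random_exe or bool(RANDOM_STEM.match(name))

def triage(text):
    """Split values into keep/remove and count values per target executable."""
    keep, remove, per_exe = {}, {}, Counter()
    for name, data in parse_run_values(text):
        exe = target_exe(data)
        if is_suspicious(name, exe):
            remove[name] = exe
            per_exe[exe.lower()] += 1  # sorted(per_exe) is the file list for KillBox
        else:
            keep[name] = data
    return keep, remove, per_exe

def cleanup_reg(text):
    """REGEDIT4 script as used in the thread: delete the whole Run key, re-create it with the keepers."""
    keep, _, _ = triage(text)
    lines = ["REGEDIT4", f"[-{RUN_KEY}]", f"[{RUN_KEY}]"]
    lines += [f'"{escape(n)}"="{escape(d)}"' for n, d in keep.items()]
    return "\n".join(lines) + "\n"
```

On a real export, review the `remove` set by hand before merging the script; the heuristic only encodes the pattern visible in this thread.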
#8
david_s

    Member

  • Topic Starter
  • Member
  • 25 posts
I downloaded RegLite and started deleting those registry keys by hand. I then realized that those keys were owned by one of the other users of the computer (and administrator had no access to those keys), so I logged in as the other user and ran ewido. Ewido had no trouble deleting those keys as that user.

I cleared out 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' and ran KillBox.

I then fixed the things requested in HijackThis.

I then made similar changes in the other user accounts on the computer.

Everything looks pretty good now (I believe). I'm posting 4 logs, one for each account (except for administrator) on the computer. The '_p' log is the user account I showed you in previous posts. The '_s' log is from the user account who owned the registry keys I couldn't delete earlier.

Thanks again for all your help.

#9
david_s

    Member

  • Topic Starter
  • Member
  • 25 posts
I can also report that Ewido doesn't find anything on all 4 accounts.
#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, it seems like the _s user account is responsible for all of this. The last two had some remnants of this but not much. So from now on (until I mention something different), I want you to login to the _s account to do the scans and fixes.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs already - Ad-aware, Spybot and Microsoft AntiSpyware. If you didn't, do them now. For more information, go to http://www.greyknigh...com/spyware.htm

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKCU\..\Run: [H05sRVK8V] rasetmgr.exe
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\system32\wi32.exe
O4 - HKCU\..\Run: [sys730] C:\WINDOWS\sys730.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\symcsvc.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\symcsvc.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

rasetmgr.exe
C:\WINDOWS\system32\wi32.exe
C:\WINDOWS\sys730.exe
C:\WINDOWS\system32\symcsvc.exe


Run Ewido scan and save the log.

Restart and run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. Also run Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart and run a new HijackThis scan. Save the log file and post it here along with the virus scan logs (Panda, Ewido).
#11
david_s

    Member

  • Topic Starter
  • Member
  • 25 posts
I've attached a HijackThis log from the _s account.

However, I couldn't do the TrendMicro or Panda scans. IE is acting really odd. If I hit the "scan" button on either, nothing happens (which is odd, since I've used TrendMicro during this process). In addition, if I hit Help\About, the version field is blank. Also, if I try to go to "Windows Update" I just get a blank screen.

I tried to download IE6sp1, but it said I already had a newer version installed.

Got any ideas? I'm beginning to think reloading this system is the real answer.

Thanks again for all your help.

#12
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Try this:

Go to Start->Run and type in regsvr jscript.dll and hit OK. See if it registers it. See if Windows Update works now.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
#13
david_s

    Member

  • Topic Starter
  • Member
  • 25 posts
After running "regsvr32 jscript.dll", Windows Update works correctly!

I ran a TrendMicro HouseCall scan and it found a few spyware items that it cleaned. I can try to post the HTML log tonight if you'd like to see it.

I tried to run the PandaSoftware ActiveScan, but it wouldn't run. I hit "scan my pc", told it to install the ActiveX control, but it then sat there overnight. Got any ideas there?

I'll go through the Anti-Spyware Tutorial tonight.

Thanks again for all your help.
#14
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Great :tazz:

Try downloading this file and install it. Then try running Panda again.

No need for the HouseCall log. It's ok if it's cleaned. Just give me Panda if you want me to take a look at it.

If it's all clear, I will close this topic.
#15
david_s

    Member

  • Topic Starter
  • Member
  • 25 posts
Grr. Still no luck on Panda. I downloaded and ran the vb6 dlls, but nothing changed.

I searched around and found another guy with a similar problem that re-registered jscript.dll and vbscript.dll.

I tried re-registering those 2 dlls. vbscript.dll registered correctly, but jscript.dll gets an error 0x80004005 (which is odd since jscript.dll registered fine in an earlier step we did).

Perhaps another clue is the file search window is blank (except for the annoying search assistant)?

Got any ideas?