Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Winfixer & popups [RESOLVED]

Started by mpl , Aug 08 2005 09:13 AM

  • This topic is locked This topic is locked

#16
greyknight17
Posted 08 August 2005 - 09:03 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I don't see anything that could be blocking Trackqoo. I searched online and some say you might want to check Internet Explorer's java scripting to make sure it's enabled. So go into Internet Explorer->Tools->Internet Options->Security->Custom Level and see if Java scripting is enabled. It might be active scripting, but see if there's java scripting. Only enable the safe ones first. If it still won't work, try the unsafe also, but make sure to change the setting back immediately when you finish running Trackqoo.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete MwrFRXj5l

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete these:
Preview AdService
KavSvc - see if you can find this one, if you can't, I want you to restart and try again - this one hides from us sometimes :tazz:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ and delete qygsfttn

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Uninstall Preview AdService from the Add/Remove panel.

Delete these if found:

C:\Program Files\Preview AdService\
C:\WINDOWS\jledorkzoc.exe
C:\WINDOWS\RMAgentOutput.dll
C:\WINDOWS\svcproc.exe
C:\WINDOWS\system32\62i.dll
C:\WINDOWS\SYSTEM32\datadx.dll
C:\WINDOWS\System32\nkrgu.dll
maklrn.exe
sfcueng.exe

Download Hoster http://www.greyknigh.../spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK.
  • 0

Advertisements

#17
mpl
Posted 09 August 2005 - 07:00 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete MwrFRXj5l

Found and deleted.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete these:
Preview AdService Not found

KavSvc - see if you can find this one, if you can't, I want you to restart and try again - this one hides from us sometimes :tazz:   Not found (I did a registrey search also)

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ and delete qygsfttn Found and deleted.



Uninstall Preview AdService from the Add/Remove panel. Not found

Delete these if found:

C:\Program Files\Preview AdService\ Not found
C:\WINDOWS\jledorkzoc.exe Found and deleted
C:\WINDOWS\RMAgentOutput.dll  Found and deleted

C:\WINDOWS\svcproc.exe Found and deleted

C:\WINDOWS\system32\62i.dll Found and deleted

C:\WINDOWS\SYSTEM32\datadx.dllFound and deleted

C:\WINDOWS\System32\nkrgu.dll Not found

maklrn.exe Not found

sfcueng.exe Not found


Download Hoster http://www.greyknigh.../spy/Hoster.exe and run it.  Choose the 'Restore Original Hosts' button and press OK.

View Post


I'm unsure as to if I should run Hoster yet due to the fact that I still cannot provide you with a Trackqoo report...(I must be missing a legit file also) Let me know about this....

BTW still no popups....

Edited by mpl, 09 August 2005 - 07:02 AM.

  • 0

#18
mpl
Posted 09 August 2005 - 07:08 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
BTW,

I just found something suspect: C:\hWaitEventRetryInstall (no extension)

What's that?
  • 0

#19
greyknight17
Posted 09 August 2005 - 07:32 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, I just got a reply back and was told to check your assocations.

Go to Start->Run and type in:

assoc .vbs

and hit Enter. Does it return back:

.vbs=VBSFile

If not, please post back telling me that so I will give further instructions. Run Hoster now :tazz:

Upload that suspicious file in the C: drive to http://virusscan.jotti.org and see what it reports back. When was it created? And does it have a company and description name?
  • 0

#20
mpl
Posted 09 August 2005 - 08:06 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Regarding the suspect file, apparently it's nothing.

When I go to run "assoc .vbs" I get a "file not found" error....

I'm off to run Hoster, I'll be right back.
  • 0

#21
mpl
Posted 09 August 2005 - 08:09 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Ok I've run Hoster.exe and restored the original hosts files.
  • 0

#22
greyknight17
Posted 09 August 2005 - 08:15 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I knew it, I knew it.... :tazz: Actually another staff here told me to check this out...I knew about these associations but the light bulb never went off on my head until he told me ;)

OK, I think we got it now. Download this file and unzip it. Run that .bat file (I think it's a .bat file - just double click on it). It should open and close immediately.

Boot into Safe Mode. Give me a new WinPFind log - save it.

Restart and now try running Trackqoo :)

Post that log along with the WinPFind log and a new HijackThis log.
  • 0

#23
mpl
Posted 09 August 2005 - 08:16 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I'm getting popups again....... but not winfixer....yet.
  • 0

#24
mpl
Posted 09 August 2005 - 08:56 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I followed the instructions above but still get the same error with Trackqoo.

Here are the other logs.



Logfile of HijackThis v1.99.1
Scan saved at 10:53:02 AM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TWlrZQAA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\maklrn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\maklrn.exe reg_run
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk....ViewerSetup.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlrZQAA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/9/2005 9:06:04 AM 199680 C:\Hoster.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
web-nex 8/9/2005 10:17:14 AM 4114 C:\WINDOWS\knarj.dll
PECompact2 8/7/2005 12:39:32 PM 15582563 C:\WINDOWS\LPT$VPN.763
qoologic 8/7/2005 12:39:32 PM 15582563 C:\WINDOWS\LPT$VPN.763
SAHAgent 8/7/2005 12:39:32 PM 15582563 C:\WINDOWS\LPT$VPN.763
UPX! 6/25/2005 4:34:10 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 8/7/2005 12:39:32 PM 15582563 C:\WINDOWS\VPTNFILE.763
qoologic 8/7/2005 12:39:32 PM 15582563 C:\WINDOWS\VPTNFILE.763
SAHAgent 8/7/2005 12:39:32 PM 15582563 C:\WINDOWS\VPTNFILE.763
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 11/18/1996 9:15:28 PM 748160 C:\WINDOWS\SYSTEM32\CO2C40EN.DLL
PEC2 3/31/2003 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 9/3/2004 2:03:48 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 9/3/2004 2:03:48 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PEC2 7/11/1997 163384 C:\WINDOWS\SYSTEM32\ODBCJET.HLP
qoologic 9/27/2004 11:47:02 AM 6855506 C:\WINDOWS\SYSTEM32\pav.sig
aspack 9/27/2004 11:47:02 AM 6855506 C:\WINDOWS\SYSTEM32\pav.sig
SAHAgent 9/27/2004 11:47:02 AM 6855506 C:\WINDOWS\SYSTEM32\pav.sig
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
KavSvc 8/5/2005 6:24:48 AM 34816 C:\WINDOWS\SYSTEM32\ukeyroo.dll
69.59.186.63 8/5/2005 6:24:48 AM 34816 C:\WINDOWS\SYSTEM32\ukeyroo.dll
209.66.67.134 8/5/2005 6:24:48 AM 34816 C:\WINDOWS\SYSTEM32\ukeyroo.dll
testpopup 8/5/2005 6:24:48 AM 34816 C:\WINDOWS\SYSTEM32\ukeyroo.dll
web-nex 8/5/2005 6:24:48 AM 34816 C:\WINDOWS\SYSTEM32\ukeyroo.dll
yourkey 8/5/2005 6:24:48 AM 34816 C:\WINDOWS\SYSTEM32\ukeyroo.dll
winsync 3/31/2003 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder for system and hidden files within the last 60 days...
8/5/2005 10:37:52 AM 0 C:\WINDOWS\inf\oem10.inf
8/7/2005 3:31:16 PM 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_6.cab
6/24/2005 5:11:08 PM 23148 C:\WINDOWS\system32\Atmenuxx.GID
8/9/2005 9:29:50 AM 20602 C:\WINDOWS\system32\FFASTLOG.TXT
8/9/2005 10:29:26 AM 8192 C:\WINDOWS\system32\config\default.LOG
8/9/2005 10:30:00 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
8/9/2005 10:29:36 AM 16384 C:\WINDOWS\system32\config\SECURITY.LOG
8/9/2005 10:30:00 AM 65536 C:\WINDOWS\system32\config\software.LOG
8/9/2005 10:29:42 AM 806912 C:\WINDOWS\system32\config\system.LOG
8/7/2005 5:31:32 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\44c3d992-3e53-4dd4-b452-06d7f126d80c
8/7/2005 5:31:32 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/9/2005 9:47:48 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0b4b793a-3c8a-4366-9fe7-02a6b4680ef8
7/9/2005 9:47:48 AM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/5/2005 10:53:26 PM 192 C:\WINDOWS\Tasks\RUTASK.job
8/9/2005 10:28:34 AM 6 C:\WINDOWS\Tasks\SA.DAT
8/8/2005 6:46:00 AM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
8/8/2005 6:46:00 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
8/8/2005 6:46:12 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01URGHAZ\desktop.ini
8/8/2005 6:46:08 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0XYN377Y\desktop.ini
8/8/2005 6:46:04 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CX2FMF27\desktop.ini
8/8/2005 6:46:06 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YPANWDYB\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/18/2004 8:28:18 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp officejet 4100 series.lnk
9/18/2004 8:24:16 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
9/18/2004 9:19:22 PM 761 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
9/18/2004 9:19:12 PM 761 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Shortcut Bar.lnk
9/18/2004 9:19:12 PM 736 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
8/5/2005 9:54:14 PM 81920 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tadu.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/1/2005 11:23:54 AM 543 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
9/18/2004 10:31:32 PM 0 C:\Documents and Settings\Mike\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0E1230F8-EA50-42A9-983C-D22ABC2EED3B} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
KavSvc C:\WINDOWS\system32\maklrn.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/9/2005 10:44:45 AM
  • 0

#25
greyknight17
Posted 09 August 2005 - 08:58 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, just give me those logs (WinPFind - Safe Mode, and HijackThis and Trackqoo in Normal Mode).
  • 0

Advertisements

#26
mpl
Posted 09 August 2005 - 09:09 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I still cant run Trackqoo & assoc.vbs

I'm getting popups but not so frequently as before.
  • 0

#27
mpl
Posted 09 August 2005 - 09:37 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Also,

What is tadu.exe ? I tried to google it but no results.
  • 0

#28
greyknight17
Posted 09 August 2005 - 09:38 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
tadu.exe is one of the bad files we need to remove. It's just that there are a few of these that help regenerate each other if they are not removed properly.

OK, I guess we'll have to use some other program for now :tazz:

But before we let that go, can you run do this again:

Go to Start->Run and type in:

assoc .vbs

and hit Enter. Does it return back:

.vbs=VBSFile

I'll look into this further to see how we can fix this up so Trackqoo can run.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Right click on this link http://www.greyknigh...lO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete KavSvc

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop cmdService
sc delete cmdService
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Go to Start->Run and type in services.msc and hit OK. Then look for Command Service (cmdService) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Go into HijackThis->Config->Misc Tools->Delete an NT service and type in cmdService and hit OK.

Check and fix this in HijackThis:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\maklrn.exe reg_run
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlrZQAA\command.exe

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say No:

C:\WINDOWS\knarj.dll
C:\WINDOWS\SYSTEM32\ukeyroo.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tadu.exe
C:\WINDOWS\system32\maklrn.exe
C:\WINDOWS\TWlrZQAA\command.exe

Delete this folder if found -> C:\WINDOWS\TWlrZQAA\

Restart.

Download FindQoologic-Narrator.zip at http://forums.net-in...=post&id=134981 and save it to your Desktop. Create a new folder on your desktop (right click and select New->Folder) and call it FindQoologic. Now unzip the file contents of that zip file into that folder. Locate and double click the Find-Qoologic.bat file to run it. Wait until a text file opens and post that in your next reply along with a new HijackThis log and WinPFind log.
  • 0

#29
mpl
Posted 09 August 2005 - 10:18 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete KavSvc

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.


I cannot locate KavSvc in this registry. I also searched the registry for "KavSvc" and came up with nothing. Should I proceed with the other steps?
  • 0

#30
mpl
Posted 09 August 2005 - 10:26 AM

mpl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts

Go to Start->Run and type in services.msc and hit OK. Then look for Command Service (cmdService) and double click on it. Click on the Stop button and under Startup type, choose Disabled.



The Start, Stop, Pause & Resume buttons are not active so I just changed the Startup type to Disabled...
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP