Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Winfixer2005 problem [resolved]

Started by mlese , Oct 29 2005 01:57 PM

This topic is locked

#31
mlese

Posted 11 November 2005 - 06:22 PM

Member

Topic Starter
Member
32 posts

Here's my latest Ewido log: It still appears that there was a problem cleaning Virtumonde.

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:15:01 PM, 11/11/2005
+ Report-Checksum: 855BEE9

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Error during cleaning
C:\Documents and Settings\Admin\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\[email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\N4TJY1NF\mm[2].js -> Spyware.Chitika : Cleaned with backup

::Report End

#32
g2i2r4

Posted 12 November 2005 - 12:16 PM

retired HiJack Helper

Retired Staff
5,080 posts

Copy the red text below to notepad.
Save it as fix.reg to your desktop.
Ensure the "Save as" type is set to "all files"

Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

***

Please rerun Ewido to see if it's clean now.

#33
mlese

Posted 12 November 2005 - 09:01 PM

Member

Topic Starter
Member
32 posts

I did what you suggested. Here's the Ewido file. I'm thinking that it looks good. However, my computer is very very slow now, even when I'm not connecting to the Internet. Any ideas??? Thanks. ALSO, I ran microsoft antispyware after Ewido. According to that report, virtumonde is still on the computer (related to the msevents, which is what you had cleaned in my registry.... I'll attach a copy of that report too. I'm sure you understand what's going on here, because I certainly don't. What is MsEvents??? Thanks again. (And sorry this is taking so much of your time!!)

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:53:47 PM, 11/12/2005
+ Report-Checksum: B054DE98

+ Scan result:

C:\Documents and Settings\Admin\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup

::Report End

Spyware Scan Details
Start Date: 11/12/2005 9:03:54 PM
End Date: 11/12/2005 9:17:41 PM
Total Time: 13 mins 47 secs

Detected Threats

Virtumondo Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1 MSEvents Object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CLSID {8DBF02DA-4360-4A7E-BEA1-347B87816327}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CurVer MSEvents.MSEvents.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents MSEvents Object
HKEY_CLASSES_ROOT\MSEvents.MSEvents\CLSID {8DBF02DA-4360-4A7E-BEA1-347B87816327}
HKEY_CLASSES_ROOT\MSEvents.MSEvents\CurVer MSEvents.MSEvents.1
HKEY_CLASSES_ROOT\MSEvents.MSEvents MSEvents Object
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1\CLSID {8DBF02DA-4360-4A7E-BEA1-347B87816327}
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 MSEvents Object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\CLSID {8DBF02DA-4360-4A7E-BEA1-347B87816327}

Detected Spyware Cookies
No spyware cookies were found during this scan.

I ALSO RAN HIJACK...here's the log. I WAS NOT ABLE TO RUN PANDA SCAN.
Logfile of HijackThis v1.99.1
Scan saved at 9:33:58 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a2.ff.fullaud....0.60/setup.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Admin\Desktop\cwshredder.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Edited by mlese, 12 November 2005 - 09:35 PM.

#34
g2i2r4

Posted 13 November 2005 - 07:05 AM

retired HiJack Helper

Retired Staff
5,080 posts

Time is not an issue here. I'm happy to help you.

Let's do it manually.

disable SpyCatcher, Spybot and AntiSpyware.

Download and install Registrar Lite.

Let's go search the Registry for MSEvents
Please be very carefull what you do. A corrupt Registry is a broken down machine.

Doubleclick the file you just downloaded.
An Installshield will appear. Follow the instructions.

Go to start - programs - RegistrarLite - Registrar Lite
Since it's the first time you open it, the program will finish the installation.

Press the magnifying glass
In the box 'text to search for' type
MSEvents
press 'enter'. The program will search the Registry looking for items.

When it's done searching you will see a window with rows.
Click a row (*)
Right-click and choose delete/remove
delete key and value.

Repeat that for all entries.
Then close Registrar Lite.

***

Rerun AntiSpyware. See what it says.
It feels like something is putting this back again and again (it belongs to the infection we are dealing with).

#35
mlese

Posted 13 November 2005 - 08:15 AM

Member

Topic Starter
Member
32 posts

Before I mess with the Registry I want to make sure I'm understanding what to do. When I ran Reglite for MSEvents, it said there were 5 Key name matches, 5 Value name matches, and 5 Data matches (thus, there were fifteen rows). I was afraid to delete the value name matches and data matches because in the spreadsheet, these rows had the word "default" in parentheses at the end of the row. So, just to clarify...I should delete/remove all fifteen rows, is that right? THANKS!

#36
g2i2r4

Posted 13 November 2005 - 08:35 AM

retired HiJack Helper

Retired Staff
5,080 posts

15 you say.. AntiSpyware found 14 :tazz:

I'd like to see them.

Open Registrar Lite.

Press the magnifying glass
In the box 'text to search for' type
MSEvents
press 'enter'. The program will search the Registry looking for items.

When it's done searching you will see a window with rows.
Click a row (*)
Click the star icon below
A new window (bookmarks) will open
You will be on the same row we started at
Click the right mousebutton
Click 'copy name to clipboard'

Open notepad
Click the right mousebutton and choose 'paste'.

Go back to Registrar Lite and close the bookmarks window.

Go to the next row
Repeat the steps from (*) untill all items are done.

Then close Registrar Lite.

In Notepad you can copy all lines and post them here in your answer.

Let's see what else is found.

#37
mlese

Posted 13 November 2005 - 03:06 PM

Member

Topic Starter
Member
32 posts

This is confusing. When I highlight a row and click the star icon, I get a HUGE spreadsheet with no row highlighted. I'm not sure what I should be copying and pasting. (You indicated that I should be on the same row, but as I said, nothing is highlighted. I will copy and paste the results from Registrar Lite and continue to see if I can figure out what you mean. Thanks. (I guess i can't copy and past the results)

#38
g2i2r4

Posted 13 November 2005 - 03:13 PM

retired HiJack Helper

Retired Staff
5,080 posts

Highlight a row in the right hand side of the window and right-click, choose 'copy'.

Then go to an empty notepad file and rightclick, choose 'paste'.

Let me know if that works.

#39
mlese

Posted 13 November 2005 - 03:56 PM

Member

Topic Starter
Member
32 posts

I can't seem to get this to work. I can't use the copy command in registrar lite. When I copy the rows to the bookmarks spreadsheet, it's added to the bottom of a bunch of stuff. From there, when I right click on a row, I don't get a regular copy command, but rather, "copy to clipboard". I highlighted all of the new rows to be copied to the clipboard. How do I get them from the clipboard to notepad? When I hit "paste" in notepad, nothing happens (so I obviously haven't highlighted them from the clipboard). I don't know how else to explain this, but I just can't seem to copy the results from Registrar Lite. I'll keep messing with this.

#40
g2i2r4

Posted 13 November 2005 - 04:11 PM

retired HiJack Helper

Retired Staff
5,080 posts

You can see the window is divided in two halfs.
On the side that has the 'key' colomn you can first select a row by just clicking it once.
Then copy it to the clipboard.

In Notepad choose paste.

You can do this one by one.

Let me know if it works like this.

Edited by g2i2r4, 13 November 2005 - 04:12 PM.

#41
mlese

Posted 13 November 2005 - 05:12 PM

Member

Topic Starter
Member
32 posts

Still no luck. After running the word MSEvents in the search of Registrar Lite, I get a spreadsheet called Advanced Registry Search. This contains fifteen rows. The title of the columns are: "Match", "machine", "key", "value", etc. I can highlight each row, however, when I right click my mouse, I get the following five options (none of which is copy):
1.) Jump to
2.) Bookmark
3.) Remove from search results
4.) Delete selected registry keys and values
5.) Replace

If I select Bookmark, it copies the line to a "Bookmark" database that already contains hundreds of entries.

When I "x" out of that window, I get a spreadsheet called "Registrar Registry Manager". This spreadsheet contains the same headings as in your example. It's easy enough to copy and paste those results (but I don't think this is what you want...I think you want the spreadsheet that contains the fifteen rows, right?:

HKEY_LOCAL_MACHINE\HARDWARE

HKEY_LOCAL_MACHINE\SAM

HKEY_LOCAL_MACHINE\SECURITY

HKEY_LOCAL_MACHINE\SOFTWARE

HKEY_LOCAL_MACHINE\SYSTEM

#42
g2i2r4

Posted 14 November 2005 - 02:34 AM

retired HiJack Helper

Retired Staff
5,080 posts

Finally I found out what going on! They've update to a new version, and that one works slightly different.
Please give it one more try.

Go to start - programs – Registrar Registry Manager - Registrar Registry Manager

Press the magnifying glass
In the box 'text to search for' type
MSEvents
press 'enter'. The program will search the Registry looking for items.

When it's done searching you will see a window with rows.
Right click a row. Choose ‘jump to’ *
A second window (advanced registry search) will open
Press ctrl+C to copy the row.

Open notepad
Click the right mousebutton and choose 'paste'.

Go back to Registrar Lite and go to the first window with the search results.

Go to the next row
Repeat the steps from (*) untill all items are done.

Then close Registrar Lite.

In Notepad you can copy all lines and post them here in your answer.

Thanks for hanging in there. :tazz:

Edited by g2i2r4, 14 November 2005 - 03:16 AM.

#43
mlese

Posted 14 November 2005 - 08:56 PM

Member

Topic Starter
Member
32 posts

Below is what I was able to copy. However, I noticed that the entire row was not copied. For example, I noticed that the only information copied into wordpad was the information contained in the registrar columns labeled "Key" and "Value name". The information in the columns with the heading "Data" or "type" was not copied. Here is what I was able to copy. If you need the information from the "date" field or "type" field, I can always write it down and provide it to you. Thanks.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\\(default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\\(default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CLSID\\(default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CLSID\\(default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CurVer\\(default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CurVer\\(default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\\(default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\\(default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\CLSID\\(default)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\CLSID\\(default)

#44
g2i2r4

Posted 15 November 2005 - 07:11 AM

retired HiJack Helper

Retired Staff
5,080 posts

Okay, it's safe to remove all of them.
Right click a row for a key and select 'delected selected registry keys and values'
Repeat it for all MSEvents keys found.

then close Registrar Lite

Rerun AntiSpyware again.
Let me know what it says now.

#45
mlese

Posted 15 November 2005 - 08:00 PM

Member

Topic Starter
Member
32 posts

Here is the result before I deleted the "MSEvents items" in the registry:

Spyware Scan Details
Start Date: 11/15/2005 2:00:28 AM
End Date: 11/15/2005 2:14:43 AM
Total Time: 14 mins 15 secs

Detected Threats

Virtumondo.C Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1 MSEvents Object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CLSID {8DBF02DA-4360-4A7E-BEA1-347B87816327}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CurVer MSEvents.MSEvents.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents MSEvents Object
HKEY_CLASSES_ROOT\MSEvents.MSEvents\CLSID {8DBF02DA-4360-4A7E-BEA1-347B87816327}
HKEY_CLASSES_ROOT\MSEvents.MSEvents\CurVer MSEvents.MSEvents.1
HKEY_CLASSES_ROOT\MSEvents.MSEvents MSEvents Object
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1\CLSID {8DBF02DA-4360-4A7E-BEA1-347B87816327}
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 MSEvents Object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\CLSID {8DBF02DA-4360-4A7E-BEA1-347B87816327}

Spyware Scan Details
Start Date: 11/15/2005 6:47:06 PM
End Date: 11/15/2005 7:00:07 PM
Total Time: 13 mins 1 secs

HERE ARE THE RESULTS AFTER DELETING THE ENTRIES:

Detected Threats

Virtumondo.C Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents

Detected Spyware Cookies
No spyware cookies were found during this scan.

Should I run hijack this or ewido??? Should I try and run panda scan again?

Also...just so you know...I'll be away from my computer for the next three days. I should be back on Saturday. THANKS.

Edited by mlese, 15 November 2005 - 08:02 PM.