Solved

Requesting assistance removing malware: Homepage redirects, pop-ups, spyware, etc.

Posted on 2004-08-18
17
3,793 Views
Last Modified: 2013-12-04
First off, background:

I'm visiting the in-laws who seem to be having problems with their PC. Spyware, viruses, and hijack malware.

I am non-technical, but doing my best to help them out.  They are getting all sorts of gambling/porn pop-ups and homepage redirects. Also, some pages - Google, etc - are being blocked or redirected.

My father-in-law has purchased something called SpyBlocs (v2.0) which I've tried using, but it seems to never finish its scan. Though it does claim to have found spyware processes and files, it keeps scanning indefinitely without allowing me the option of cleaning what it has found. I'm not sure how effective/legit this program is.

I browsed this site, but there seem to be many different steps to take depending on the specific type of malware, which is why I'm posting this question.  

I started my clean-up process with Adaware and cleared out over 600 critical items. Unfortunately, each time on reboot I seem to be repeating the removal of 10-12 critical items which seem to respawn on reboot.

I've also downloaded and used CWShredder (v1.59.1) and Hijack This.  CWShredder has removed a couple items, but for some reason I can't get the program to update. It keeps telling me the two update sites are busy, so I'm not sure how current the version I am using is. The latest scans I've done with CWS says the system is clean.

I have turned off the restore function in XP. Upon rebooting, I am still getting the Adaware critical messages, homepage redirects and pop-ups. I'm unable to reset the homepage from "C:\searchpage.html", which I'm guessing is stored on the PC because it pops up regardless of whether I'm connected to the internet or not. There is also an extra taskbar in IE which has a search field and 8 tab buttons, with headings, which change depending on what I am viewing.

Here's my Hijack This log file. The problem is I do not know what to keep and what to delete. Any help, steps I should take and in what order, would be greatly appreciated.  (Also, I may need to ask a follow-up question if the removal steps are too complicated for a non-techie like me.) Thank you very much for your assistance.

Logfile of HijackThis v1.98.2
Scan saved at 5:53:58 PM, on 8/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\AccessMedia\AMTray.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\WINDOWS\System32\msconfg.exe
C:\Program Files\SpyBlocs\SpyBlocs.exe
C:\WINDOWS\SYSTEM32\qttask.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\cdbn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\Program Files\Common Files\WinAntiVirus 2004\VapFM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xspbvgafiyahqfrza.uk/WT6Dlbj/KktXNlmjPKgfve3veaPe4G7c8uRqG9F9ZMc1tecttUD4Vv8DZhj0eBu5.html
O2 - BHO: (no name) -  {69AA4156-B739-3FE1-8750-67550ED47D1E} - (no file)
O2 - BHO: (no name) -  {7B55BB05-0B4D-44FD-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) -  {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - (no file)
O2 - BHO: (no name) -  {C86B1EDC-63E3-2602-D908-D4FAA4BC5C73} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [bubuvej] C:\WINDOWS\bubuvej.exe
O4 - HKLM\..\Run: [nyzapop] C:\WINDOWS\nyzapop.exe
O4 - HKLM\..\Run: [pevuhut] C:\WINDOWS\pevuhut.exe
O4 - HKLM\..\Run: [jmdwhwj] C:\WINDOWS\jmdwhwj.exe
O4 - HKLM\..\Run: [vapozav] C:\WINDOWS\vapozav.exe
O4 - HKLM\..\Run: [dirodkn] C:\WINDOWS\dirodkn.exe
O4 - HKLM\..\Run: [nknqrqd] C:\WINDOWS\nknqrqd.exe
O4 - HKLM\..\Run: [petqlsx] C:\WINDOWS\petqlsx.exe
O4 - HKLM\..\Run: [nctwbut] C:\WINDOWS\nctwbut.exe
O4 - HKLM\..\Run: [AccessMedia] "C:\Program Files\AccessMedia\AccessMedia.exe" /H
O4 - HKLM\..\Run: [AccessMedia Tray] "C:\Program Files\AccessMedia\AMTray.exe" /H
O4 - HKLM\..\Run: [AccessMedia P2P Loader] "C:\Program Files\p2pnetworks\amp2pl.exe" /H
O4 - HKLM\..\Run: [zsfwrib] C:\WINDOWS\zsfwrib.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cakepartmealhelp] C:\Documents and Settings\All Users\Application Data\Enc four cake part\body byte.exe
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Idur] C:\Documents and Settings\default\Application Data\rtoa.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Nflow] C:\WINDOWS\System32\cdbn.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll

Question by:Stabo66
17 Comments
 
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 250 total points
ID: 11837365
Hmmm have you ran

 Also use SpyBot and AdAware in tandem. Neither is 100% accurate but the two of them together get pretty close to 100% accuracy.

spybot here
http://www.safer-networking.org/
Download
http://spybot.safer-networking.de/index.php?lang=en&page=download

AdAware
http://www.lavasoftusa.com/

Not Free
Spycop:
http://www.spycop.com/
==========================

Could be a browser hijacker behind the problem

This little ditty will get rid of some of the more well-known home page hijackers.
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html 
here is a description of what it does
http://www.softpedia.com/public/cat/10/17/10-17-143.shtml
Features:

· Redirections to CoolWebSearch related pages
· Redirections when mistyping URLs
· Redirections when visiting Google
· Enormous IE slowdowns when typing
· IE start page/search page changing on reboot
· Sites in the IE Trusted Zone you didn't add
· Popups in Google and Yahoo when searching
· Errors at startup mentioning WIN.INI or IEDLL.EXE
· Unable to change or see certain items in IE Options
· Unable to access IE Options at all

download here
http://www.spychecker.com/download/download_coolwebshredder.html
----------------------------------

Could be a browser hijacker behind the problem
Hijack This and BHODemon and Browser Hijack Blaster

Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at TomCoyote.org.

http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon http://www.spywareinfo.com/downloads/bhod/ | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

Browser Hijack Blaster http://www.wilderssecurity.net/bhblaster.html | Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenever one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.
=======================

General and overall information about Spy/Adware
http://www.cexx.org/adware.htm
0
 
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 250 total points
ID: 11837367
Try this

Start > Run msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists, then one of the items in the startup is the culprit; you just need to track it down.
0
 
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 250 total points
ID: 11837388
I don't know what this is

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

or these

O2 - BHO: (no name) -  {69AA4156-B739-3FE1-8750-67550ED47D1E} - (no file)
O2 - BHO: (no name) -  {7B55BB05-0B4D-44FD-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) -  {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - (no file)
O2 - BHO: (no name) -  {C86B1EDC-63E3-2602-D908-D4FAA4BC5C73} - (no file)

or these


O4 - HKLM\..\Run: [nyzapop] C:\WINDOWS\nyzapop.exe
O4 - HKLM\..\Run: [pevuhut] C:\WINDOWS\pevuhut.exe
O4 - HKLM\..\Run: [jmdwhwj] C:\WINDOWS\jmdwhwj.exe
O4 - HKLM\..\Run: [vapozav] C:\WINDOWS\vapozav.exe
O4 - HKLM\..\Run: [dirodkn] C:\WINDOWS\dirodkn.exe
O4 - HKLM\..\Run: [nknqrqd] C:\WINDOWS\nknqrqd.exe
O4 - HKLM\..\Run: [petqlsx] C:\WINDOWS\petqlsx.exe
O4 - HKLM\..\Run: [nctwbut] C:\WINDOWS\nctwbut.exe

this one is suspect

O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe

and so is this one

O4 - HKCU\..\Run: [Nflow] C:\WINDOWS\System32\cdbn.exe



0

 
LVL 44

Expert Comment

by:CrazyOne
ID: 11837397
And this

O4 - HKCU\..\Run: [Idur] C:\Documents and Settings\default\Application Data\rtoa.exe\
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 11837400
You have way too many things on in your startup. Use MSCONFIG (Start > Run msconfig) to limit what is launched at startup.
0
 

Author Comment

by:Stabo66
ID: 11839597
Thanks CrazyOne for your assistance.

I've gone into msconfig - startup - and selected "disable all".  Most all of them seem to have stayed off, but msconfig.exe ends up re-enabling itself. Not sure if this should be happening after I've disabled it or not.

After disabling, the results when I run HijackThis are noticeably fewer.

I've downloaded and run SpyBot - It identified 275 red items - all of which I've tried to delete. There are 32 items which Spybot seems unable to remove.  I've listed them in the log below.  Spybot keeps asking me to reboot, & rescan, but each time I do, it identifies 42 items of which it can only clean 10, leaving the 32 problem ones. Rebooting again does the same.

I've also run CWShredder which says I'm clean, and Adaware which now says I'm clean.  So I guess I only have to worry about those 32 items that SpyBot can't seem to clean.

I am curious if/when I go back into msconfig and re-enable, will I be reactivating a bunch of these pesky programs?
If so, how should I proceed? Compare HijackThis logs before and after I re-enable and delete the differences, or what? Hate to delete something important.  Also, when I re-enable do I need to run all these programs again?

Thanks again for any and all assistance !!!!

Anyway, I'm attaching both my Spybot log and Hijack logs below:

HIJACK THIS LOG WITH STARTUP DISABLED:

Logfile of HijackThis v1.98.2
Scan saved at 2:47:17 AM, on 8/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\System32\msconfg.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\notepad.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.pkntjfbldtacvogfxtejnicur.biz/WT6Dlbj/KktXNlmjPKgfve3veaPe4G7c8uRqG9F9ZMd3969sU_kGPf8DZhj0eBu5.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll


SPYBOT LOG WITH STARTUP DISABLED: (Note, the "fixed" stuff reappears upon reboot)

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\180solutions

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\DialerConn1

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\PRPI

Download Accelerator Plus ads: Settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\Software\SpeedBit\Download Accelerator\ADS\SecondMedia

Download Accelerator Plus ads: Ad category (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSFileList

Download Accelerator Plus ads: Ad category (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSAds

Download Accelerator Plus ads: Default ad category (Registry change, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSDefaultCategory=Default

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-21-515967899-1993962763-1708537768-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\egroup

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\New Dialup Connection

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\SiteIcons

WebDialer:  Executable (File, fixing failed)
  C:\WINDOWS\5-1-6-26.exe

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\eConnect


--- Spybot - Search && Destroy version: 1.3  ---
2004-05-12 Includes\LSP.sbi
2004-08-11 Includes\Cookies.sbi
2004-08-11 Includes\Dialer.sbi
2004-08-11 Includes\Hijackers.sbi
2004-08-11 Includes\Keyloggers.sbi
2004-08-11 Includes\Malware.sbi
2004-08-11 Includes\Revision.sbi
2004-08-11 Includes\Security.sbi
2004-08-11 Includes\Spybots.sbi
2004-08-11 Includes\Trojans.sbi
2004-08-11 Includes\Tracks.uti



0
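The before/after comparison asked about in the comment above can be scripted. The following is an added example, not code from any poster in this thread: it parses the `O4` autostart lines of two HijackThis logs, reports which entries survived msconfig's "Disable All", and flags bare filenames and near-misses of Windows binary names. The sample lines are excerpts copied from the two logs posted above; the function names, reason labels and the edit-distance threshold of 2 are assumptions of this sketch, and a flag means "review this entry", not a verdict.

```python
import re

# Excerpts from the two HijackThis logs in this thread (first log, then the
# log taken with startup items disabled). Not the complete logs.
BEFORE = r"""
O4 - HKLM\..\Run: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [bubuvej] C:\WINDOWS\bubuvej.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Nflow] C:\WINDOWS\System32\cdbn.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
"""

# Registry autostart lines only; "O4 - Global Startup" shortcuts are skipped.
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$", re.M)

# Names of real Windows binaries that lookalike files tend to imitate.
KNOWN = ("msconfig.exe", "rundll32.exe", "svchost.exe", "explorer.exe",
         "winlogon.exe", "services.exe", "lsass.exe")


def parse_o4(log):
    """Map (hive, key, value name) -> command line for each O4 registry entry."""
    return {(h, k, n): cmd.strip() for h, k, n, cmd in O4_LINE.findall(log)}


def exe_path(cmd):
    """Return the program part of a command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def edit_distance(a, b):
    """Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename):
    """Known binary this name nearly matches (distance 1-2), else None."""
    if basename in KNOWN:
        return None
    return next((k for k in KNOWN if edit_distance(basename, k) <= 2), None)


def triage(before_log, after_log):
    """List entries from the first log that deserve a closer look, with reasons."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    findings = []
    for (hive, key, name), cmd in before.items():
        path = exe_path(cmd)
        reasons = []
        if (hive, key, name) in after:
            reasons.append("survived-disable-all")   # something re-wrote it
        if "\\" not in path:
            reasons.append("bare-filename")          # resolved via search path
        hit = lookalike(path.rsplit("\\", 1)[-1].lower())
        if hit:
            reasons.append("lookalike:" + hit)
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name,
                             "cmd": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(BEFORE, AFTER):
        print(f"{f['hive']}\\{f['key']} [{f['name']}] {f['cmd']}")
        print("    " + ", ".join(f["reasons"]))
```

Entries that carry no flag, such as the randomly named executables under `C:\WINDOWS`, are not cleared by this; the heuristics only cover persistence across "Disable All", missing paths and name imitation.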
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 250 total points
ID: 11840231
Hello Stabo66 =)

Although u have already got a Great assistance from CO.... but there are some things which i want to add here !!!!!!
*CO plzz dont mind, but i cannot stop myself in case if HijackThis =|*

So first of all,,,, goto Start>run>msconfig>Startup
and enable the entries for ur Antivirus and Firewall softwares
leave the other ones unchecked if u dont recognise them !!!!

restart and make sure that u have these five tools installed on ur system...
==========================================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
Stinger >> http://vil.nai.com/vil/stinger/
==========================================================================
then Disable ur messenger service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/

then install the above tools and then Turn off ur system restore if its enabled >> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

after that Fix the following lines in HijackThis scan !!!!

========================================================
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
===============================================================
then....

1. Restart ur machine
2. Boot into safemode and Login as Administrator (How to get into safemode >> http://www.computerhope.com/issues/chsafe.htm)
3. Run the AntiVirus tool(stinger) and delete all viruses it found
4. Run the Spyware Removal tools(the all above five tools) and delete everything they detect
5. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
9. goto C:\Windows\System32 and delete the file msconfg.exe (its not the original msconfig.exe file)
10. Reboot back in Normal Mode and check if problems are gone
11. If YES then Great, otherwise run the HijackThis scan, and post the LOG file here again.


!! GOOD LUCK !!
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 11840324
There is one thing that always bothers me. I have yet to see where turning off System Restore does anything to help unless the problem is explicitly within it. Most of the time it is not. With the amount of Restore Dates that XP likes to keep it really is not all that necessary to turn it off. And unless an AV or a Malware scanner finds something in the System Restore then why turn it off. And if it does find some all one needs to do is to delete the RPx file that was identified.

I agree these two don't belong

O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11840406
I dont know if u will agree with me or not,,, but i have seen so many cases where with System restore turned on, most of malware comes back even if they are not reported lying in any of the restore points.... !!!
and when we turn off system restore, 90% of them go away from the system.... :)

I hope u didn't mind my interference in this question =\
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 11840438
Ummm I disagree. The System Restore is checked by at least I know from Norton and SpyWare. It depends if you set them up to first check zip files or any other compressed file.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 11840509
Hi! ALL!

A couple of things:
>Stabo66
I could be mistaken; but, this does not look like a complete HijackThis log -
no 016, 018, 020, etc. entries.

Also, see the following for information concerning winantivirus 2004 and the 010 entries in your log:
(O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll)
http://www.angeltowns.com/members/zupe/lsps.html
Also:
http://forum.aumha.org/viewtopic.php?p=33464
And:
http://www.tek-tips.com/viewthread.cfm?qid=744567

Just some information!

>CrazyOne
Good to see you!
Hope things are going well!

Cheers and good luck!
RF
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 11840560
HI RF
0
 

Author Comment

by:Stabo66
ID: 11846405
Thank you all for your assistance. Spent a few hours this morning trying to get all your suggestions completed.  
Since I'd already used CrazyOne's suggestions to remove 95% of the problems (over 1000 items in total), I tried SheharyaarSaahil's suggestions next.  Everything seems to work well except that SpySweeper keeps freezing.  

Unfortunately, I'm leaving town shortly so the in-laws will have to make do with the incremental improvements.  I still haven't been able to rid the PC of  "C:\searchpage.html" which is a rather annoying hijack.  I'll distribute points now because I'm not sure if I'll have enough time to check any updates I get from the community until next week sometime.  If I do get more feedback and suggestions I'll either try doing them myself, or talk my father-in-law through the process over the phone.

I'm attaching my latest HijackThis log file below.  In response to Rossfingal's comment above - yes, I've been posting my entire HijackThis log file. I'm not sure why there are no 016, 018, or 020 entries, though I don't know what those are.

SpyBot is also still getting problems that it can't seem to clean. I'll attach that log in a separate comment below.

Once again, a big THANK YOU to everyone that's helped me. Though I haven't gotten all the darn bugs yet, I've managed to get 98% of them.


Logfile of HijackThis v1.98.2
Scan saved at 2:15:08 PM, on 8/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\Program Files\Common Files\WinAntiVirus 2004\VapFM.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fwiqgnwvfpfjqatojf.com/WT6Dlbj/KktXNlmjPKgfve3veaPe4G7c8uRqG9F9ZMftWRoJFl0N1f8DZhj0eBu5.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Configuration Loader] chkprocess.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11846473
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
============================================

fix these two lines (these were not present before), and this Rundll16.exe is a variant of the Backdoor.Sdbot virus, see here >> http://www.liutilities.com/products/wintaskspro/processlibrary/rundll16/

so run some online virus scans after fixing those two lines, and run Stinger and your antivirus software in safe mode to make sure your system is really clean!

CHECK FOR ONLINE VIRUS SCAN:
--------------------------------------
1. http://us.mcafee.com/root/mfs/default.asp?cid=9059 
2. http://security.symantec.com/
3. http://housecall.trendmicro.com/ 
4. http://www.pandasoftware.com/activescan/com/activescan_principal.htm
5. http://www.pcpitstop.com/antivirus/default.asp

post back if you have any more confusion or problem :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11846492
and yes, this line also was not included in the first log >> O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe

this is also a nasty thingy >> http://www.liutilities.com/products/wintaskspro/processlibrary/uptodate/
so fix it also and remove this file if it's present in your C:\Windows folder!
0
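The two replies above single out entries that "were not present before". The following is an added example (not part of the thread, and not HijackThis code) that compares two HijackThis logs and lists the entries that appear only in the later one, together with the file each new autorun value launches. The `BEFORE` log is a constructed stand-in for the first log, and all function names are hypothetical.

```python
import re

# A HijackThis result line: section code, " - ", then the detail text.
ENTRY = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.+)$")
# O4 registry autorun detail:  HKLM\..\Run: [value name] command line
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Executable path at the start of a command line, quoted or unquoted.
TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|scr))\b', re.I)

def parse_entries(log_text):
    """Return the set of (section, detail) result lines in a HijackThis log."""
    found = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2)))
    return found

def new_entries(before_log, after_log):
    """Entries in the later log that the earlier log did not contain."""
    return sorted(parse_entries(after_log) - parse_entries(before_log))

def autorun_targets(entries):
    """Map autorun value name -> file it launches, for O4 registry entries."""
    targets = {}
    for section, detail in entries:
        m = AUTORUN.match(detail) if section == "O4" else None
        if not m:
            continue
        t = TARGET.match(m.group(4))
        targets[m.group(3)] = (t.group(1) or t.group(2)) if t else m.group(4)
    return targets

# Constructed stand-in for the first log: later log minus the flagged lines.
BEFORE = r"""
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Loader] chkprocess.exe
"""
# Lines copied from the later log posted in the thread.
AFTER = BEFORE + r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
"""

if __name__ == "__main__":
    added = new_entries(BEFORE, AFTER)
    for section, detail in added:
        print(section, "-", detail)
    print(autorun_targets(added))
```

An entry that shows up only in the later log is a candidate for review, not proof of infection; the file it points to still has to be identified.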
 

Author Comment

by:Stabo66
ID: 11846523
Here is my SpyBot log:

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\180solutions

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\DialerConn1

BrowserAid.LetsSearch: Autorun settings (Registry value, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunWindowsUpdate

BrowserAid.RunDll: Autorun settings (Registry value, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll16

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\PRPI

Download Accelerator Plus ads: Settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\Software\SpeedBit\Download Accelerator\ADS\SecondMedia

Download Accelerator Plus ads: Ad category (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSFileList

Download Accelerator Plus ads: Ad category (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSAds

Download Accelerator Plus ads: Default ad category (Registry change, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSDefaultCategory=Default

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-21-515967899-1993962763-1708537768-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\egroup

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\New Dialup Connection

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\SiteIcons

WebDialer:  Executable (File, fixing failed)
  C:\WINDOWS\5-1-6-26.exe

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\eConnect


--- Spybot - Search && Destroy version: 1.3  ---
2004-05-12 Includes\LSP.sbi
2004-08-11 Includes\Cookies.sbi
2004-08-11 Includes\Dialer.sbi
2004-08-11 Includes\Hijackers.sbi
2004-08-11 Includes\Keyloggers.sbi
2004-08-11 Includes\Malware.sbi
2004-08-11 Includes\Revision.sbi
2004-08-11 Includes\Security.sbi
2004-08-11 Includes\Spybots.sbi
2004-08-11 Includes\Trojans.sbi
2004-08-11 Includes\Tracks.uti
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11846573
Stabo66, the failing in fixing these registries might be due to permissions!

to check this go to Start > Run > regedit
and go to the locations which Spybot is failing to remove, e.g. >> HKEY_USERS\S-1-5-18\Software\180solutions
right-click the 180Solutions folder and click Permissions, and make sure NOTHING is Denied here; if it is, then untick it and take full control of this folder!

now you can either manually delete this folder, or run Spybot to delete them... and do the same for the other folders also :)
0
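To work through the permission check suggested above key by key, it helps to pull every "fixing failed" location out of the Spybot log and group it by the hive or account that owns it. This is an added example (not part of the thread, and not Spybot code); the function names are hypothetical, the sample lines are copied from the log posted above, and the SID-to-account names are the standard Windows well-known SIDs.

```python
import re
from collections import defaultdict

# Result header, e.g.  n-Case: User settings (Registry key, fixing failed)
HEADER = re.compile(
    r"^(?P<product>\S[^:]*):\s+(?P<what>.+) \((?P<kind>[^,]+), (?P<status>[^)]+)\)$")
# Well-known service-account SIDs (standard Windows values).
ACCOUNTS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
            "S-1-5-20": "NetworkService"}

def parse_results(log_text):
    """Pair each 'Product: what (kind, status)' header with its location line."""
    records, pending = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.groupdict()
        elif pending and line.startswith("  ") and line.strip():
            pending["location"] = line.strip()
            records.append(pending)
            pending = None
    return records

def failed_by_owner(records):
    """Group locations whose fix failed by the hive or account that owns them."""
    groups = defaultdict(list)
    for r in records:
        if r["status"] != "fixing failed":
            continue
        parts = r["location"].split("\\")
        owner = ACCOUNTS.get(parts[1], parts[1]) if parts[0] == "HKEY_USERS" else parts[0]
        groups[owner].append(r["location"])
    return dict(groups)

# Sample: a few result entries copied from the Spybot log posted above.
SAMPLE = r"""n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\180solutions
Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\PRPI
eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\egroup
BrowserAid.RunDll: Autorun settings (Registry value, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll16
Download Accelerator Plus ads: Settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\Software\SpeedBit\Download Accelerator\ADS\SecondMedia
"""

if __name__ == "__main__":
    print(failed_by_owner(parse_results(SAMPLE)))
```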

Question has a verified solution.
