Solved

Requesting assistance removing malware: Homepage redirects, pop-ups, spyware, etc.

Posted on 2004-08-18
Last Modified: 2013-12-04
First off, background:

I'm visiting the in-laws who seem to be having problems with their PC. Spyware, viruses, and hijack malware.

I am non-technical, but doing my best to help them out.  They are getting all sorts of gambling/porn pop-ups and homepage redirects. Also, some pages - Google, etc - are being blocked or redirected.

My father in-law has purchased something called SpyBlocs (v2.0) which I've tried using, but it seems to never finish its scan. Though it does claim to have found spyware processes and files, it keeps scanning indefinitely without allowing me the option of cleaning what it has found. I'm not sure how effective/legit this program is.

I browsed this site, but there seem to be many different steps to take depending on the specific type of malware, which is why I'm posting this question.  

I started my clean-up process with Adaware and cleared out over 600 critical items. Unfortunately, each time on reboot I seem to be repeating the removal of 10-12 critical items which seem to respawn on reboot.

I've also downloaded and used CWShredder (v1.59.1) and Hijack This.  CWShredder has removed a couple items, but for some reason I can't get the program to update. It keeps telling me the two update sites are busy, so I'm not sure how current the version I am using is. The latest scans I've done with CWS says the system is clean.

I have turned off the restore function in XP. Upon rebooting, I am still getting the Adaware critical messages, homepage redirects and pop-ups. I'm unable to reset the homepage from "C:\searchpage.html", which I'm guessing is stored on the PC because it pops up regardless of whether I'm connected to the internet or not. There is also an extra taskbar in IE which has a search field and 8 tab buttons, with headings, which change depending on what I am viewing.

Here's my Hijack This log file. The problem is I do not know what to keep and what to delete. Any help, steps I should take and in what order, would be greatly appreciated.  (Also, I may need to ask a follow-up question if the removal steps are too complicated for a non-techie like me.) Thank you very much for your assistance.

Logfile of HijackThis v1.98.2
Scan saved at 5:53:58 PM, on 8/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\AccessMedia\AMTray.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\WINDOWS\System32\msconfg.exe
C:\Program Files\SpyBlocs\SpyBlocs.exe
C:\WINDOWS\SYSTEM32\qttask.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\cdbn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\Program Files\Common Files\WinAntiVirus 2004\VapFM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xspbvgafiyahqfrza.uk/WT6Dlbj/KktXNlmjPKgfve3veaPe4G7c8uRqG9F9ZMc1tecttUD4Vv8DZhj0eBu5.html
O2 - BHO: (no name) -  {69AA4156-B739-3FE1-8750-67550ED47D1E} - (no file)
O2 - BHO: (no name) -  {7B55BB05-0B4D-44FD-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) -  {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - (no file)
O2 - BHO: (no name) -  {C86B1EDC-63E3-2602-D908-D4FAA4BC5C73} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [bubuvej] C:\WINDOWS\bubuvej.exe
O4 - HKLM\..\Run: [nyzapop] C:\WINDOWS\nyzapop.exe
O4 - HKLM\..\Run: [pevuhut] C:\WINDOWS\pevuhut.exe
O4 - HKLM\..\Run: [jmdwhwj] C:\WINDOWS\jmdwhwj.exe
O4 - HKLM\..\Run: [vapozav] C:\WINDOWS\vapozav.exe
O4 - HKLM\..\Run: [dirodkn] C:\WINDOWS\dirodkn.exe
O4 - HKLM\..\Run: [nknqrqd] C:\WINDOWS\nknqrqd.exe
O4 - HKLM\..\Run: [petqlsx] C:\WINDOWS\petqlsx.exe
O4 - HKLM\..\Run: [nctwbut] C:\WINDOWS\nctwbut.exe
O4 - HKLM\..\Run: [AccessMedia] "C:\Program Files\AccessMedia\AccessMedia.exe" /H
O4 - HKLM\..\Run: [AccessMedia Tray] "C:\Program Files\AccessMedia\AMTray.exe" /H
O4 - HKLM\..\Run: [AccessMedia P2P Loader] "C:\Program Files\p2pnetworks\amp2pl.exe" /H
O4 - HKLM\..\Run: [zsfwrib] C:\WINDOWS\zsfwrib.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cakepartmealhelp] C:\Documents and Settings\All Users\Application Data\Enc four cake part\body byte.exe
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Idur] C:\Documents and Settings\default\Application Data\rtoa.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Nflow] C:\WINDOWS\System32\cdbn.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll

Question by:Stabo66
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 250 total points
Hmmm have you run

 Also use SpyBot and AdAware in tandem. Neither is 100% accurate but the two of them together get pretty close to 100% accuracy.

spybot here
http://www.safer-networking.org/
Download
http://spybot.safer-networking.de/index.php?lang=en&page=download

AdAware
http://www.lavasoftusa.com/

Not Free
Spycop:
http://www.spycop.com/
==========================

Could be a browser hijacker behind the problem

This little ditty will get rid of some of the more well known Home page Hijackers.
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html
here is a description of what it does
http://www.softpedia.com/public/cat/10/17/10-17-143.shtml
Features:

· Redirections to CoolWebSearch related pages
· Redirections when mistyping URLs
· Redirections when visiting Google
· Enormous IE slowdowns when typing
· IE start page/search page changing on reboot
· Sites in the IE Trusted Zone you didn't add
· Popups in Google and Yahoo when searching
· Errors at startup mentioning WIN.INI or IEDLL.EXE
· Unable to change or see certain items in IE Options
· Unable to access IE Options at all

download here
http://www.spychecker.com/download/download_coolwebshredder.html
----------------------------------

Could be a browser hijacker behind the problem
Hijack This and BHODemon and Browser Hijack Blaster

Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at TomCoyote.org.

http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon http://www.spywareinfo.com/downloads/bhod/ | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

Browser Hijack Blaster http://www.wilderssecurity.net/bhblaster.html | Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenever one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.
=======================

General and overall information about Spy/Adware
http://www.cexx.org/adware.htm
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 250 total points
Try this

Start > Run msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists then one of the items in the startup is the culprit; you just need to track it down.
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 250 total points
I don't know what this is

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

or these

O2 - BHO: (no name) -  {69AA4156-B739-3FE1-8750-67550ED47D1E} - (no file)
O2 - BHO: (no name) -  {7B55BB05-0B4D-44FD-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) -  {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - (no file)
O2 - BHO: (no name) -  {C86B1EDC-63E3-2602-D908-D4FAA4BC5C73} - (no file)

or these


O4 - HKLM\..\Run: [nyzapop] C:\WINDOWS\nyzapop.exe
O4 - HKLM\..\Run: [pevuhut] C:\WINDOWS\pevuhut.exe
O4 - HKLM\..\Run: [jmdwhwj] C:\WINDOWS\jmdwhwj.exe
O4 - HKLM\..\Run: [vapozav] C:\WINDOWS\vapozav.exe
O4 - HKLM\..\Run: [dirodkn] C:\WINDOWS\dirodkn.exe
O4 - HKLM\..\Run: [nknqrqd] C:\WINDOWS\nknqrqd.exe
O4 - HKLM\..\Run: [petqlsx] C:\WINDOWS\petqlsx.exe
O4 - HKLM\..\Run: [nctwbut] C:\WINDOWS\nctwbut.exe

this one is suspect

O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe

and so is this one

O4 - HKCU\..\Run: [Nflow] C:\WINDOWS\System32\cdbn.exe



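CrazyOne's triage above rests on a few signals a reader can apply to their own log: BHOs listed with "(no file)", executables sitting in the Windows root under random names, entries under the Win9x-only RunServices key, bare file names with no path, and a file called msconfg.exe that imitates msconfig.exe. The script below is an added example, not code from this thread or from HijackThis; it encodes those signals as checks over a handful of lines copied from the log posted above (plus two known-good entries for contrast). The function names, the short SYSTEM_BINARIES list and the 0.8 similarity cutoff are my own choices, and the output is a list of reasons to look closer, not a verdict.

```python
import difflib
import re
from pathlib import PureWindowsPath

# Constructed sample input for this example: lines copied from the HijackThis
# log posted above, plus two known-good entries (Works, QuickTime) for contrast.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) -  {69AA4156-B739-3FE1-8750-67550ED47D1E} - (no file)",
    r"O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx",
    r"O4 - HKLM\..\Run: [Configuration Loader] chkprocess.exe",
    r"O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe",
    r"O4 - HKLM\..\Run: [nyzapop] C:\WINDOWS\nyzapop.exe",
    r"O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime',
    r"O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe",
    r"O4 - HKCU\..\Run: [Nflow] C:\WINDOWS\System32\cdbn.exe",
]

# Real Windows binaries whose names the entries on this page imitate. This is a
# hypothetical short list for the example; extend it from your own baseline.
SYSTEM_BINARIES = ["msconfig.exe", "rundll32.exe", "svchost.exe", "explorer.exe", "winlogon.exe"]

# O4 line: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First program on the command line, with optional surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr))"?', re.IGNORECASE)


def executable_of(cmd):
    """Pull the launched program out of an O4 command line, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage_line(line):
    """Return the reasons an entry deserves a second look; an empty list means nothing odd."""
    reasons = []
    if line.startswith("O2 - ") and line.endswith("(no file)"):
        reasons.append("BHO still registered but its DLL is gone: orphaned entry, safe to fix")
        return reasons
    m = O4_RE.match(line)
    if not m:
        return reasons  # only O2 and O4 entries are examined here
    path = PureWindowsPath(executable_of(m.group("cmd")))
    base, stem = path.name.lower(), path.stem.lower()
    if m.group("key") == "RunServices":
        reasons.append("RunServices is a Windows 9x key that XP ignores; a fresh entry there is malware written for 9x compatibility")
    if path.parent == PureWindowsPath("."):
        reasons.append("bare filename, resolved by PATH search instead of a fixed location")
    elif str(path.parent).lower() == r"c:\windows":
        reasons.append("dropped directly in the Windows root rather than System32 or Program Files")
    close = difflib.get_close_matches(base, SYSTEM_BINARIES, n=1, cutoff=0.8)
    if close and close[0] != base:
        reasons.append(f"file name is a near-miss of the system binary {close[0]}")
    if stem.isalpha() and not any(v in stem for v in "aeiouy"):
        reasons.append("vowel-less file name, typical of generated malware names")
    return reasons


def triage(lines):
    """Map each flagged log line to its reasons; lines with nothing odd are left out."""
    flagged = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    -", reason)
```

On the sample, the Works and QuickTime entries and the Radio toolbar pass clean, while msconfg.exe collects three reasons at once (RunServices, no path, near-miss of msconfig.exe), which matches the thread's conclusion that it is not the real msconfig.exe.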
LVL 44

Expert Comment

by:CrazyOne
And this

O4 - HKCU\..\Run: [Idur] C:\Documents and Settings\default\Application Data\rtoa.exe\
LVL 44

Expert Comment

by:CrazyOne
You have way too many things on in your startup. Use MSCONFIG Start > Run msconfig to limit what is launched at startup
Author Comment

by:Stabo66
Thanks CrazyOne for your assistance.

I've gone into msconfig - startup - and selected "disable all".  Most all of them seem to have stayed off, but msconfig.exe ends up re-enabling itself. Not sure if this should be happening after I've disabled it or not.

After disabling, the results when I run HijackThis are noticeably fewer.

I've downloaded and run SpyBot - It identified 275 red items - all of which I've tried to delete. There are 32 items which Spybot seems unable to remove.  I've listed them in the log below.  Spybot keeps asking me to reboot, & rescan, but each time I do, it identifies 42 items of which it can only clean 10, leaving the 32 problem ones. Rebooting again does the same.

I've also run CWShredder which says I'm clean, and Adaware which now says I'm clean.  So I guess I only have to worry about those 32 items that SpyBot can't seem to clean.

I am curious if/when I go back into msconfig and re-enable, will I be reactivating a bunch of these pesky programs?
If so, how should I proceed? Compare HijackThis logs before and after I re-enable and delete the differences, or what? Hate to delete something important.  Also, when I re-enable do I need to run all these programs again?

Thanks again for any and all assistance !!!!

Anyway, I'm attaching both my Spybot log and Hijack logs below:

HIJACK THIS LOG WITH STARTUP DISABLED:

Logfile of HijackThis v1.98.2
Scan saved at 2:47:17 AM, on 8/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\System32\msconfg.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\notepad.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.pkntjfbldtacvogfxtejnicur.biz/WT6Dlbj/KktXNlmjPKgfve3veaPe4G7c8uRqG9F9ZMd3969sU_kGPf8DZhj0eBu5.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll


SPYBOT LOG WITH STARTUP DISABLED: (Note, the "fixed" stuff reappears upon reboot)

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\180solutions

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\DialerConn1

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\PRPI

Download Accelerator Plus ads: Settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\Software\SpeedBit\Download Accelerator\ADS\SecondMedia

Download Accelerator Plus ads: Ad category (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSFileList

Download Accelerator Plus ads: Ad category (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSAds

Download Accelerator Plus ads: Default ad category (Registry change, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSDefaultCategory=Default

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-21-515967899-1993962763-1708537768-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\egroup

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\New Dialup Connection

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\SiteIcons

WebDialer:  Executable (File, fixing failed)
  C:\WINDOWS\5-1-6-26.exe

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\eConnect


--- Spybot - Search && Destroy version: 1.3  ---
2004-05-12 Includes\LSP.sbi
2004-08-11 Includes\Cookies.sbi
2004-08-11 Includes\Dialer.sbi
2004-08-11 Includes\Hijackers.sbi
2004-08-11 Includes\Keyloggers.sbi
2004-08-11 Includes\Malware.sbi
2004-08-11 Includes\Revision.sbi
2004-08-11 Includes\Security.sbi
2004-08-11 Includes\Spybots.sbi
2004-08-11 Includes\Trojans.sbi
2004-08-11 Includes\Tracks.uti



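Stabo66 asks above whether to compare HijackThis logs before and after re-enabling startup items and delete the differences. The comparison below is an added example, not a tool from this thread: it keys each entry by what it sets (the Run value name, or the left side of an "=" line) rather than by the whole line, so the SearchAssistant hijack, whose hostname is different in each of the three logs posted here, still shows up as one persisting entry whose value rotates. The two log excerpts are constructed from the first log and the "startup disabled" log above, and the function names are mine.

```python
import re

# An O4 entry is keyed by hive, key and value name; what it launches is the value.
O4_RE = re.compile(r"^(O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\]) (.*)$")
# Only the "Rn"/"On" entry lines matter; headers and the process list are skipped.
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")

# Constructed excerpt of the first log posted above.
BEFORE = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\msconfg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xspbvgafiyahqfrza.uk/WT6Dlbj/KktXNlmjPKgfve3veaPe4G7c8uRqG9F9ZMc1tecttUD4Vv8DZhj0eBu5.html
O2 - BHO: (no name) -  {69AA4156-B739-3FE1-8750-67550ED47D1E} - (no file)
O4 - HKLM\..\Run: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\Run: [bubuvej] C:\WINDOWS\bubuvej.exe
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Nflow] C:\WINDOWS\System32\cdbn.exe
"""

# Constructed excerpt of the log taken after msconfig "Disable All".
AFTER = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\msconfg.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.pkntjfbldtacvogfxtejnicur.biz/WT6Dlbj/KktXNlmjPKgfve3veaPe4G7c8uRqG9F9ZMd3969sU_kGPf8DZhj0eBu5.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
"""


def split_entry(line):
    """Split an entry into (what it sets, what it is set to)."""
    m = O4_RE.match(line)
    if m:
        return m.group(1), m.group(2)
    if " = " in line:
        key, value = line.split(" = ", 1)
        return key, value
    return line, ""  # e.g. O2 lines: the whole line is the identity


def parse_log(text):
    """Return {setting: value} for every entry line in a HijackThis log."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            key, value = split_entry(line)
            entries[key] = value
    return entries


def compare_logs(before_text, after_text):
    """Classify entries as persisted, gone or new between two scans.

    'rotated' lists persisted settings whose value changed between scans,
    which is how a hijack that cycles through throwaway hostnames still
    shows up as a single entry that survived the cleanup."""
    before, after = parse_log(before_text), parse_log(after_text)
    persisted = {k: (before[k], after[k]) for k in before if k in after}
    return {
        "persisted": persisted,
        "rotated": sorted(k for k, (old, new) in persisted.items() if old != new),
        "gone": sorted(k for k in before if k not in after),
        "new": sorted(k for k in after if k not in before),
    }


if __name__ == "__main__":
    result = compare_logs(BEFORE, AFTER)
    for bucket in ("persisted", "rotated", "gone", "new"):
        print(f"== {bucket} ==")
        for key in result[bucket]:
            print("  ", key)
```

The entries that survive "Disable All" are the ones worth attention (here the three msconfg.exe values, chkprocess.exe under RunServices, "each pile" and the SearchAssistant setting), while the one genuinely new entry, `[MSConfig] ... MSConfig.exe /auto`, is XP's own msconfig re-registering itself while selective startup is in effect, which is what Stabo66 saw re-enabling itself.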
LVL 65

Accepted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 250 total points
Hello Stabo66 =)

Although u have already got a Great assistance from CO.... but there are some things which i want to add here !!!!!!
*CO plzz dont mind, but i cannot stop myself in case of HijackThis =|*

So first of all,,,, goto Start>run>msconfig>Startup
and enable the entries for ur Antivirus and Firewall softwares
leave the other ones unchecked if u dont recognise them !!!!

restart and make sure that u have these five tools installed on ur system...
==========================================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
Stinger >> http://vil.nai.com/vil/stinger/
==========================================================================
then Disable ur messenger service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/

then install the above tools and then Turn off ur system restore if its enabled >> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

after that Fix the following lines in Hijackthis scan !!!!

========================================================
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [each pile] C:\PROGRA~1\VCCLOC~1\Barb meet.exe
O4 - HKLM\..\RunServices: [Configuration Loader] chkprocess.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
===============================================================
then....

1. Restart ur machine
2. Boot into safemode and Login as Administrator (How to get into safemode >> http://www.computerhope.com/issues/chsafe.htm)
3. Run the AntiVirus tool(stinger) and delete all viruses it found
4. Run the Spyware Removal tools(the all above five tools) and delete everything they detect
5. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
9. goto C:\Windows\System32 and delete the file msconfg.exe (its not the original msconfig.exe file)
10. Reboot back in Normal Mode and check if problems are gone
11. If YES then Great, otherwise run the HijackThis scan, and post the LOG file here again.


!! GOOD LUCK !!
LVL 44

Expert Comment

by:CrazyOne
There is one thing that always bothers me. I have yet to see where turning off System Restore does anything to help unless the problem is explicitly within it. Most of the time it is not. With the amount of Restore Dates that XP likes to keep it really is not all that necessary to turn it off. And unless an AV or a Malware scanner finds something in the System Restore then why turn it off. And if it does find something all one needs to do is to delete the RPx file that was identified.

I agree these two don't belong

O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
LVL 65

Expert Comment

by:SheharyaarSaahil
I don't know if u will agree with me or not,,, but i have seen so many cases where with System restore turned on, most of malware comes back even if they are not reported lying in any of the restore points.... !!!
and when we turn off system restore, 90% of them go away from the system.... :)

I hope u didn't mind my interference in this question =\
LVL 44

Expert Comment

by:CrazyOne
Ummm I disagree. The System Restore is checked by at least I know from Norton and SpyWare. It depends if you set them up to first check zip files or any other compressed file.
LVL 12

Expert Comment

by:rossfingal
Hi! ALL!

A couple of things:
>Stabo66
I could be mistaken; but, this does not look like a complete HijackThis log -
no 016, 018, 020, etc. entries.

Also, see the following for information concerning winantivirus 2004 and the 010 entries in your log:
(O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll)
http://www.angeltowns.com/members/zupe/lsps.html
Also:
http://forum.aumha.org/viewtopic.php?p=33464
And:
http://www.tek-tips.com/viewthread.cfm?qid=744567

Just some information!

>CrazyOne
Good to see you!
Hope things are going well!

Cheers and good luck!
RF
LVL 44

Expert Comment

by:CrazyOne
HI RF
Author Comment

by:Stabo66
Thank you all for your assistance. Spent a few hours this morning trying to get all your suggestions completed.
Since I'd already used CrazyOne's suggestions to remove 95% of the problems (over 1000 items in total), I tried SheharyaarSaahil's suggestions next.  Everything seems to work well except that SpySweeper keeps freezing.  

Unfortunately, I'm leaving town shortly so the in-laws will have to make do with the incremental improvements.  I still haven't been able to rid the PC of  "C:\searchpage.html" which is a rather annoying hijack.  I'll distribute points now because I'm not sure if I'll have enough time to check any updates I get from the community until next week sometime.  If I do get more feedback and suggestions I'll either try doing them myself, or talk my father-in-law through the process over the phone.

I'm attaching my latest HijackThis log file below.  In response to Rossfingal's comment above - yes, I've been posting my entire HijackThis log file. I'm not sure why there are no 016, 018, or 020 entries, though I don't know what those are.

SpyBot is also still getting problems that it can't seem to clean. I'll attach that log in a separate comment below.

Once again, a big THANK YOU to everyone that's helped me. Though I haven't gotten all the darn bugs yet, I've managed to get 98% of them.


Logfile of HijackThis v1.98.2
Scan saved at 2:15:08 PM, on 8/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\Program Files\Common Files\WinAntiVirus 2004\VapFM.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fwiqgnwvfpfjqatojf.com/WT6Dlbj/KktXNlmjPKgfve3veaPe4G7c8uRqG9F9ZMftWRoJFl0N1f8DZhj0eBu5.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Configuration Loader] chkprocess.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll

Expert Comment

by:SheharyaarSaahil
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
============================================

fix these two lines (these were not present before), and this Rundll16.exe is a variant of the Backdoor.Sdbot virus, see here >> http://www.liutilities.com/products/wintaskspro/processlibrary/rundll16/

so run some online virus scans after fixing those two lines, and run Stinger and ur Antivirus software in safemode to make sure ur system is Really Clean !!!!!!

CHECK FOR ONLINE VIRUS SCAN:
--------------------------------------
1. http://us.mcafee.com/root/mfs/default.asp?cid=9059
2. http://security.symantec.com/
3. http://housecall.trendmicro.com/
4. http://www.pandasoftware.com/activescan/com/activescan_principal.htm
5. http://www.pcpitstop.com/antivirus/default.asp

post back if u have any more confusion or problem :)
Expert Comment

by:SheharyaarSaahil
and yes this line also was not included in the first LOG >> O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe

this is also a nasty thingy >> http://www.liutilities.com/products/wintaskspro/processlibrary/uptodate/
so Fix it Also and remove this file if it's present in ur C:\Windows folder !!!!!
Author Comment

by:Stabo66
Here is my SpyBot log:

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\180solutions

n-Case: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\180solutions

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\DialerConn1

AMO (americanmedicalonline): RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\DialerConn1

BrowserAid.LetsSearch: Autorun settings (Registry value, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunWindowsUpdate

BrowserAid.RunDll: Autorun settings (Registry value, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll16

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

CoolWWWSearch: Domain settings (Registry change, fixed)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\PRPI

Dialler: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\PRPI

Download Accelerator Plus ads: Settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\Software\SpeedBit\Download Accelerator\ADS\SecondMedia

Download Accelerator Plus ads: Ad category (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSFileList

Download Accelerator Plus ads: Ad category (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSAds

Download Accelerator Plus ads: Default ad category (Registry change, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\ADSDefaultCategory=Default

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-21-515967899-1993962763-1708537768-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\egroup

eGroup: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\egroup

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\New Dialup Connection

Seksdialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\New Dialup Connection

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\Software\SiteIcons

Unknown: User settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\SiteIcons

WebDialer:  Executable (File, fixing failed)
  C:\WINDOWS\5-1-6-26.exe

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-20\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\S-1-5-19\RemoteAccess\Profile\eConnect

WebDialer: RAS profile (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\RemoteAccess\Profile\eConnect


--- Spybot - Search && Destroy version: 1.3  ---
2004-05-12 Includes\LSP.sbi
2004-08-11 Includes\Cookies.sbi
2004-08-11 Includes\Dialer.sbi
2004-08-11 Includes\Hijackers.sbi
2004-08-11 Includes\Keyloggers.sbi
2004-08-11 Includes\Malware.sbi
2004-08-11 Includes\Revision.sbi
2004-08-11 Includes\Security.sbi
2004-08-11 Includes\Spybots.sbi
2004-08-11 Includes\Trojans.sbi
2004-08-11 Includes\Tracks.uti
Expert Comment

by:SheharyaarSaahil
Stabo66,,,,, the failing of fixing these registry keys might be due to permissions !!!!

to check this go to Start>Run>regedit
and go to the locations which Spybot is failing to remove,,,, like e.g >> HKEY_USERS\S-1-5-18\Software\180solutions
right click the 180Solutions folder and click Permissions,,,, and make sure NOTHING should be Denied here, if it is then untick it and take full control of this folder !!!!

now u can either manually delete this folder, or can run spybot to delete them..... and do the same for other folders also :)
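The permission check described in the comment above, as an added PowerShell example that is not part of the thread: it reports explicit Deny entries on a sample of the keys Spybot listed as "fixing failed", and lists the HKLM/HKCU Run autostarts so the Rundll16 and RunWindowsUpdate entries can be confirmed gone. It assumes a Windows version with PowerShell (the thread's machine is XP SP1, which has none) and an elevated prompt, since the HKEY_USERS hives of SYSTEM/service accounts are not readable otherwise.

```powershell
# Added example, not from the thread. Key paths are taken from the Spybot log
# above; the list is a sample, extend it with the other "fixing failed" keys.
$failedKeys = @(
    'Registry::HKEY_USERS\S-1-5-18\Software\180solutions',
    'Registry::HKEY_USERS\S-1-5-18\RemoteAccess\Profile\DialerConn1',
    'Registry::HKEY_USERS\.DEFAULT\Software\SiteIcons'
)

# Report any explicit Deny ACE on a key; a Deny for the cleaning tool's
# account is what blocks Spybot from deleting the key.
function Get-DenyAces {
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Output "$KeyPath : not present"
        return
    }
    $acl  = Get-Acl -LiteralPath $KeyPath
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    if (-not $deny) {
        Write-Output "$KeyPath : no Deny entries"
        return
    }
    foreach ($ace in $deny) {
        Write-Output ("{0} : DENY {1} for {2}" -f $KeyPath, $ace.RegistryRights, $ace.IdentityReference)
    }
}

$failedKeys | ForEach-Object { Get-DenyAces -KeyPath $_ }

# Enumerate the Run autostarts that HijackThis shows as O4 lines, so the
# rundll16.exe / uptodate.exe entries can be verified removed after the fix.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        # PS* properties are provider metadata, not registry values
        if ($p.Name -notlike 'PS*') { "{0}: [{1}] {2}" -f $k, $p.Name, $p.Value }
    }
}
```

Removing a Deny entry or taking ownership is then done in regedit as the comment describes; this script only reports, it changes nothing.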