AndyManchesta

Posts posted by AndyManchesta

  1. Hi JacquiM

     

    That's great news. If that step had failed then I would have been really stuck for options. Thanks for letting us know it went OK besides the hiccups :)

     

    Let us know if we can help more anytime

     

    All The Best

     

    Andy

  2. Hi JackieM

     

    Sorry for the delay, I just noticed the reply.

     

    Now I'm out of ideas and the script didn't work at all :( The keys it cannot find were also not in the export, and it seems unable to remove the other keys even after allowing full control to Admin and System.

     

    Let's try it a different way.

     

    Download Reglite from Here

     

    Install and run Registrar Lite.

     

    In the address bar at the top, copy and paste

     

    HKEY_CLASSES_ROOT\idcfile

     

    then press GO to the right of the address bar. This will locate the folder and highlight it in blue on the menu to the left.

     

    Right-click the idcfile folder on the menu to the left and choose Properties, then click Take Ownership and press OK twice to exit the properties pane. Then attempt to remove the folder by right-clicking it and choosing Delete.

     

    Repeat the steps for these:

     

    HKEY_CLASSES_ROOT\ComPlusMetaData.MsCorHost

    HKEY_CLASSES_ROOT\ComPlusMetaData.MsCorHost.2

    HKEY_CLASSES_ROOT\MailFileAtt

    HKEY_CLASSES_ROOT\mapifvbx.object

    HKEY_CLASSES_ROOT\mapifvbx.object.1

    HKEY_CLASSES_ROOT\SymWriter.pdb

     

    Let us know if you can remove them after taking ownership.

     

    Andy

  3. Hi CutePuffy,

     

    I don't know the solution to this as I've not noticed it before, but with your HJT log showing that you have been running cracked software that is infected, it could be an indication that some main Windows files have been changed or are missing.

     

    Start with the System File Checker.

     

    Go to Start Menu -> Run -> type

     

    SFC /SCANNOW

     

    (There's a space after SFC). Press OK and it will run the System File Checker. Follow the prompts, insert your Windows installation CD if requested, then reboot the computer after it has finished.

     

    If it doesn't help then you may want to consider upgrading your system to Service Pack 2 now that your scan logs look clean, and it will hopefully repair the problem as part of the upgrade.

     

    http://windowsupdate.microsoft.com. Download all the critical updates for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. This may require you to reboot and revisit Windows Update again to get the remaining updates. Please follow the prompts on the Windows Update site and keep re-visiting until there are no more updates available.

     

    Andy

  4. Hi Tony, Welcome to the forum :)

     

    It's great to see you as a member as it will help this forum and make it a better place.

     

    I agree that VirusTotal is a great site and one I often use as a first step when checking files. If the file is confirmed as malware or is suspicious, then the next stop is the Norman Sandbox Information Center so I can get an idea of what it does when it runs on the system.

     

    http://sandbox.norman.no/live.html

  5. Hi JacquiM

     

    The export missed a couple of keys but we can export that information a bit later if needed. Can you do the same with this attached file: save it to your desktop, extract it and double-click RunThis.cmd to start the script. It will reset the permissions to allow full control to Admin, System and Users on those keys, then attempt to remove them. It will then check if the keys still remain and write the info into a Notepad file which will open when it's finished (and save into the RemoveKeys folder). Please copy and paste the contents of the text file back.

     

    Cheers

     

    Andy

  6. Hi JacquiM

     

    Can you download the attached file and save it to your desktop, right-click the folder then choose Extract All, open the folder and double-click CheckKeys.bat. It will export the information from your registry and open the results in Notepad. Please post the contents of the Notepad file that opens back on here.

     

    When you say you tried to delete them manually, what happened? Does it display any error messages?

     

    Cheers

     

    Andy
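The registry steps from the Registrar Lite post (take ownership, then delete) and from the RunThis.cmd / CheckKeys.bat posts (reset permissions, attempt removal, check what remains, write a report) combined into one script, as an added example. This is not the poster's RunThis.cmd or CheckKeys.bat and not Registrar Lite; it uses the .NET registry security classes from Windows PowerShell. The key names are the ones listed in the Registrar Lite post; the report path under a RemoveKeys folder on the desktop, and the function names, are assumptions made for the example.

```powershell
# Added example: not the poster's RunThis.cmd or CheckKeys.bat, and not Registrar Lite.
# Takes ownership of locked HKEY_CLASSES_ROOT keys, grants Administrators and
# SYSTEM full control, deletes them, then writes which keys remain to a report.
# Run from an elevated Windows PowerShell prompt. The key names are the ones the
# post lists; the report location under RemoveKeys is an assumption.
$Keys = 'idcfile', 'ComPlusMetaData.MsCorHost', 'ComPlusMetaData.MsCorHost.2',
        'MailFileAtt', 'mapifvbx.object', 'mapifvbx.object.1', 'SymWriter.pdb'
$ReportPath = Join-Path $env:USERPROFILE 'Desktop\RemoveKeys\RemoveKeys.txt'

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Administrators hold SeTakeOwnershipPrivilege but it is disabled by default, and a
# key whose DACL denies WRITE_OWNER cannot be opened for ownership without it. This
# is the usual AdjustTokenPrivileges P/Invoke to switch it on for this process.
if (-not ('TokenPriv' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, int access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll,
        ref TokPriv np, int len, IntPtr prev, IntPtr retLen);
    public static bool Enable(string privilege) {
        IntPtr tok;
        IntPtr proc = System.Diagnostics.Process.GetCurrentProcess().Handle;
        if (!OpenProcessToken(proc, 0x28 /* TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY */, out tok))
            return false;
        TokPriv tp = new TokPriv();
        tp.Count = 1; tp.Attr = 2; /* SE_PRIVILEGE_ENABLED */
        if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) return false;
        // Succeeds with last error 1300 (ERROR_NOT_ALL_ASSIGNED) when the token lacks it.
        return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
            && Marshal.GetLastWin32Error() == 0;
    }
}
'@
}
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) { throw 'SeTakeOwnershipPrivilege unavailable.' }

$Hkcr = [Microsoft.Win32.Registry]::ClassesRoot
$Perm = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree

function Unlock-HkcrKey {
    param([string]$SubKey)
    # 1. Open for WRITE_OWNER only and make Administrators (BA) the owner. Passing
    #    only the Owner section means nothing else in the descriptor is touched.
    $key = $Hkcr.OpenSubKey($SubKey, $Perm, [Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $key) { return }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetSecurityDescriptorSddlForm('O:BA', [Security.AccessControl.AccessControlSections]::Owner)
    $key.SetAccessControl($sec)
    $key.Close()
    # 2. The owner always has WRITE_DAC, so replace the DACL outright: protected (P),
    #    KEY_ALL_ACCESS (KA) for Administrators (BA) and SYSTEM (SY), nothing else.
    $key = $Hkcr.OpenSubKey($SubKey, $Perm, [Security.AccessControl.RegistryRights]::ChangePermissions)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetSecurityDescriptorSddlForm('D:P(A;CI;KA;;;BA)(A;CI;KA;;;SY)',
        [Security.AccessControl.AccessControlSections]::Access)
    $key.SetAccessControl($sec)
    $key.Close()
    # 3. Subkeys can carry their own locked DACLs; unlock them the same way.
    $key = $Hkcr.OpenSubKey($SubKey)
    foreach ($child in $key.GetSubKeyNames()) { Unlock-HkcrKey "$SubKey\$child" }
    $key.Close()
}

function Remove-HkcrKey {
    param([string]$SubKey)
    # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes; the
    # delete lands on whichever of the two really holds the key.
    $path = "Registry::HKEY_CLASSES_ROOT\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) { return "$SubKey : not present" }
    try {
        Unlock-HkcrKey $SubKey
        Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
    } catch { return "$SubKey : FAILED - $($_.Exception.Message)" }
    if (Test-Path -LiteralPath $path) { return "$SubKey : still present after delete" }
    return "$SubKey : removed"
}

$report = foreach ($k in $Keys) { Remove-HkcrKey $k }
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | Set-Content -Path $ReportPath
notepad.exe $ReportPath   # same hand-off as the post's script: open the results in Notepad
```

The two-step unlock matters: a key the malware has locked usually denies Administrators everything, so the only way in is the WRITE_OWNER right that SeTakeOwnershipPrivilege grants regardless of the DACL; once Administrators own the key, WRITE_DAC follows implicitly and the DACL can be rewritten. A "FAILED" line in the report therefore points at something other than permissions, such as the key being held open by a running process.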

    I don't know, Aaron, as I've never used it myself. Try posting the question on their forum as they will be in a better position to answer it. Regarding the name, I don't think you will get anything useful from that. If I visited a site and something popped up asking for my name, the reply I'd type in would probably include a few swear words :)

  8. Hi Aaron

     

    No, I don't think that would be possible. With Statcounter being classed as an invisible web tracker I don't think there is any way to combine it into other scripts that are on your page. All you can do is copy and paste the code they provide you with onto your pages, and I would assume any changes or additional features would be made from a control panel that you log into at their site. I've never used it so I cannot be sure, but I just visited the site and noticed they have a forum, so you may be best asking the question on there.

     

    This topic is interesting and does show that some Antispy/protection programs will block the tracker and maybe even the page using it.

     

    http://forum.statcounter.com/vb/showthread.php?t=15495

     

    Everyone is debating that Statcounter is falsely accused of being spyware; what else could they call something that secretly records people's information and is hidden on a webpage? :rolleyes:

    You could use Statcounter, which will record the IP, location, browser/screen resolution, how long they stayed on your pages, what site or search engine they came from, which pages are most popular, etc.

     

    It sounds ideal, but then anyone who visits your page will have a cookie installed from Statcounter, and some protection programs may even block the counter and inform the user the page isn't safe because of its use. I would imagine any counter that records that sort of information would be treated in the same way. I personally think it's a bit intrusive, but it may be the sort of thing you're looking for.

     

    You could use JavaScript to record how many hits the page gets and that is fine, but I think to record IP addresses and what pages they come from it would need tracking cookies to be used.

  10. Hi jgg, Welcome To The Forum

     

    I would imagine CCleaner is connecting to the Internet to check if there are any updates available, which can be enabled or disabled by opening the CCleaner > Options > Settings menu.

     

    The IP appears to be for TelstraClear, so maybe that is your ISP. Try unchecking the "automatically check for updates" option and see if that helps.

     

    Andy

  11. Hi Bujar

     

    That's looking fine :)

     

    Run CCleaner to remove the cookies. It's detected SmitfraudFix as a potentially unwanted tool, but that is just because it's using a utility called Process.exe which is very common in fix tools as it allows them to stop system processes before cleaning the malware. As the tool isn't required now, it can be removed from your PC.

     

    Delete these folders:

     

    C:\Documents and Settings\Sami\desctops\SmitfraudFix

    C:\Documents and Settings\Sami\My Documents\SmitfraudFix

    C:\Documents and Settings\Sami\My Documents\SmitfraudFix.zip

    C:\unzipped\SmitfraudFix

     

     

    The Panda scan is also showing there is a component of WinAntiVirus 2006 on your system. WinSoftware, which makes WinAntiVirus, is a rogue company who may have close links to infections like Trojan Vundo, so I wouldn't trust their products to provide adequate protection. It's on Spyware Warrior's rogue list here:

     

    http://spywarewarrior.com/rogue_anti-spyware.htm

     

    If it is on your system I'd suggest removing it using the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs).

     

    Then delete this file:

     

    C:\Program Files\Common Files\Companion Wizard\WapCHK.dll

     

     

    I have included a few recommended steps below to help prevent future malware infections.

     

    Please navigate to http://windowsupdate.microsoft.com and upgrade your system to Service Pack 2. Download all the critical updates for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. This may require you to reboot and revisit Windows Update again to get the remaining updates. Please follow the prompts on the Windows Update site and keep re-visiting until there are no more updates available.

    Your current version is outdated. I cannot stress enough how important this is.

     

    Keep Ewido on the system. It shows as a 14-day trial, but it works fine after that has expired as an "on-demand" scanner and remover which you can manually update and use anytime.

     

    In order to protect yourself against spyware, you should consider installing and running the following free programs:

     

    Ad-Aware

    A tutorial on using Ad-Aware to remove spyware from your computer may be found Here

     

    Spybot Search & Destroy

    A tutorial on using Spybot to remove spyware from your computer may be found Here. Please also enable Spybot's Immunize feature.

     

    SpywareBlaster

    A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found Here

     

    Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

     

    * Avoid illegal sites, because that's where most malware is present.

    * Don't click on links inside popups or messenger programs.

    * Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.

    * Download free software only from sites you know and trust, as a lot of free software can bundle other software, including spyware.

     

    Please make sure to run your Antivirus software regularly, and to keep it up-to-date.

     

    More information on how to prevent malware and to explain how you got infected can be found Here (By Tony Klein) and Here

     

     

    Following these steps will lower the chances of getting any more malware issues, but let us know if you have any questions or problems anytime.

     

    All The Best

     

    Andy

  12. Hi Bujar

     

    Most of the log appears to be missing compared to your first log:

     

     

    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

     

     

     

    There is no malware showing in the new log but it doesn't look complete. Run Panda ActiveScan to make sure there are no remaining problems.

     

    Run Panda Activescan from Here.

     

    Once you are on the Panda site, click the Scan your PC button.

    - A new window will open...click the Check Now button

    - Enter your Country

    - Enter your State/Province

    - Enter your e-mail address and click send

    - Select either Home User or Company

    - Click the big Scan Now button

    - If it wants to install an ActiveX component, allow it

    - It will start downloading the files it requires for the scan

    (Note: It may take a couple of minutes)

    - When the download is complete, click on Local Disks to start the scan

    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

     

    Please post back the Panda scan log and a new HijackThis log.

     

    Thanks

     

    Andy

    That's excellent

     

    I wonder when it screws your system if it displays Game Over on the screen :)

     

    My brother installed some BT Internet package earlier this week that used to have CA but now uses Norton, and it kept displaying that the system was infected with ETD Scanner for harmless files like DVD software and installers. I checked his system today and Norton has added ETD Scanner to his exclusion list. I assume it has been done through a LiveUpdate, which shows they know about the problem but thought it's a better idea to hide it than fix it. :blink:

  14. Hi DjLizard

     

    I appreciate you stepping in when you did to prevent problems :)

     

    I can only assume this key isn't available on XP Home as I do not have it on any of my PCs. I've just done a quick test and can show what happens when you disable items.

     

    Here are the HKLM Run key contents and MSConfig:

     

     

     

    If I disable them all from startup and reboot, then the HKLM is removed from the location in MSConfig and all the values are removed from the HKLM Run key, as shown here:

     

     

     

    It doesn't create any additional keys (Run-), and if they are re-enabled it returns to the first screenshot.

     

    Thanks for letting me know this key is created on some systems though, in case the topic comes up again.

     

    Cheers

     

    Andy

  15. Hi Bujar,

     

    Welcome back. You have more junk now than you did in the first log, so let's start this fix again :) Please do not change the order of these fixes or take any shortcuts. If I ask you to remove something that you wish to keep then please let me know. I'm going to suggest removing anything that is adware or bundled with adware, but if you have read and accepted the agreements when installing those programs then I fully respect that it's your choice what you have running on your system. If you have any questions or problems please let me know.

     

    First of all you may want to print out this post or copy and paste it to Notepad and save it to your desktop so you have a hard copy of these instructions, as a lot of the steps below will be performed in Safe Mode (please do not skip the Safe Mode steps).

     

    You have HijackThis running from your Temporary folder so this needs moving before we start. HijackThis creates backups if anything is fixed, so it's important that it's not left in the Temporary folder as you will lose the backups if you clear the temp files (which we will be doing as part of this fix).

     

    Please go to the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs) and remove HijackThis, then download it again from HERE. Do not run the program from the download link but save it to your C:\ drive first, then it's in a permanent folder.

     

    Download CCleaner from Here if you do not already have it. Install and then close CCleaner as we will be using it again a bit later.

     

    Next, go to the Add/Remove screen and remove these:

     

    Uninstall MySearch, MyWebSearch, MyWay SearchBar / Search Assistant if you did not knowingly install that yourself. If you have read and agreed to the licence agreement and you want it to stay on your system then it's OK to ignore. More info on MySearch can be found Here and Here.

     

    Next remove Starware. More info on Starware can be found Here.

     

    Also remove 2Search and IM Names if they are listed on the Add/Remove screen. More info on them can be found Here and Here.

     

     

    Next, please delete the SmitfraudFix folder as the infection is constantly updating and there is a newer version of SmitfraudFix available.

     

     

    Please then download the latest version of SmitfraudFix (by S!Ri)

    Extract the content (a folder named SmitfraudFix) to your Desktop.

     

    Please also download, install, and update the free version of Ewido Anti-Malware:

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes, the status bar at the bottom will display "Update successful"
    5. Exit Ewido. DO NOT run a scan yet.

    Next, reboot your computer into Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd.

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

     

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

     

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

     

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

     

    AFTER SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)

    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • If Ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido

    Run HijackThis and choose Do A System Scan, then place a check next to these entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ht*p://as.starware.com/dp/search?x=wKX1ILE...jk1x83abx9kn1dQ

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://as.starware.com/dp/search?x=wKX1ILE...sSUF9ADMervFCs=

    R3 - URLSearchHook: (no name) - - (no file)

    O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll

    O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)

    O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll

    O4 - HKLM\..\Run: [iMprocess] C:\Program Files\IM Names\IM-svr.EXE

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ht*p://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

    Close all open browser and other windows except for HijackThis and press the Fix Checked button.

     

    Optional Fixes

     

    If you choose to remove MySearch/MyWebSearch, please fix these entries using HijackThis if they remain in the log:

    O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    O8 - Extra context menu item: &Search - ht*p://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm185YYYU

     

    Next delete these files:

     

    D:\Buci\Programe\Warwsi\New WinZip File.zip/WarezP2P_DLC.exe

    D:\Buci\Programe\Warwsi\WarezP2P.exe

     

    Then delete these folders:

     

    C:\Program Files\2search

    C:\Program Files\IM Names

    C:\Program Files\Screensavers.com

    C:\Program Files\Starware

     

    Optional

     

    If you remove MySearch, also remove these folders:

     

    C:\Program Files\MySearch

    C:\Program Files\MyWebSearch

     

    Run CCleaner. If you wish to keep your cookies then uncheck the cookies cleaning option on the menu to the left. Press the Run Cleaner button and when it's finished removing temp files close CCleaner.

     

    Then please restart your PC into Normal Windows mode.

     

    Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.

     

    Regards

     

    Andy

     

    Warning: running option #2 (SmitfraudFix) on a non-infected computer will remove your Desktop background.

  16. Thank you DjLizard

     

    I assumed with that latest post I was missing something obvious :)

     

    So the HKEY_USERS Run- key can be deleted, with it having an obsolete program inside, and the one already removed was also fine as that refers to an obsolete program, but the HKLM Run- key is fine to leave in place.

     

     

    @DjLizard - Do you know why I do not have that key on my machines when I have a lot of items disabled in MSConfig?

    Yeah, I agree, but I've never seen a Run- subkey before so I cannot explain how it got there. Windows doesn't create an archive of deleted software in that area of the registry, so it's likely the Freedom program either had a bug when it was installed and created the Run- key instead of adding itself to the Run key, or the key was manually made by someone who uses the PC, but I can only take guesses as I've never seen that before.

     

    The reason I mentioned it was not a default key was that if CCleaner has set paths which it checks for obsolete entries, then it wouldn't check the Run- key as that key shouldn't exist. MrG (the author) would be a better person to comment on that, but I can only assume this is a one-off and I'd be surprised if anyone else said they had a Run- key on their system.

     

    It's probably worth checking the HKEY_LOCAL_MACHINE branch to make sure that hasn't got a Run- key as well.

  18. Hi Again

     

    Sorry for the delay. That key with the - should not exist; the only Run keys that should be in the HKCU area of the registry are Run, RunOnce, RunServices & RunServicesOnce.

     

    I assume CCleaner works on preset paths which the author has written into the program; as Run- is not a default key, it could be the reason why it's not being found as an issue in the scan.

     

    You now have a backup file for the Run- key which you can keep and restore anytime by double-clicking the .reg file which you exported, but it's not needed as you have the correct Run key present, so the next thing to do is delete the Run- key.

     

    Navigate to

     

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

     

    Right click the Run- subkey and choose Delete.

     

    Let us know if you have any problems.

     

    Regards

     

    Andy

  19. Hi Again

     

    That isn't a default registry key and Freedom must have been installed at some stage to add that value to your system. Can you confirm that you have a key called Run and another key called Run-, or do you just have the one key which has the - at the end? If you have both, can you also export the Run key and post the contents of that, then we can remove the value for Freedom if you're certain it's not on the system.
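The Run- discussion above (a non-default key sitting beside Run, holding a value for a program that is no longer installed, backed up with a .reg export before deletion) turned into a small audit script, as an added example that is not from any post in the thread. It lists every Run-style key under both CurrentVersion branches, flags names outside an expected set, shows each value and whether its target still exists, and exports a flagged key with reg.exe before offering to delete it. The expected-name list (the thread's four names plus RunOnceEx), the backup folder on the desktop and the function names are assumptions made for the example.

```powershell
# Added example, not a script from the thread: audit the Run-family keys under both
# CurrentVersion branches, flag any key name outside the expected set (a "Run-" key
# would be flagged), show each value and whether its target still exists, and back a
# flagged key up with reg.exe before deleting it. The expected-name list and the
# backup folder are assumptions, not facts from the thread.
$Branches  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$Expected  = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices', 'RunServicesOnce'
$BackupDir = Join-Path $env:USERPROFILE 'Desktop\RegBackups'

function Get-AutorunKeys {
    foreach ($branch in $Branches) {
        foreach ($key in (Get-ChildItem -Path $branch -ErrorAction SilentlyContinue |
                          Where-Object { $_.PSChildName -like 'Run*' })) {
            $values = foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{ Name = $name; Data = [string]$key.GetValue($name) }
            }
            New-Object PSObject -Property @{
                Path     = $key.Name                          # e.g. HKEY_CURRENT_USER\...\Run-
                Standard = [bool]($Expected -contains $key.PSChildName)
                Values   = @($values)
            }
        }
    }
}

function Test-ValueTarget {
    param([string]$Data)
    # Heuristic: the program is the quoted string or the first token. A bare name such
    # as SOUNDMAN.EXE is resolved through PATH; a rundll32 line only checks rundll32,
    # and an unquoted path containing spaces will be reported as missing.
    if ([string]::IsNullOrEmpty($Data.Trim())) { return $false }
    if ($Data -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Data.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return $true }
    return [bool](Get-Command $exe -ErrorAction SilentlyContinue)
}

function Backup-RegistryKey {
    param([string]$Path)    # full key name, e.g. HKEY_CURRENT_USER\Software\...\Run-
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir (($Path -replace '[\\:]', '_') + '.reg')
    if (Test-Path -LiteralPath $file) { Remove-Item -LiteralPath $file }   # XP's reg.exe has no /y
    & reg.exe export $Path $file | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $file)) { throw "export of $Path failed" }
    return $file
}

function Remove-AutorunKey {
    param([string]$Path)
    $backup = Backup-RegistryKey $Path              # never delete without the .reg to restore from
    Remove-Item -LiteralPath "Registry::$Path" -Recurse -Force -ErrorAction Stop
    return $backup
}

# Report everything, then offer to delete only the non-standard keys.
$audit = @(Get-AutorunKeys)
foreach ($k in $audit) {
    $flag = if ($k.Standard) { '   ' } else { '** ' }
    Write-Host "$flag$($k.Path)"
    foreach ($v in $k.Values) {
        $note = if (Test-ValueTarget $v.Data) { '' } else { '   <- target not found' }
        Write-Host "      [$($v.Name)] $($v.Data)$note"
    }
}
foreach ($k in ($audit | Where-Object { -not $_.Standard })) {
    if ((Read-Host "Delete $($k.Path)? [y/N]") -eq 'y') {
        Write-Host "deleted; backup at $(Remove-AutorunKey $k.Path)"
    }
}
```

Run it from an elevated prompt so the HKLM branch is writable. A flagged key is only ever deleted after its .reg export succeeded, which is the same safety net the thread relied on; double-clicking the exported file puts the key back.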
