PDA

View Full Version : winlog.exe named as trojan but unable to delete



marcellarose
2006-07-17, 02:43
I'm trying to repair the damage my daughter did to her laptop while downloading a p2p program and ignoring all safeguards. I was able to install and run McAfee VirusScan, and was advised the file at WINDOWS/system32/winlog.exe is a "Memory Trojan name: New Malware!bot" that cannot be cleaned, quarantined, nor deleted.

When I try to delete manually, the folder system32 does not appear in Windows (though all other folders appear).

I was able to install SpyBot, but unable to run it ("error retrieving update info file; cannot allocate socket")

I was able to install & run HijackThis, and the log file follows. Your advice is much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 6:21:58 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\bGF1cmVsYw\command.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\dfndrad_5.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\DOBE~1\regsvr32.exe
C:\WINDOWS\?icrosoft.NET\s?ool32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NorbiesHijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {530FC065-51F4-572E-F4EE-77D58E73BE9E} - C:\WINDOWS\system32\jyrasg.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmad_5.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\DOBE~1\regsvr32.exe" -vt yazr
O4 - HKCU\..\Run: [Ojetax] C:\WINDOWS\?icrosoft.NET\s?ool32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148608385527
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\regedit.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\p4r40e9qeh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bGF1cmVsYw\command.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Thank you,
MarcellaRose

Rawe
2006-07-17, 15:00
Welcome aboard :)

Download Combofix (http://download.bleepingcomputer.com/sUBs/combofix.exe) to your desktop:
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

marcellarose
2006-07-17, 15:45
Rawe, thanks so much for the quick response. I've forwarded your instruction to my daughter, and will get that log posted here as soon as she responds.

MarcellaRose

marcellarose
2006-07-18, 15:26
Here it is, Rawe. All Greek to Me. Hope you can decipher.

Start Time= Tue 07/18/2006 0:25:55.63
Running from: C:\Documents and Settings\laurel\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log
))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{D605E7AC-2CFF-4722-B9CC-03D6A16DF3C3}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\clsid\{D605E7AC-2CFF-4722-B9CC-03D6A16DF3C3}\Implemented
Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{D605E7AC-2CFF-4722-B9CC-03D6A16DF3C3}\Implemented
Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{D605E7AC-2CFF-4722-B9CC-03D6A16DF3C3}\InprocServer32]
@="C:\\WINDOWS\\system32\\wkhext.dll"
"ThreadingModel"="Apartment"

Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions
)))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndrac_6.exe
C:\dfndrad_5.exe
C:\nwnmad_5.exe
C:\kybrdac_6.exe
C:\kybrdad_5.exe
C:\Documents and Settings\laurel\Local Settings\Temporary Internet
Files\Content.IE5\30ESGYQ8\drsmartload[1].exe
C:\WINDOWS\keyboard1.dat
C:\MTE3NDI6ODoxNg.exe
C:\warebundle2.exe
C:\warebundlenewer.exe
C:\Documents and Settings\laurel\Local Settings\Temporary Internet
Files\Content.IE5\9STUIE2G\MTE3NDI6ODoxNg[1].exe
C:\Program Files\network monitor
C:\Program Files\Common Files\misc001
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\bGF1cmVsYw


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report
)))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-18 00:28 <DIR> C:\Program Files\common files
2006-07-17 22:30 <DIR> C:\Program Files\toolbar888
2006-07-17 21:37 <DIR> C:\Program Files\spybot - search & destroy
2006-07-17 21:12 234,272 C:\WINDOWS\system32\wkhext.dll
2006-07-17 21:12 234,272 C:\WINDOWS\system32\whcltui.dll
2006-07-17 21:11 234,272 C:\WINDOWS\system32\wfhbth.dll
2006-07-17 21:11 234,064 C:\WINDOWS\system32\lvrq0995e.dll
2006-07-16 19:00 237,172 C:\WINDOWS\system32\fuultrep.dll
2006-07-16 18:52 236,678 C:\WINDOWS\system32\vkrifier.dll
2006-07-16 18:45 <DIR> C:\Program Files\spybot
2006-07-16 18:23 <DIR> C:\Program Files\norbieshijackthis
2006-07-16 18:08 237,172 C:\WINDOWS\system32\atptif.dll
2006-07-16 17:59 <DIR> C:\Program Files\winamp
2006-07-16 16:59 <DIR> C:\Program Files\winupdates
2006-07-16 10:29 <DIR> C:\Program Files\mcafee.com
2006-07-13 12:04 2 C:\WINDOWS\system32\wnsintsu.exe
2006-07-13 12:03 <DIR> C:\Program Files\outlook
2006-07-13 12:03 <DIR> C:\Program Files\Common
Files\{143959a4-0958-1033-1018-040305130001}
2006-06-28 11:12 139,264 C:\WINDOWS\system32\jyrasg.dll
2006-06-20 16:08 <DIR> C:\Program Files\internet explorer
2006-06-16 12:24 <DIR> C:\Documents and Settings\laurel\Application
Data\adobe
2006-06-10 18:41 <DIR> C:\Program Files\quicktime
2006-06-10 18:41 <DIR> C:\Documents and Settings\laurel\Application
Data\apple computer
2006-06-10 18:40 <DIR> C:\Program Files\itunes
2006-06-10 18:38 <DIR> C:\Program Files\ipod
2006-06-04 10:37 <DIR> C:\Documents and Settings\laurel\Application
Data\microsoft
2006-06-01 19:19 <DIR> C:\Program Files\image-line
2006-05-29 21:20 <DIR> C:\Documents and Settings\laurel\Application
Data\ahead
2006-05-27 20:21 <DIR> C:\Program Files\Common Files\jasc software inc
2006-05-27 20:21 <DIR> C:\Program Files\Common Files\installshield
2006-05-27 20:20 <DIR> C:\Program Files\jasc software inc
2006-05-27 20:20 <DIR> C:\Documents and Settings\laurel\Application
Data\jasc software inc
2006-05-26 19:30 <DIR> C:\Program Files\limewirepro
2006-05-26 19:30 <DIR> C:\Program Files\limewire
2006-05-26 18:10 <DIR> C:\Program Files\java
2006-05-26 18:08 <DIR> C:\Program Files\Common Files\java
2006-05-26 16:10 <DIR> C:\Documents and Settings\laurel\Application
Data\macromedia
2006-05-26 14:34 <DIR> C:\Documents and Settings\laurel\Application
Data\lavasoft
2006-05-26 14:32 <DIR> C:\Program Files\Common Files\stardock
2006-05-26 14:31 720,896 C:\WINDOWS\iun6002ev.exe
2006-05-26 14:27 <DIR> C:\Program Files\ahead
2006-05-26 14:25 <DIR> C:\Program Files\Common Files\ahead
2006-05-26 14:17 <DIR> C:\Program Files\stardock
2006-05-26 14:14 <DIR> C:\Program Files\Common Files\adobe systems shared
2006-05-26 14:14 <DIR> C:\Program Files\Common Files\adobe
2006-05-26 14:11 <DIR> C:\Program Files\installshield installation
information
2006-05-26 14:11 <DIR> C:\Program Files\adobe
2006-05-26 14:04 <DIR> C:\Program Files\windows media player
2006-05-26 14:04 <DIR> C:\Program Files\outlook express
2006-05-26 14:04 <DIR> C:\Program Files\Common Files\system
2006-05-26 14:00 <DIR> C:\Program Files\messenger
2006-05-26 08:14 <DIR> C:\Program Files\lavasoft
2006-05-26 07:49 <DIR> C:\Program Files\winrar
2006-05-26 00:30 <DIR> C:\Program Files\movie maker
2006-05-26 00:24 <DIR> C:\Program Files\windows nt
2006-05-26 00:24 <DIR> C:\Program Files\netmeeting
2006-05-25 21:47 <DIR> C:\Program Files\ati technologies
2006-05-25 21:38 <DIR> C:\Program Files\broadcom
2006-05-23 17:25 402,736 C:\WINDOWS\system32\wgalogon.dll
2006-05-23 00:28 <DIR> C:\Program Files\synaptics
2006-05-23 00:26 <DIR> C:\Program Files\sigmatel
2006-05-23 00:13 <DIR> C:\Program Files\conexant
2006-05-23 00:10 <DIR> C:\Program Files\windowsupdate
2006-05-23 00:00 <DIR> C:\Program Files\uninstall information
2006-05-23 00:00 <DIR> C:\Program Files\Common Files\microsoft shared
2006-05-23 00:00 <DIR> C:\Documents and Settings\laurel\Application
Data\identities
2006-05-22 23:46 <DIR> C:\Program Files\xerox
2006-05-22 23:46 <DIR> C:\Program Files\microsoft frontpage
2006-05-22 23:37 <DIR> C:\Program Files\online services
2006-05-22 23:37 <DIR> C:\Program Files\Common Files\services
2006-05-22 23:36 <DIR> C:\Program Files\Common Files\mssoap
2006-05-22 23:35 <DIR> C:\Program Files\msn gaming zone
2006-05-22 23:35 <DIR> C:\Program Files\msn
2006-05-22 23:35 <DIR> C:\Program Files\complus applications
2006-05-22 19:24 62 C:\Documents and Settings\laurel\Application
Data\desktop.ini
2006-05-22 19:24 <DIR> C:\Program Files\Common Files\speechengines
2006-05-22 19:24 <DIR> C:\Program Files\Common Files\odbc


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days
)))))))))))))))))))))))))))))))))))))))))))


2006-07-17 21:12 234,272 C:\WINDOWS\system32\wkhext.dll
2006-07-17 21:12 234,272 C:\WINDOWS\system32\whcltui.dll
2006-07-17 21:11 234,272 C:\WINDOWS\system32\wfhbth.dll
2006-07-17 21:11 234,064 C:\WINDOWS\system32\lvrq0995e.dll
2006-07-16 19:00 237,172 C:\WINDOWS\system32\fUultrep.dll
2006-07-16 18:52 236,678 C:\WINDOWS\system32\vkrifier.dll
2006-07-16 18:08 237,172 C:\WINDOWS\system32\atptif.dll
2006-07-16 08:55 288,320 C:\WINDOWS\system32\mcgdmgr.dll
2006-07-16 08:53 349,760 C:\WINDOWS\system32\mcinsctl.dll
2006-07-13 12:04 2 C:\WINDOWS\system32\wnsintsu.exe
2006-07-13 12:04 139,264 C:\WINDOWS\system32\jyrasg.dll
2006-06-20 16:09 221,184 C:\WINDOWS\system32\wmpns.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points
))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BCMSMMSG"="BCMSMMSG.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control
Panel\\atiptaxx.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program
Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"outlook"="C:\\Program Files\\outlook\\outlook.exe /auto"
"winlog"="winlog.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Ncao"="\"C:\\WINDOWS\\DOBE~1\\regsvr32.exe\" -vt yazr"
"Ojetax"="C:\\WINDOWS\\?icrosoft.NET\\s?ool32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"AAW"=""
"SpybotSnD"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"winlog"="winlog.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{143959A4-0958-1033-1018-040305130001}"="\"C:\\Program Files\\Common
Files\\{143959A4-0958-1033-1018-040305130001}\\Update.exe\"
mc-110-12-0000137"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet
explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer
(LAURELC-laurel).job

Completion time: Tue 07/18/2006 0:28:49.01
ComboFix ver 06.07.16.2 - This logfile is located at C:\ComboFix.txt

ComboFix.txt

Rawe
2006-07-18, 17:18
Sure thing. :)

Next set...

---

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download Ewido Anti-spyware (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need run Ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
If you aren't able to finish the update within Ewido for a reason or another, you can install the manual updates here (http://www.ewido.net/en/download/updates/).

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-select "Only if threats were found"

Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

==

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk ( C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

4. IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
Lauch Ewido Anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
Ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close Ewido.


==

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the Complete script execution box to pop up and hit OK.
Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of Ewido log that you saved along with a fresh HiJackThis log. :bigthumb:

tashi
2006-07-24, 10:15
How is it going marcellarose

marcellarose
2006-07-24, 14:37
Thank you for asking. I'm still waiting for my daughter to complete the last instruction I received. When her laptop was in my possession, I worked tirelessly to get it up and running. Now that she's taken it back to college, she seems content with it just limping along - as long as she can get online she's willing to put up with the poor performance. Time for me to nag. :)

tashi
2006-07-28, 20:48
:laugh:

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.