> Win32.agent.at/ Smitfraud-c.toolbar888/ Psapianalyzer, Cannot Remove Persistent Browser Hijacker
RichieUK
post Jun 6 2007, 02:28 PM
Post #16


Malware Assassin
******

Group: HJT Team
Posts: 13,611
Joined: 13-July 06
Member No.: 75,975



QUOTE
I'm about 99.999999% certain they're really GONE from EVERYWHERE but the SpyBot "System Startup" page!

So am I, but if you're still concerned you might want to register at the following forum and seek help there.
Safer Networking Forums [Spybot Search and Destroy]:
http://forums.spybot.info/

Let me know how you get on if you do decide to try the above.


--------------------
If I have helped you in any way, please consider a donation:

Proud Member of ASAP (Alliance of Security Analysis Professionals).
Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).
Uralten
post Jun 6 2007, 02:43 PM
Post #17


New Member
*

Group: Members
Posts: 11
Joined: 3-June 07
Member No.: 134,528



I decided to try one more thing, and it actually turned up some references. I did a search with Registry Editor looking for comdb.dll. I found all four of the files (in order) listed in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU, along with entries for other files whose names have become familiar over the last few days (such as cuqnogoh.exe). This same list is repeated in HKEY_USERS\S-1-5-21-839522115-152049171-854245398-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU. Do you think it's possible SpyBot is picking the names up from those entries? Should I delete them by hand and just leave those numbered keys without any data and see if that makes them go away?
RichieUK
post Jun 6 2007, 03:04 PM
Post #18


Malware Assassin
******

Group: HJT Team
Posts: 13,611
Joined: 13-July 06
Member No.: 75,975



QUOTE
Should I delete them by hand and just leave those numbered keys without any data and see if that makes them go away?

Yes, try that, but back up the registry first by doing the following:

Click on Start > Run, copy and paste the following bold text into the 'Open:' space, then press OK.
regedit /e c:\registrybackup.reg
It won't appear to be doing anything, that's normal.
Your mouse pointer may have an hourglass alongside it for a minute or so.
Please be patient and continue when the hour glass disappears.

This post has been edited by RichieUK: Jun 6 2007, 03:05 PM


Uralten
post Jun 7 2007, 11:27 AM
Post #19


New Member
*

Group: Members
Posts: 11
Joined: 3-June 07
Member No.: 134,528



Hey, Richie, deleting those last few references in the MRU lists in the registry didn't work, either. I'll take your suggestion and go over to the SpyBot forum and see if they can shed any light on this one last glitch. If they come up with an answer, I'll come back here and let you know what it is, so you can use it to advise the NEXT poor sap who catches Vundo!

Thanks again for your EXCELLENT assistance in solving my problem. As promised, I made a PayPal donation to BleepingComputer this morning. I really appreciate all your help!
RichieUK
post Jun 7 2007, 11:45 AM
Post #20


Malware Assassin
******

Group: HJT Team
Posts: 13,611
Joined: 13-July 06
Member No.: 75,975



You're most welcome and thanks for the site donation.


Uralten
post Jun 12 2007, 10:42 AM
Post #21


New Member
*

Group: Members
Posts: 11
Joined: 3-June 07
Member No.: 134,528



Hey, Richie, the mystery of those last four entries in SpyBot's System Startup page has been resolved on the Safer Networking forum. There WAS still a reference to those files in my registry, but I didn't find it with my regedit.exe searches because I was searching for the file names (for example, comdb.dll), while the entries were only the names assigned by SpyBot to those files (for example, comdb). With the help I received at the other forum, I was able to find the following registry branch:

[Begin quoted text]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\comdb]
"Asynchronous"=dword:00000001
"DllName"="c:\\winnt\\inf\\comdb.dll"
"Impersonate"=dword:00000000
"Startup"="UserLogOn"
"Logoff"="UserLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\hggebaa]
"Asynchronous"=dword:00000001
"DllName"="hggebaa.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\nnlkj]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINNT\\system32\\nnlkj.dll"
"Impersonate"=dword:00000000
"Startup"="RealLogon"
"Logoff"="RealLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[End quoted text]

The items SpyBot's System Startup page shows as loading from "system.ini" are actually loading from the Notify branch. Unlike the corresponding entries in SpyBot, which regenerated when deleted, the entries in this branch did NOT regenerate when deleted, and once it was gone, the four offending entries in SpyBot disappeared, as well. As a result, the LAST traces of my Vundo/Psapianalyzer adventure are now eliminated from my computer.

I don't know if you'll be able to use this information to help anybody else, but if you can, you're more than welcome to it. Thanks once again for all your help!!
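Added example, not part of the original post: a small Python parser that lists every subkey under the Winlogon Notify branches of a regedit export together with its DllName, so the audit does not depend on guessing the right search string. The sample text and the one-entry allowlist are constructed for illustration and modelled on the branch quoted above.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Constructed allowlist (assumption); build yours from a known-clean machine.
KNOWN_GOOD = {"wlnotify.dll"}

# Constructed sample in regedit export format.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\comdb]
"Asynchronous"=dword:00000001
"DllName"="c:\\winnt\\inf\\comdb.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\SensLogn]
"DLLName"="WlNotify.dll"
"Logon"="SensLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Example\\example.exe"
'''

def notify_packages(reg_text):
    """Return [(branch, subkey, dll)] for every subkey of a Winlogon Notify* branch."""
    found, current = [], None
    prefix = WINLOGON.lower() + "\\notify"
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(prefix):
                parts = key[len(WINLOGON) + 1:].split("\\")
                if len(parts) == 2:  # branch\subkey, e.g. Notify_Disabled\comdb
                    current = (parts[0], parts[1])
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if current and m and m.group(1).lower() == "dllname":  # DllName or DLLName
            dll = m.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
            found.append((current[0], current[1], dll))
    return found

def unexpected(reg_text):
    """Subkeys whose DLL file name is not on the allowlist."""
    return [(b, k, d) for b, k, d in notify_packages(reg_text)
            if d.rsplit("\\", 1)[-1].lower() not in KNOWN_GOOD]

if __name__ == "__main__":
    for branch, subkey, dll in unexpected(SAMPLE):
        print(f"{branch}\\{subkey} -> {dll}")
```

A real "Windows Registry Editor Version 5.00" export is UTF-16, so read the file with `encoding="utf-16"` before passing its text to `notify_packages`.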
RichieUK
post Jun 12 2007, 10:55 AM
Post #22


Malware Assassin
******

Group: HJT Team
Posts: 13,611
Joined: 13-July 06
Member No.: 75,975



Thanks for the info, Uralten, glad you got the issue resolved.

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.


This post has been edited by RichieUK: Jun 12 2007, 01:07 PM

