BleepingComputer.com Computer Help Forums

Spybot Reg Change
geasy
post Feb 19 2008, 07:08 PM
Post #1
Member
Group: Members
Posts: 35
Joined: 30-August 05
From: uk
Member No.: 32,721

Hi,

Each time I open IE I receive a Spybot registry entry notification for ITBarLayout. I have to deny it every time.

I also have a message that keeps popping up saying "..... notice, if your computer has been running slower than normal, it may be infected with viruses, adaware or spyware. maleware alarm will perform a quick and completely free scan. please click on link..." and so on.

I would be grateful if somebody would be able to help with this.

Many thanks
Orange Blossom
post Feb 23 2008, 01:21 AM
Post #2
The Bookworm
Group: Moderator
Posts: 6,391
Joined: 14-July 06
From: Bloomington, IN
Member No.: 76,150

Hello geasy,

What is your operating system: Windows XP, Vista, etc.?

What security programs, besides Spybot, do you have on your computer?

Also, please verify: Does the pop-up say maleware alarm or malware alarm? Exact spelling is crucial for proper identification.

At this point, I would suggest running a scan with SUPERAntiSpyware in Safe Mode. You will, of course, install it in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
  1. Close browsers before scanning
  2. Scan for tracking cookies
  3. Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into Safe Mode
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.

Please post the log in your reply.

Orange Blossom


--------------------
Orange Blossom

An ounce of prevention is worth a pound of cure

ESET NOD32, AVG Anti-spyware Free, SuperAntiSpyware Pro, SpywareBlaster, Spybot 1.5, WinPatrol Plus, Sunbelt Personal Firewall - Full, Comodo BOClean 4.27, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
geasy
post Feb 25 2008, 01:57 PM
Post #3

Hi, and thanks for replying.

I'm running XP with Service Pack 2.

The spelling is malwarealarm.

And I'm having all kinds of problems with the PC at the moment, from running really slow to hundreds of pop-ups, and AVG keeps finding trojans.
geasy
post Feb 25 2008, 04:36 PM
Post #4

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/25/2008 at 02:57 AM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 02:08:00

Memory items scanned : 169
Memory threats detected : 2
Registry items scanned : 4549
Registry threats detected : 15
File items scanned : 60811
File threats detected : 33

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\JKKJKII.DLL
C:\WINDOWS\SYSTEM32\JKKJKII.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkjkii
C:\WINDOWS\SYSTEM32\KHFFFED.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\JKHFF.DLL
C:\WINDOWS\SYSTEM32\JKHFF.DLL
HKLM\Software\Classes\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKCR\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKCR\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}\InprocServer32
HKCR\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}
HKCR\CLSID\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}
HKCR\CLSID\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}\InprocServer32
HKCR\CLSID\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKCR\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}

Adware.Tracking Cookie
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@tribalfusion[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@ad.yieldmanager[3].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@yadro[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@www.admedia365[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@antispywaresuite[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@clicksor[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@edge.ru4[3].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@bestsellerantivirus[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@3.adbrite[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@ad.yieldmanager[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@ad.zanox[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@ad2networks.advertserve[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@adopt.euroclick[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@banner[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@bizadverts[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@clicktorrent[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@edge.ru4[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@overture[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@prospect.adbureau[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@questionmarket[2].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@realmedia[1].txt
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@tribalfusion[2].txt

Trojan.Unknown Origin
C:\WINDOWS\system32\nGpxx01
HKLM\Software\xpre
HKLM\Software\xpre#execount

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\ADEEG.INI
C:\WINDOWS\SYSTEM32\CFHKJ.INI
C:\WINDOWS\SYSTEM32\FFHKJ.INI
C:\WINDOWS\SYSTEM32\FFHKJ.INI2

Trace.Known Threat Sources
C:\Documents and Settings\geasy.BADASS-E8537735\Local Settings\Temporary Internet Files\Content.IE5\IV2HM1U7\CA8XSP0V.htm
C:\Documents and Settings\geasy.BADASS-E8537735\Local Settings\Temporary Internet Files\Content.IE5\EHOV8VW3\window[1].js
C:\Documents and Settings\geasy.BADASS-E8537735\Local Settings\Temporary Internet Files\Content.IE5\EHOV8VW3\errorhandler[1].htm
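
The log above lists, for each threat, both files and registry locations, and the registry lines are the ones that say how the infection comes back. A DLL registered under Browser Helper Objects is loaded by Internet Explorer every time it starts; a ShellExecuteHooks entry is loaded by Explorer (and any other process that calls ShellExecute); a Winlogon\Notify package is loaded by winlogon.exe, which runs as SYSTEM, at logon; the CLSID\InprocServer32 keys only map a CLSID to its DLL. The Python script below, an added example rather than code from the thread or from SUPERAntiSpyware, parses a log in this format and sorts each detection by that distinction, so the entries that reload on their own stand out from plain files and tracking cookies. The embedded log is a constructed subset of the one posted here, and the load-point table is the script's own classification, not a SUPERAntiSpyware rule set.

```python
"""Sort SUPERAntiSpyware-style detections by how Windows would load them.
Added example, not code from the thread; the load-point table and the
embedded log (a constructed subset of the posted one) are this script's own."""
import re
from collections import defaultdict

# Registry locations that matter for persistence: a regex matched case-insensitively
# against the registry path, a short label, and whether Windows loads the DLL from
# there without any user action.
LOAD_POINTS = (
    (r"\\Browser Helper Objects\\\{", "BHO", True),               # IE loads it at start
    (r"\\ShellExecuteHooks(#|\\)\{", "ShellExecuteHook", True),   # Explorer / ShellExecute callers
    (r"\\Winlogon\\Notify\\", "WinlogonNotify", True),             # winlogon.exe at logon
    (r"\\CLSID\\\{[^}]+\}\\InprocServer32(#|$)", "InprocServer32", False),  # CLSID->DLL map only
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_RE = re.compile(r"^[A-Za-z]:\\")
REG_RE = re.compile(r"^(HK(LM|CU|CR|U|CC)\\|HKEY_|Software\\)", re.IGNORECASE)

# Constructed subset of the log posted in the thread (same format, fewer lines).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\JKKJKII.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkjkii

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\JKHFF.DLL
HKLM\Software\Classes\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKCR\CLSID\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}\InprocServer32
HKCR\CLSID\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}\InprocServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF7B6076-F5FE-49CA-BE56-17E3EC3652CC}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}

Adware.Tracking Cookie
C:\Documents and Settings\geasy.BADASS-E8537735\Cookies\geasy@tribalfusion[1].txt

Trojan.Unknown Origin
C:\WINDOWS\system32\nGpxx01
HKLM\Software\xpre
"""

def parse_scan_log(text):
    """Group detections under the threat-name heading that precedes them.
    A heading is any non-path line; the file and registry paths that follow it
    belong to it until the next heading. Preamble lines get no items and are dropped."""
    groups, heading = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FILE_RE.match(line) or REG_RE.match(line):
            if heading:
                groups[heading].append(line)
        else:
            heading = line
    return {name: items for name, items in groups.items() if items}

def classify(items):
    """Split one threat's detections into files, known load points as
    (label, path), other registry entries, and the CLSIDs involved."""
    files, load_points, other_reg, clsids = [], [], [], set()
    for item in items:
        clsids.update(c.upper() for c in CLSID_RE.findall(item))
        if FILE_RE.match(item):
            files.append(item)
            continue
        for pattern, label, _ in LOAD_POINTS:
            if re.search(pattern, item, re.IGNORECASE):
                load_points.append((label, item))
                break
        else:
            other_reg.append(item)
    return {"files": files, "load_points": load_points,
            "other_registry": other_reg, "clsids": sorted(clsids)}

def summarize(text):
    return {name: classify(items) for name, items in parse_scan_log(text).items()}

AUTO_LOAD = {label for _, label, auto in LOAD_POINTS if auto}

def persistent_threats(summary):
    """Threats registered somewhere Windows loads them automatically."""
    return [name for name, info in summary.items()
            if any(label in AUTO_LOAD for label, _ in info["load_points"])]

def triggers_by_clsid(summary):
    """Which auto-load hooks each CLSID sits under. A CLSID registered as both
    a BHO and a ShellExecuteHook gets its DLL into IE and Explorer alike."""
    hooks = defaultdict(set)
    for info in summary.values():
        for label, path in info["load_points"]:
            if label in AUTO_LOAD:
                for clsid in CLSID_RE.findall(path):
                    hooks[clsid.upper()].add(label)
    return {clsid: sorted(labels) for clsid, labels in hooks.items()}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for threat, info in report.items():
        print(f"{threat}: {len(info['files'])} file(s), {len(info['load_points'])} load point(s)")
        for label, path in info["load_points"]:
            print(f"    [{label}] {path}")
    print("Auto-loading threats:", persistent_threats(report))
    print("Hooks per CLSID:", triggers_by_clsid(report))
```

Run it as-is to print the report for the embedded excerpt, or set SAMPLE_LOG to the full text of a saved scan log. For this excerpt it reports that both the AffiliateBundle entry (via Winlogon\Notify) and the Vundo entry (via a BHO and a ShellExecuteHook on the same CLSID) are auto-loading, which is why the removal tools delete the registry keys and not only the DLLs.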
Orange Blossom
post Feb 25 2008, 07:17 PM
Post #5

Hello geasy,

Thanks for posting the log. Your computer has been infected, among other things, with Vundo. Please follow the directions in this guide: http://www.bleepingcomputer.com/forums/topic18610.html

If you have any questions as you go through the guide, please ask them as a reply in this thread. When you have finished the guide, please post the Vundo log as a reply.

Orange Blossom


geasy
post Feb 26 2008, 07:54 AM
Post #6

Scanned my PC with VundoFix and it found 4 infected files.
I fixed them; 3 were fixed right away and the other one was fixed on reboot.

I can't find how you get the log.

Spybot is no longer asking to change the registry and the PC is running a lot faster. Is there anything else I need to do?

Really appreciate your help with this.


VundoFix V6.7.9

Checking Java version...

Scan started at 16:22:15 25/02/2008

Listing files found while scanning....

C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkkjkii.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\ffhkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkhff.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkjkii.dll
C:\WINDOWS\system32\jkkjkii.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkjkii.dll
C:\WINDOWS\system32\jkkjkii.dll Has been deleted!

Performing Repairs to the registry.
Done!


quietman7
post Feb 26 2008, 01:32 PM
Post #7
Bleepin' Janitor
Group: Global Moderator
Posts: 14,074
Joined: 9-July 05
From: Virginia, USA
Member No.: 26,513

Lets do one more scan.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.


--------------------
"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"

Microsoft MVP - Windows Security 2007-2009
geasy
post Feb 26 2008, 03:58 PM
Post #8

I have done the quick scan.

Here is the log:

Malwarebytes' Anti-Malware 1.05
Database version: 410

Scan type: Quick Scan
Objects scanned: 29412
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\acespy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


I'm now running the in-depth scan and will post the log as soon as it's complete.


Malwarebytes' Anti-Malware 1.05
Database version: 410

Scan type: Quick Scan
Objects scanned: 29412
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\acespy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)



This is the log of the full scan.


quietman7
post Feb 27 2008, 08:02 AM
Post #9

Ok. Let me know how it goes.


geasy
post Feb 27 2008, 11:18 AM
Post #10

I have already posted the full scan log under the quick scan log in my other post.

I'm still getting loads of trojan alerts from AVG, some of which will not allow me to heal or quarantine.

The PC is a lot faster now and Spybot has stopped asking to change the registry.
quietman7
post Feb 27 2008, 11:30 AM
Post #11

QUOTE
I'm still getting loads of trojan alerts from AVG
What do the alerts say? Are they providing a specific file name and location (full path) for any of these files?


geasy
post Feb 27 2008, 01:58 PM
Post #12

They are saying C drive, Documents and Settings, geasy, Local Settings, Temp, packet.

But when I go to open the geasy file a box comes up saying access denied.


In my Documents and Settings there are 6 folders. 3 have blue writing and 3 have black writing. The folders with blue writing say All Users.WINDOWS, Default User.WINDOWS, geasy.BADASS-E8537735; the 3 with black writing say All Users, Default User, geasy. I can open all of them except the geasy one.
quietman7
post Feb 27 2008, 02:57 PM
Post #13

This issue will require further investigation. Before that can be done you will need to create and post a HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.


geasy
post Feb 29 2008, 08:29 AM
Post #14

Just a quick thank you, and to let you know someone is going through my HijackThis log at the moment.

As soon as it has been done I'll post the outcome on this thread.
quietman7
post Feb 29 2008, 08:36 AM
Post #15

Your HijackThis log is posted here and I see that you are getting assistance from teacup61, so you're in good hands.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic and will monitor your other thread.

Thanks for your cooperation and good luck with your log.



© 2003-2008 All Rights Reserved Bleeping Computer LLC.