Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't delete Trojan.FakeAlert Reg key


  • This topic is locked This topic is locked
3 replies to this topic

#1 marchm

marchm

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 17 February 2009 - 01:30 PM

Hi
I've run several malware removal programs but I keep getting them back. I've run SuperAntiSpy and malwarebytes.
After trying to delete the file Malwarebytes says that it will be deleted on reboot which does not work.
Win XP SP2 Prof. AVG 8.0
HKEY_CLASSES_ROOT\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B} is the key that it tries to remove.

Thanks,
marc


DDS (Ver_09-02-01.01) - NTFSx86
Run by Marc Moran at 13:06:31.78 on Tue 02/17/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2644 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Marc Moran\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nationalreview.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: AntiVirusDisableNotify = 2089932196 (0x7c91d5a4)
uPolicies-explorer: UpdatesDisableNotify = 2089932196 (0x7c91d5a4)
uPolicies-explorer: FirewallDisableNotify = 2089932196 (0x7c91d5a4)
mPolicies-explorer: AntiVirusDisableNotify = 2089932196 (0x7c91d5a4)
mPolicies-explorer: UpdatesDisableNotify = 2089932196 (0x7c91d5a4)
mPolicies-explorer: FirewallDisableNotify = 2089932196 (0x7c91d5a4)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Bayside Sniper - Add Auction Item - c:\documents and settings\marc moran\application data\baysidesniperii\BaysideSniperIE.dll/IE/201
IE: Bayside Sniper - Add Item Group - c:\documents and settings\marc moran\application data\baysidesniperii\BaysideSniperIE.dll/IE/203
IE: Bayside Sniper - Item Feedback Analyzer - c:\documents and settings\marc moran\application data\baysidesniperii\BaysideSniperIE.dll/IE/202
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {C8644EC1-E8D3-4691-B778-6458E3701177} - res://c:\documents and settings\marc moran\application data\baysidesniperii\BaysideSniperIE.dll/IE/201
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187955970546
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} - hxxp://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} - hxxp://us.bookmarks.yahoo.com/YbConvFav.CAB
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://echat.us.dell.com/Media/VisitorChatENU/TLIEFlash.CAB
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-27 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-27 27656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-27 298264]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S4 0317421195593758mcinstcleanup;McAfee Application Installer Cleanup (0317421195593758);c:\docume~1\admini~1\locals~1\temp\031742~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\031742~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S4 McSysmon;McSysmon;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]

=============== Created Last 30 ================

2009-02-17 12:49 <DIR> --d----- c:\program files\Trend Micro
2009-02-17 12:25 <DIR> a-dshr-- C:\cmdcons
2009-02-17 12:23 161,792 a------- c:\windows\SWREG.exe
2009-02-17 12:23 98,816 a------- c:\windows\sed.exe
2009-02-17 11:18 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-17 11:12 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-17 10:43 7,168 a--sh--- C:\Thumbs.db
2009-02-16 13:35 <DIR> --d----- c:\docume~1\marcmo~1\applic~1\Malwarebytes
2009-02-16 13:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-16 13:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 13:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 13:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 12:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-16 12:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-16 12:20 <DIR> --d----- c:\docume~1\marcmo~1\applic~1\SUPERAntiSpyware.com
2009-02-16 09:10 109 a--sh--- c:\windows\system32\2760996179.dat
2009-01-29 10:28 <DIR> --d----- c:\program files\Ace Utilities

==================== Find3M ====================

2009-02-16 17:12 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-16 17:12 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-10-28 13:37 61,224 a------- c:\documents and settings\marc moran\GoToAssistDownloadHelper.exe
2006-11-12 13:41 557,056 a------- c:\documents and settings\marc moran\chatlnk.exe

============= FINISH: 13:06:50.87 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:00 PM

Posted 28 February 2009 - 09:02 AM

Hello.

Let's remove that key and then post back with a new DDS logs. What problems do you still have?

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have backup so encase anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.


Download and Run Script with Swreg.exe
  • Please download SWREG.exe, and save it to your C:\Windows Directory please.
In case you are using Firefox and it get's saved directly onto your desktop do the following:
  • Please copy and paste Swreg.exe to your C:\Windows directory.
  • After you have pasted Swreg.exe into your C:\Windows directory you may delete the other copy on you desktop
  • We need to execute a Batch File now
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the Code.
    swreg ACL HKEY_CLASSES_ROOT\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B} /OA
    swreg ACL HKEY_CLASSES_ROOT\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B} /P /GE:F
    swreg NULL DELETE HKEY_CLASSES_ROOT\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}
    swreg DELETE HKEY_CLASSES_ROOT\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}
    
    Reg Export HKEY_CLASSES_ROOT\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B} C:\export.txt
    Notepad export
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Remove.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on Remove.bat to run it. You may get a security warning, please select Run. A black window will open and then disappear this is normal. Then Notepad will open, post the contents of notepad in your next reply.

note: If notepad was empty just let me know.

Post back with new DDS logs as well and problems you may still have.

With Regards,
Extremeboy

Edited by extremeboy, 28 February 2009 - 09:02 AM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:00 PM

Posted 03 March 2009 - 04:10 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:00 PM

Posted 05 March 2009 - 04:09 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

Please start a new thread in the Hijackthis-Malware Removal forum and post a new DDS logs if you need help again, due to the fact that I need to leave in a few days and cannot continue to help you if you need it re-opened. If you require assistance again, start a new topic. Do Not PM me please.

This applies only to the original topic starter.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users