Infected with Registry Helper


11 replies to this topic

#1 Pat(rick)


Posted 23 August 2011 - 07:39 PM

My parents were using the computer, and when it was my turn to use it, I noticed some programs had been installed. I scanned the Program Files folder with MBAM and it found some infections:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7501

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/23/2011 7:21:43 PM
mbam-log-2011-08-23 (19-21-43).txt

Scan type: Quick scan
Objects scanned: 561
Time elapsed: 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\registry helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\registry helper\print_16.gif (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\advisorletters.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\background.jpg (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\delete_invalid_entries_grey.jpg (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\errorfound.wav (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\header.gif (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\help.chm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\iehandler.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter1.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter2.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter3.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter4.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter5.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\logo.jpg (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registry helper screen saver setup.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registry helper.url (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelper.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelperbundle.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelpersetupcb.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelpersetuptr.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelperuninstaller.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\Starter.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\uninst.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\vbrun60sp5.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

I scanned again:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7548

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/23/2011 8:32:20 PM
mbam-log-2011-08-23 (20-32-20).txt

Scan type: Quick scan
Objects scanned: 196343
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Now, I wonder if there are any traces of infections left. Am I still infected?
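As an added example (not from the thread, and not Malwarebytes' own code), a small Python parser for the MBAM 1.x log format pasted above: it pulls out each detection with its threat family and action, cross-checks the listed items against the summary counts so a truncated paste is caught, and lists whatever a follow-up scan still flagged. The embedded logs are constructed, abbreviated copies of the two scans in this post.

```python
import re
from collections import Counter

# Sections of the MBAM 1.x log, in the order the log prints them.
SECTIONS = ("Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected")
SUMMARY_RE = re.compile(r"^(%s): (\d+)$" % "|".join(SECTIONS))
# Detail line: "<item> (<family>) -> <action>."  Paths may contain parentheses.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return summary counts, parsed detections, and the sections whose listed
    items disagree with the summary (a sign of a truncated or edited paste)."""
    summary, detections, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        m = SUMMARY_RE.match(line)
        if m:                                    # "Files Infected: 25"
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]                  # "Files Infected:" opens a detail block
        elif section and line and line != "(No malicious items detected)":
            m = DETECTION_RE.match(line)
            if m:
                detections.append({"section": section, **m.groupdict()})
    listed = Counter(d["section"] for d in detections)
    mismatches = {s: (summary.get(s, 0), listed[s]) for s in SECTIONS
                  if summary.get(s, 0) != listed[s]}
    return {"summary": summary, "detections": detections, "mismatches": mismatches}

def residual_items(followup_log):
    """Anything a follow-up scan still flags is residue the first cleanup missed."""
    return [d["item"] for d in parse_mbam_log(followup_log)["detections"]]

# Constructed, abbreviated copies of the two logs pasted in this post.
SCAN_1 = r"""
Registry Keys Infected: 1
Folders Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\registry helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\registry helper\registryhelper.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\uninst.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
"""
SCAN_2 = r"""
Registry Keys Infected: 1
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""
TRUNCATED = "\n".join(SCAN_1.splitlines()[:-1])   # last file line lost in the paste
```

Running `parse_mbam_log` over both logs shows the second scan still removed one registry key, which is exactly the "trace left behind" the question above asks about.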


#2 Broni


Posted 23 August 2011 - 10:03 PM

Are there any visible issues?

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.



 


#3 Pat(rick)


Posted 24 August 2011 - 04:04 PM

Are there any visible issues?

I noticed my computer takes time to turn on from standby mode.

I scanned with SAS and there are other infected files that MBAM didn't detect.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/24/2011 at 04:56 PM

Application Version : 5.0.1118

Core Rules Database Version : 7598
Trace Rules Database Version: 5410

Scan type : Complete Scan
Total Scan Time : 01:21:38

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 224
Memory threats detected : 0
Registry items scanned : 35763
Registry threats detected : 0
File items scanned : 33097
File threats detected : 38

Adware.Tracking Cookie

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093472.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093473.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093474.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093476.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093477.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093478.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093479.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093480.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093481.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A518C7EE-A754-404A-ADB2-4D610FC4F4EB}\RP148\A0093482.EXE

Adware.Vundo/Variant-MSFake
C:\WINDOWS\SYSTEM32\MSIZAP.EXE
C:\WINDOWS\SYSTEM32\MSICUU.EXE

#4 Broni


Posted 24 August 2011 - 08:48 PM

I noticed my computer takes time to turn on from standby mode.

I don't think this is malware-related.
Desktop, or laptop?

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.



 


#5 Pat(rick)


Posted 25 August 2011 - 05:49 PM

Desktop, or laptop?

Desktop.

ESET scan finished. No threats found.

#6 Broni


Posted 25 August 2011 - 08:42 PM

If it's a desktop, I suggest you disable all power saving features.
You don't really need them and they're known for causing issues.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.



 


#7 Pat(rick)


Posted 26 August 2011 - 03:57 PM

Hello, this is the log:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.181.34
Adobe Reader 9.4.5
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
AVAST Software Avast setup avast.setup
``````````End of Log````````````



Btw, are Adware.Vundo/Variant-MSFake and Trojan.Agent/Gen-Nullo[Short] dangerous?
Where do I go to disable all power saving features?

#8 Broni


Posted 26 August 2011 - 04:57 PM

are Adware.Vundo/Variant-MSFake and Trojan.Agent/Gen-Nullo[Short] dangerous?

Any infection is dangerous. If not taken care of, more may follow.

Where do I go to disable all power saving features?

http://www.hddoctor.net/how-to-disable-power-management-settings-in-windows-xpvista7/

=====================================================================

Update Adobe Reader

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note: If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

==============================================================

Your computer is clean.

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create a fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure Windows Updates are current.

3. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

4. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

5. Run Temporary File Cleaner (TFC) weekly.

6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html



 


#9 Pat(rick)


Posted 26 August 2011 - 05:54 PM

Thank you very much for the support :)

edit:
Can running TFC weekly harm my computer?

Do I uninstall the Adobe Acrobat 5.0 (are they the same?) too?

Edited by Pat(rick), 26 August 2011 - 06:04 PM.


#10 Broni


Posted 26 August 2011 - 06:06 PM

You're very welcome :)

Can running TFC weekly harm my computer?

No. You should run it weekly.

Do I uninstall the Adobe Acrobat 5.0 (are they the same?) too?

That's a very old version. Uninstall it.



 


#11 Pat(rick)


Posted 26 August 2011 - 06:12 PM

Thank you very much again :)

#12 Broni


Posted 26 August 2011 - 06:13 PM

Cool beans :)
