
Solve : Got registry bugs........?

Answer»

Please uninstall Antivirus 2010. It is malware.

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

:OTL
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} -  File not found
O3 - HKLM\..\Toolbar: (ZoneAlarm Spy Blocker Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} -  File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Spy Blocker Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} -  File not found
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [ClientGW]  File not found
O4 - HKLM..\Run: [PCDrProfiler]  File not found
O15 - HKCU\..Trusted Domains: internet ([]about in Internet)

:Files
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At1.job
:COMMANDS
[resethosts]
[purity]
[emptytemp]
[start explorer]

* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
***************************************************
Download Security CHECK by screen317 from one of the following links and SAVE it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

As I mentioned earlier, 'Anti virus 2010' will not uninstall through control panel. If I could find the file, perhaps I could wipe it with DPwiper, but I don't know how to find it, and a search for 'anti virus 2010' comes up blank.

Below are the logs you requested:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{3041d03e-fd4b-44e0-b742-2d9b88305f98} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ClientGW deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\PCDrProfiler deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ deleted successfully.
========== FILES ==========
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At1.job moved successfully.
========== COMMANDS ==========
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2096855 bytes
->Flash cache emptied: 456 bytes
 
User: All Users
 
User: Compaq_Owner
->Temp folder emptied: 57661349 bytes
->Temporary Internet Files folder emptied: 15735455 bytes
->Java cache emptied: 2379 bytes
->FireFox cache emptied: 94265900 bytes
->Flash cache emptied: 7167 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
 
User: LocalService
->Temp folder emptied: 1056392 bytes
->Temporary Internet Files folder emptied: 33264 bytes
->FireFox cache emptied: 3717997 bytes
 
User: misc pics
 
User: NetworkService
->Temp folder emptied: 1982008 bytes
->Temporary Internet Files folder emptied: 1008811 bytes
->Flash cache emptied: 3557 bytes
 
User: New Folder
 
User: savanah pics
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2952721 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 27838375 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 885602 bytes
RecycleBin emptied: 26624 bytes
 
Total Files Cleaned = 200.00 mb
 
 
OTL by OldTimer - Version 3.2.22.3 log created on 04232011_073419

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


--------------------------------



 Results of screen317's Security Check version 0.99.10 
 Windows XP Service Pack 3 (UAC is disabled!)
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 Avira AntiVir Personal - Free Antivirus
 WWII: Normandy     
 Antivirus 2010     
 PC Tools Firewall Plus 6.0 
 ZoneAlarm Spy Blocker Toolbar   
 ZoneAlarm     
 Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 CCleaner     
 Java(TM) 6 Update 17 
 Out of date Java installed!
 Adobe Flash Player    10.1.102.64 
Adobe Reader 7.0
Out of date Adobe Reader installed!
 Mozilla Thunderbird (3.1.9)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
 PC Tools Firewall Plus FirewallGUI.exe   
 PC Tools Firewall Plus FWService.exe   
``````````End of Log````````````



Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
4. Run CCleaner.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*************************************************
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.
*****************************************************
Quote

As I mentioned earlier, 'Anti virus 2010' will not uninstall through control panel. If I could find the file, perhaps I could wipe it with DPwiper, but I don't know how to find it, and a search for 'anti virus 2010' comes up blank.
Sorry. Let's try to get rid of it this way. Please run another Security Check after you've done this.

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

:OTL

:folders
Antivirus 2010

:Processes -- this is the command for killing processes.
:COMMANDS
[resethosts]
[purity]
[emptytemp]
[start explorer]

* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.

All processes killed
========== OTL ==========
Error: Unable to interpret <:folders> in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret <:Processes -- this is the command for killing processes.> in the current context!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: All Users
 
User: Compaq_Owner
->Temp folder emptied: 2526 bytes
->Temporary Internet Files folder emptied: 1440836 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 45779653 bytes
->Flash cache emptied: 456 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56466 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes
 
User: misc pics
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes
 
User: New Folder
 
User: savanah pics
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 452 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 45.00 mb
 
 
OTL by OldTimer - Version 3.2.22.3 log created on 04232011_172541

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
Please run Security Check again to see if it has been removed.

 Results of screen317's Security Check version 0.99.10 
 Windows XP Service Pack 3 (UAC is disabled!)
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 Avira AntiVir Personal - Free Antivirus
 WWII: Normandy     
 Antivirus 2010     
 PC Tools Firewall Plus 6.0 
 McAfee Security Scan Plus   
 ZoneAlarm Spy Blocker Toolbar   
 ZoneAlarm     
 Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 CCleaner     
 Java(TM) 6 Update 25 
 Out of date Java installed!
 Adobe Flash Player    10.1.102.64 
Adobe Reader X (10.0.1)
 Mozilla Thunderbird (3.1.9)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
 PC Tools Firewall Plus FWService.exe   
 PC Tools Firewall Plus FirewallGUI.exe   
``````````End of Log````````````
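
Security Check prints product names grouped into sections separated by runs of backticks and appends "...!" phrases for anything it wants fixed, so the useful question after each cleanup step is what changed between runs. The following is an added example, not part of this thread or of screen317's tool: a small parser plus a before/after diff run over excerpts of the two logs posted above (the separator lines are written as <SEP> so the sample can sit in a Markdown fence). The helper names are hypothetical.

```python
"""Diff two screen317 Security Check runs (added example, not from the thread).

Sections are delimited by lines of backticks; any phrase ending in "!" is one of
the tool's flags (including informational ones such as "Avira successfully
updated!"). Samples are excerpts of the runs posted above.
"""
import re

BACKTICK = "\x60"  # the logs separate sections with runs of backticks

RUN_BEFORE = """\
 Windows XP Service Pack 3 (UAC is disabled!)
<SEP>
Antivirus/Firewall Check:

 Windows Firewall Disabled!
 Avira AntiVir Personal - Free Antivirus
 Antivirus 2010
 PC Tools Firewall Plus 6.0
 Avira successfully updated!
<SEP>
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware
 Java(TM) 6 Update 17
 Out of date Java installed!
Adobe Reader 7.0
Out of date Adobe Reader installed!
<SEP>End of Log<SEP>
""".replace("<SEP>", BACKTICK * 12)

RUN_AFTER = """\
 Windows XP Service Pack 3 (UAC is disabled!)
<SEP>
Antivirus/Firewall Check:

 Windows Firewall Disabled!
 Avira AntiVir Personal - Free Antivirus
 Antivirus 2010
 PC Tools Firewall Plus 6.0
 McAfee Security Scan Plus
 Avira successfully updated!
<SEP>
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware
 Java(TM) 6 Update 25
 Out of date Java installed!
Adobe Reader X (10.0.1)
<SEP>End of Log<SEP>
""".replace("<SEP>", BACKTICK * 12)


def parse_security_check(text):
    """Return {section: {"products": set, "flags": set}}.

    Lines before the first separator form the "System" block; after each
    separator the next non-empty line names the section.
    """
    sections = {}
    name = "System"
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the tool's padding spaces
        if not line:
            continue
        if line.startswith(BACKTICK):
            name = None
            continue
        if name is None:
            name = line.rstrip(":")
            continue
        entry = sections.setdefault(name, {"products": set(), "flags": set()})
        flags = re.findall(r"[A-Za-z][^()!]*!", line)  # "UAC is disabled!" etc.
        if flags:
            entry["flags"].update(f.strip() for f in flags)
        else:
            entry["products"].add(line)
    return sections


def diff_runs(before, after):
    """Per section: products that appeared or vanished, flags raised or cleared."""
    empty = {"products": set(), "flags": set()}
    report = {}
    for section in sorted(set(before) | set(after)):
        b, a = before.get(section, empty), after.get(section, empty)
        report[section] = {
            "new_products": sorted(a["products"] - b["products"]),
            "gone_products": sorted(b["products"] - a["products"]),
            "new_flags": sorted(a["flags"] - b["flags"]),
            "cleared_flags": sorted(b["flags"] - a["flags"]),
            "open_flags": sorted(a["flags"]),
        }
    return report


if __name__ == "__main__":
    delta = diff_runs(parse_security_check(RUN_BEFORE), parse_security_check(RUN_AFTER))
    for section, changes in delta.items():
        print(f"[{section}]")
        for key, items in changes.items():
            if items:
                print(f"  {key}: {', '.join(items)}")
```

On the page's own data the diff shows Adobe Reader moving from 7.0 to X and its flag clearing, Java moving from Update 17 to Update 25 while the "Out of date Java installed!" flag stays open, a new McAfee Security Scan Plus entry, and "Antivirus 2010" still listed in the Antivirus/Firewall section, which is exactly the state the helper asks for a further scan on.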
Please update and run MBAM in Normal mode and post the log.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6435

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/24/2011 4:59:43 PM
mbam-log-2011-04-24 (16-59-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 221571
Time ELAPSED: 1 hour(s), 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the PAGE under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few SECONDS a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

SysProt AntiRootkit v1.0.1.0
by swatkat

*************************************
***************************************

No Hidden Processes found

***************************************************
***************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B4B05000
Module End: B4B1D000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA5F4000
Module End: BA5F6000
Hidden: Yes

********************************************************
********************************************************
SSDT:
Function Name: ZwCreateFile
Address: B278ED80
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwCreateKey
Address: B27B3070
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwCreateThread
Address: BA7D1AEC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteFile
Address: B278FC60
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwDeleteKey
Address: B27B4780
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwDeleteValueKey
Address: B27B4160
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwLoadKey
Address: B27B5080
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwLoadKey2
Address: B27B52B0
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwOpenFile
Address: B278F750
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwOpenProcess
Address: BA7D1AD8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: BA7D1ADD
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwRenameKey
Address: B27B6430
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwReplaceKey
Address: B27B5A40
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwRestoreKey
Address: B27B60D0
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwSetInformationFile
Address: B2790080
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwSetSecurityObject
Address: B27B68E0
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwSetValueKey
Address: B27B3970
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwTerminateProcess
Address: BA7D1AE7
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

********************************************************
********************************************************
No Kernel Hooks found

*************************************************************
**************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}
Status: Access denied

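The SSDT section above is long but has a regular shape, and the first thing a triager wants from it is a per-driver summary: which module owns each hooked service, whether each hook address actually falls inside that module's image, and which entries the tool could not map at all (base 0, `_unknown_`). The following is an added example, not part of this thread or of SysProt: a parser for that record format run over an excerpt of the log posted above. The helper names are hypothetical.

```python
"""Summarise the SSDT section of a SysProt AntiRootkit log by owning driver.

Added example, not part of the thread or of SysProt. SAMPLE is an excerpt of the
SSDT records posted above (raw string, so the \\??\\ device paths stay as-is).
"""
import re
from collections import defaultdict

SAMPLE = r"""SSDT:
Function Name: ZwCreateFile
Address: B278ED80
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwCreateKey
Address: B27B3070
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwCreateThread
Address: BA7D1AEC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: BA7D1AD8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: BA7D1ADD
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: B27B3970
Driver Base: B2761000
Driver End: B27F1000
Driver Name: \??\C:\WINDOWS\system32\vsdatant.sys

Function Name: ZwTerminateProcess
Address: BA7D1AE7
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
"""


def parse_ssdt(text):
    """Turn the blank-line separated 'Key: Value' records into dicts with ints."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first ':' only; paths keep theirs
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if "Function Name" not in fields:
            continue
        records.append({
            "function": fields["Function Name"],
            "address": int(fields["Address"], 16),
            "base": int(fields["Driver Base"], 16),
            "end": int(fields["Driver End"], 16),
            "driver": fields["Driver Name"],
        })
    return records


def hooks_by_driver(records):
    """Map each owning driver to the list of hooked services, in log order."""
    groups = defaultdict(list)
    for r in records:
        groups[r["driver"]].append(r["function"])
    return dict(groups)


def unattributed(records):
    """Entries SysProt could not map to a loaded module (base 0 / _unknown_)."""
    return [r["function"] for r in records if r["base"] == 0 or r["driver"] == "_unknown_"]


def address_consistent(record):
    """For mapped entries the hook address must lie inside the module image; None if unmapped."""
    if record["base"] == 0:
        return None
    return record["base"] <= record["address"] < record["end"]


def unattributed_span(records):
    """Distance in bytes between the lowest and highest unmapped hook addresses."""
    addrs = [r["address"] for r in records if r["base"] == 0]
    return max(addrs) - min(addrs) if addrs else 0


if __name__ == "__main__":
    recs = parse_ssdt(SAMPLE)
    for driver, funcs in hooks_by_driver(recs).items():
        print(f"{driver}: {len(funcs)} hooks -> {', '.join(funcs)}")
    print("unmapped:", unattributed(recs), "span:", hex(unattributed_span(recs)))
```

On the excerpt the attributed hooks all resolve inside the image of vsdatant.sys (the ZoneAlarm TrueVector driver, consistent with ZoneAlarm appearing in the Security Check output), which is the expected pattern for a host firewall. The four entries the tool reports as `_unknown_` sit within 0x14 bytes of one another, which is what a single small stub table looks like; the right next step is to identify whatever is loaded at that range rather than to conclude anything from the missing name, and the log's own "No Kernel Hooks found" line and the helper's follow-up scan fit that cautious reading.
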
I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
