Author Topic: 1.reg Malware - How to get rid of it?  (Read 43795 times)


jonathanlkm

  • Guest
Re: 1.reg Malware - How to get rid of it?
« Reply #15 on: October 08, 2007, 11:50:13 AM »

[Registry - Additional Scans - Non-Microsoft Only]
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved ->
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Taskbar and Start Menu] -> File not found
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Media Band] -> File not found
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Display Panning CPL Extension] -> File not found
{472083B0-C522-11CF-8763-00608CC02F24} [HKLM] -> %ProgramFiles%\Alwil Software\Avast4\ashShell.dll [avast] -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 75128 bytes | Modified Date = 9/6/2007 6:59:56 PM | Attr =    ]
{4EB37360-49E8-11D3-95B5-004033382980} [HKLM] -> %ProgramFiles%\ESTsoft\ALZip\AZCTM.dll [ALZip 4.0 Context Menu Shell Extension] -> ESTsoft [Ver = 6.11.27.111 | Size = 168960 bytes | Modified Date = 12/5/2006 10:02:06 PM | Attr =    ]
{5E2121EE-0300-11D4-8D3B-444553540000} [HKLM] -> %ProgramFiles%\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll [Catalyst Context Menu extension] -> File not found
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Shell extensions for file compression] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [User Accounts] -> File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Encryption Context Menu] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal Icon Ext] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 8/23/2001 9:00:00 PM | Attr =    ]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} [HKLM] -> %ProgramFiles%\WinRAR\RarExt.dll [WinRAR shell extension] ->  [Ver =  | Size = 129024 bytes | Modified Date = 9/20/2007 6:34:58 PM | Attr =    ]
{BD88A479-9623-4897-8546-BC62B9628F44} [HKLM] -> %ProgramFiles%\Spyware Terminator\sptcontmenu.dll [SPTHandler] -> Crawler.com [Ver = 1.1.0.14 | Size = 141312 bytes | Modified Date = 10/6/2007 8:00:28 PM | Attr =    ]
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll [Adobe.Acrobat.ContextMenu] -> Adobe Systems Inc. [Ver = 8.0.5.2006102200\0 | Size = 677504 bytes | Modified Date = 10/22/2006 11:44:38 PM | Attr =    ]
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} [HKLM] -> %ProgramFiles%\Real\RealPlayer\rpshell.dll [Shell Extensions for RealOne Player] -> RealNetworks, Inc. [Ver = 1.0.1.2684 | Size = 54848 bytes | Modified Date = 5/24/2007 12:08:50 PM | Attr =    ]
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.chm [@ = chm.file] -> PersistentHandler = Reg Data - Key not found ->
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.hlp [@ = hlpfile] -> PersistentHandler = Reg Data - Key not found ->
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} ->
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} ->
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found ->
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found ->
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found ->
.txt [@ = TXT_File] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found ->
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found ->
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found ->

jonathanlkm

  • Guest
Re: 1.reg Malware - How to get rid of it?
« Reply #16 on: October 08, 2007, 11:50:42 AM »


[Files/Folders - Created Within 30 days]
cvavr -> %SystemDrive%\cvavr ->  [Folder | Created Date = 9/22/2007 12:21:16 AM | Attr =    ]
cvavr.ini -> %SystemRoot%\cvavr.ini ->  [Ver =  | Size = 2846 bytes | Created Date = 9/22/2007 12:21:22 AM | Attr =    ]
pestpatrol5.INI -> %SystemRoot%\pestpatrol5.INI ->  [Ver =  | Size = 0 bytes | Created Date = 10/6/2007 7:05:19 PM | Attr =    ]
Dajuba.zip -> %System32%\Dajuba.zip ->  [Ver =  | Size = 0 bytes | Created Date = 9/12/2007 4:35:04 PM | Attr =    ]
DrvMon.exe -> %System32%\DrvMon.exe -> Alcor Micro, Corp. [Ver = 1, 0, 0, 7 | Size = 53248 bytes | Created Date = 9/27/2007 2:07:16 PM | Attr =    ]
ftbusui.dll -> %System32%\ftbusui.dll -> FTDI Ltd. [Ver = 1.1.0.1 | Size = 111936 bytes | Created Date = 9/22/2007 12:51:28 AM | Attr =    ]
ftd2xx.dll -> %System32%\ftd2xx.dll -> FTDI Ltd [Ver = 3.01.12 | Size = 202048 bytes | Created Date = 9/22/2007 12:51:28 AM | Attr =    ]
FTLang.dll -> %System32%\FTLang.dll -> FTDI [Ver = 1, 0, 0, 1 | Size = 107840 bytes | Created Date = 9/22/2007 12:51:28 AM | Attr =    ]
ftserui2.dll -> %System32%\ftserui2.dll -> FTDI Ltd. [Ver = 2.00.01.1  built by: WinDDK | Size = 47432 bytes | Created Date = 9/22/2007 12:51:29 AM | Attr =    ]
KeyLbE32.dll -> %System32%\KeyLbE32.dll -> Concept Software, Inc. [Ver = 4.3.0.2 | Size = 141824 bytes | Created Date = 9/25/2007 6:00:02 PM | Attr =    ]
Machnm1.exe -> %System32%\Machnm1.exe ->  [Ver =  | Size = 15840 bytes | Created Date = 9/25/2007 6:00:02 PM | Attr =    ]
Machnm32.sys -> %System32%\Machnm32.sys ->  [Ver =  | Size = 2304 bytes | Created Date = 9/25/2007 6:00:02 PM | Attr =    ]
Machnm64.sys -> %System32%\Machnm64.sys ->  [Ver =  | Size = 5632 bytes | Created Date = 9/25/2007 6:00:02 PM | Attr =    ]
xmaninf.exe -> %System32%\xmaninf.exe ->  [Ver =  | Size = 193888 bytes | Created Date = 9/18/2007 1:05:06 PM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 10/6/2007 6:49:03 PM | Attr =    ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 10/5/2007 8:12:00 AM | Attr =    ]
ftdibus.sys -> %System32%\drivers\ftdibus.sys -> FTDI Ltd. [Ver = 2.02.04.1 built by: WinDDK | Size = 53184 bytes | Created Date = 9/22/2007 12:51:28 AM | Attr =    ]
ftser2k.sys -> %System32%\drivers\ftser2k.sys -> FTDI Ltd. [Ver = 2.02.04.1 built by: WinDDK | Size = 71488 bytes | Created Date = 9/22/2007 12:51:29 AM | Attr =    ]
IOPORT.SYS -> %System32%\drivers\IOPORT.SYS -> Erik Salaj [Ver = 2.00.0000.0 | Size = 6144 bytes | Created Date = 9/22/2007 12:21:18 AM | Attr =    ]

[Files/Folders - Modified Within 30 days]
BaseFolder -> %SystemDrive%\BaseFolder ->  [Folder | Modified Date = 10/6/2007 8:50:12 PM | Attr =    ]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 10/7/2007 12:51:04 AM | Attr =  H ]
cvavr -> %SystemDrive%\cvavr ->  [Folder | Modified Date = 10/1/2007 8:10:28 PM | Attr =    ]
FSUIPC_reg.bin -> %SystemDrive%\FSUIPC_reg.bin ->  [Ver =  | Size = 1328 bytes | Modified Date = 9/23/2007 10:31:46 PM | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 10/6/2007 8:32:36 PM | Attr = R  ]
Temp -> %SystemDrive%\Temp ->  [Folder | Modified Date = 9/22/2007 2:25:44 AM | Attr =    ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 10/8/2007 10:23:18 AM | Attr =    ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 10/8/2007 6:37:04 PM | Attr =   S]
cvavr.ini -> %SystemRoot%\cvavr.ini ->  [Ver =  | Size = 2846 bytes | Modified Date = 10/6/2007 12:13:16 PM | Attr =    ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 10/6/2007 6:45:42 PM | Attr =   S]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 10/6/2007 7:01:26 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 10/7/2007 12:51:04 AM | Attr =  HS]
MEMORY.DMP -> %SystemRoot%\MEMORY.DMP ->  [Ver =  | Size = 536416256 bytes | Modified Date = 10/8/2007 10:23:18 AM | Attr =    ]
pestpatrol5.INI -> %SystemRoot%\pestpatrol5.INI ->  [Ver =  | Size = 0 bytes | Modified Date = 10/6/2007 7:05:20 PM | Attr =    ]
PIF -> %SystemRoot%\PIF ->  [Folder | Modified Date = 9/22/2007 12:21:20 AM | Attr =  H ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 10/6/2007 7:02:46 PM | Attr =    ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 10/4/2007 8:16:18 PM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 10/8/2007 12:33:24 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 10/6/2007 8:07:44 PM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 10/8/2007 6:38:54 PM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 630 bytes | Modified Date = 10/6/2007 7:16:20 PM | Attr =    ]
At10.job -> %SystemRoot%\tasks\At10.job ->  [Ver =  | Size = 350 bytes | Modified Date = 9/28/2007 9:00:02 AM | Attr =    ]
At11.job -> %SystemRoot%\tasks\At11.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/1/2007 10:00:02 AM | Attr =    ]
At12.job -> %SystemRoot%\tasks\At12.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 11:00:02 AM | Attr =    ]
At13.job -> %SystemRoot%\tasks\At13.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 12:00:02 PM | Attr =    ]
At14.job -> %SystemRoot%\tasks\At14.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 1:00:02 PM | Attr =    ]
At15.job -> %SystemRoot%\tasks\At15.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 2:00:02 PM | Attr =    ]
At16.job -> %SystemRoot%\tasks\At16.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 3:00:02 PM | Attr =    ]
At17.job -> %SystemRoot%\tasks\At17.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 4:00:02 PM | Attr =    ]
At18.job -> %SystemRoot%\tasks\At18.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 5:00:02 PM | Attr =    ]
At19.job -> %SystemRoot%\tasks\At19.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 6:00:02 PM | Attr =    ]
At2.job -> %SystemRoot%\tasks\At2.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 1:00:02 AM | Attr =    ]
At20.job -> %SystemRoot%\tasks\At20.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/7/2007 7:00:02 PM | Attr =    ]
At21.job -> %SystemRoot%\tasks\At21.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/7/2007 8:00:02 PM | Attr =    ]
At22.job -> %SystemRoot%\tasks\At22.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/7/2007 9:00:02 PM | Attr =    ]
At23.job -> %SystemRoot%\tasks\At23.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/7/2007 10:00:02 PM | Attr =    ]
At24.job -> %SystemRoot%\tasks\At24.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/7/2007 11:00:02 PM | Attr =    ]
At3.job -> %SystemRoot%\tasks\At3.job ->  [Ver =  | Size = 350 bytes | Modified Date = 9/22/2007 2:00:02 AM | Attr =    ]
At4.job -> %SystemRoot%\tasks\At4.job ->  [Ver =  | Size = 350 bytes | Modified Date = 9/22/2007 3:00:02 AM | Attr =    ]
At5.job -> %SystemRoot%\tasks\At5.job ->  [Ver =  | Size = 350 bytes | Modified Date = 9/20/2007 4:00:02 AM | Attr =    ]
At6.job -> %SystemRoot%\tasks\At6.job ->  [Ver =  | Size = 350 bytes | Modified Date = 9/20/2007 5:00:02 AM | Attr =    ]
At7.job -> %SystemRoot%\tasks\At7.job ->  [Ver =  | Size = 350 bytes | Modified Date = 9/20/2007 6:00:02 AM | Attr =    ]
At8.job -> %SystemRoot%\tasks\At8.job ->  [Ver =  | Size = 350 bytes | Modified Date = 9/20/2007 7:00:02 AM | Attr =    ]
At9.job -> %SystemRoot%\tasks\At9.job ->  [Ver =  | Size = 350 bytes | Modified Date = 9/28/2007 8:00:02 AM | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 10/8/2007 6:37:12 PM | Attr =  H ]
bitcometres.dll -> %System32%\bitcometres.dll -> BitComet [Ver = 1, 0, 0, 1 | Size = 2560 bytes | Modified Date = 9/23/2007 11:25:50 PM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 10/7/2007 12:15:18 PM | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 9/15/2007 10:50:14 PM | Attr =    ]
Dajuba.zip -> %System32%\Dajuba.zip ->  [Ver =  | Size = 0 bytes | Modified Date = 9/12/2007 4:35:06 PM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 10/5/2007 8:31:14 AM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 10/6/2007 7:36:04 PM | Attr =    ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 209696 bytes | Modified Date = 9/23/2007 10:22:08 AM | Attr =    ]
npavinfo.dat -> %System32%\npavinfo.dat ->  [Ver =  | Size = 169 bytes | Modified Date = 10/1/2007 7:56:52 PM | Attr =    ]
npconf.md5 -> %System32%\npconf.md5 ->  [Ver =  | Size = 238 bytes | Modified Date = 10/1/2007 7:56:48 PM | Attr =    ]
npscanv.xml -> %System32%\npscanv.xml ->  [Ver =  | Size = 617 bytes | Modified Date = 10/1/2007 7:57:42 PM | Attr =    ]
npzupdate.conf -> %System32%\npzupdate.conf ->  [Ver =  | Size = 305 bytes | Modified Date = 10/1/2007 7:55:48 PM | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 10/2/2007 10:04:38 AM | Attr =    ]
xman.dll -> %System32%\xman.dll -> (c) Daum Communications. [Ver = 1, 2, 3, 3 | Size = 1467744 bytes | Modified Date = 9/18/2007 1:05:02 PM | Attr =    ]
xmaninf.exe -> %System32%\xmaninf.exe ->  [Ver =  | Size = 193888 bytes | Modified Date = 9/18/2007 1:05:06 PM | Attr =    ]

jonathanlkm

  • Guest
Re: 1.reg Malware - How to get rid of it?
« Reply #17 on: October 08, 2007, 11:51:18 AM »

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
 ->  -> File not found
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 6/11/2007 6:25:42 PM | Attr =    ]
Acrobat Assistant 8.0 -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\acrotray.exe -> Adobe Systems Inc. [Ver = 8.0.0.2006102200 | Size = 620152 bytes | Modified Date = 10/22/2006 11:24:02 PM | Attr =    ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 7:06:10 PM | Attr =    ]
Jet Detection -> %ProgramFiles%\Creative\SBLive\Program\ADGJDet.exe ->  [Ver = 1, 0, 2, 0 | Size = 28672 bytes | Modified Date = 11/29/2001 1:00:00 AM | Attr =    ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_02\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr =    ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3959 | Size = 185896 bytes | Modified Date = 5/24/2007 12:08:42 PM | Attr =    ]
WINDVDPatch -> %System32%\CTHELPER.EXE -> Creative Technology Ltd [Ver = 1, 0, 0, 2 | Size = 24576 bytes | Modified Date = 7/2/2002 5:56:00 PM | Attr =    ]
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
 ->  -> File not found
BitComet -> E:\Program Files\BitComet\BitComet.exe -> www.BitComet.com [Ver = 0.93 | Size = 6338360 bytes | Modified Date = 9/10/2007 9:33:42 PM | Attr =    ]
DrvMon.exe -> %System32%\DrvMon.exe -> Alcor Micro, Corp. [Ver = 1, 0, 0, 7 | Size = 53248 bytes | Modified Date = 6/15/2004 10:30:18 PM | Attr =    ]
Start WingMan Profiler -> %ProgramFiles%\Logitech\Profiler\LWEMon.exe -> Logitech Inc. [Ver = 4.60.349 | Size = 73728 bytes | Modified Date = 4/18/2005 11:16:02 AM | Attr =    ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Acrobat Speed Launcher.lnk -> %SystemRoot%\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe ->  [Ver =  | Size = 295606 bytes | Modified Date = 5/24/2007 11:13:58 AM | Attr = R  ]
%AllUsersStartup%\Adobe Acrobat Synchronizer.lnk -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe ->  [Ver = 8.0.0.0 | Size = 734872 bytes | Modified Date = 10/23/2006 12:01:50 AM | Attr =    ]
< User Startup > -> C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup ->
%UserStartup%\Adobe Gamma.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 3/16/2005 7:16:50 PM | Attr =    ]
%UserStartup%\CaptureWiz.lnk -> %ProgramFiles%\CaptureWiz\Pro\CaptureWiz.exe -> PixelMetrics [Ver = 3.10.0.0 | Size = 2011168 bytes | Modified Date = 4/15/2007 3:48:04 PM | Attr =    ]
%UserStartup%\MagicDisc.lnk -> %ProgramFiles%\MagicDisc\MagicDisc.exe ->  [Ver =  | Size = 534016 bytes | Modified Date = 9/26/2006 9:59:14 AM | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 9:29:58 PM | Attr =    ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->

[File String Scan - Non-Microsoft Only]
File scan skipped for file %SystemRoot%\MEMORY.DMP -> File size too big (536416256 bytes) ->
aspack ,  -> %System32%\ALZALZ.BIN ->  [Ver =  | Size = 63488 bytes | Modified Date = 8/30/2006 5:07:24 PM | Attr =    ]
aspack ,  -> %System32%\ALZZip.BIN ->  [Ver =  | Size = 43008 bytes | Modified Date = 8/30/2006 5:07:24 PM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 7:09:50 PM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 8/23/2001 9:00:00 PM | Attr =    ]
PEC2 , PECompact2 ,  -> %System32%\DivX.dll -> DivX, Inc. [Ver = 6.6.1.4 | Size = 740442 bytes | Modified Date = 5/31/2007 3:44:56 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\ICKHTTPS2.OCX -> devSoft Inc. - www.dev-soft.com [Ver = 2.0.0.31 | Size = 100464 bytes | Modified Date = 5/21/2007 1:32:34 PM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\mwace.dll -> MW Graphics [Ver = 4.00.18 | Size = 56832 bytes | Modified Date = 5/14/2004 11:13:46 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\mwdds.dll -> MW Graphics [Ver = 4, 0, 0, 56 | Size = 104448 bytes | Modified Date = 6/17/2006 12:52:52 PM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\mwgfx.dll -> MW Graphics [Ver = 4.00.213 | Size = 183296 bytes | Modified Date = 6/17/2006 11:44:32 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\mwgfx24.dll -> MW Publishing [Ver = 4.00.55 | Size = 238080 bytes | Modified Date = 11/13/2005 1:28:44 AM | Attr =    ]
Thawte Consulting ,  -> %System32%\NaverBroker.exe ->  [Ver = 1, 0, 0, 1 | Size = 30488 bytes | Modified Date = 4/5/2007 10:56:46 AM | Attr =    ]
Thawte Consulting ,  -> %System32%\NaverFDL.exe -> Dacom Multimedia Internet Corp. [Ver = 4, 0, 0, 66 | Size = 284440 bytes | Modified Date = 4/5/2007 10:56:42 AM | Attr =    ]
Thawte Consulting ,  -> %System32%\NaverFile.ocx -> Dacom Multimedia Internet Corp. [Ver = 3, 6, 0, 22 | Size = 280344 bytes | Modified Date = 4/5/2007 10:56:38 AM | Attr =    ]
KavSvc ,  -> %System32%\npmonz.exe -> INCA Internet Co., Ltd [Ver = 2007.6.26.1 | Size = 2000667 bytes | Modified Date = 6/27/2007 10:10:38 AM | Attr =    ]
UPX! , UPX0 , Thawte Consulting ,  -> %System32%\pandora_setup_mini.ocx -> Pandora TV [Ver = 1.0.2.23 | Size = 272136 bytes | Modified Date = 8/26/2007 11:15:08 AM | Attr =    ]
Thawte Consulting ,  -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2764 | Size = 185952 bytes | Modified Date = 5/24/2007 12:08:56 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\STAdminUAC.exe -> SHOTECH Corp. [Ver = 1, 0, 0, 1 | Size = 38584 bytes | Modified Date = 3/6/2007 4:15:56 PM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 8/23/2001 9:00:00 PM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 8/23/2001 9:00:00 PM | Attr =    ]
PTech ,  -> %System32%\dllcache\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 10:41:38 PM | Attr =    ]
PTech ,  -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 10:41:38 PM | Attr =    ]

< End of report >

jonathanlkm

  • Guest
Re: 1.reg Malware - How to get rid of it?
« Reply #18 on: October 08, 2007, 11:52:42 AM »
;) Thank you so much.

By the way, any recommendation regarding the firewall?

Thanks again!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89212
  • No support PMs thanks
Re: 1.reg Malware - How to get rid of it?
« Reply #19 on: October 08, 2007, 03:48:01 PM »
See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php.

There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: 1.reg Malware - How to get rid of it?
« Reply #20 on: October 08, 2007, 05:32:56 PM »
The best things in life are free.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: 1.reg Malware - How to get rid of it?
« Reply #21 on: October 08, 2007, 10:16:18 PM »
Hi there, sorry for the delay, but alas work interferes ;D

Start WinPFind3U. Copy/paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Registry - Additional Scans - Non-Microsoft Only]
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
YN -> .chm [@ = chm.file] -> PersistentHandler = Reg Data - Key not found
YN -> .hlp [@ = hlpfile] -> PersistentHandler = Reg Data - Key not found
YN -> .jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
YN -> .pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
YN -> .scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
YN -> .vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
YN -> .wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
YN -> .wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found
[Files/Folders - Created Within 30 days]
YY -> Dajuba.zip -> %System32%\Dajuba.zip
NY -> xmaninf.exe -> %System32%\xmaninf.exe
[Files/Folders - Modified Within 30 days]
NY -> At10.job -> %SystemRoot%\tasks\At10.job
NY -> At11.job -> %SystemRoot%\tasks\At11.job
NY -> At12.job -> %SystemRoot%\tasks\At12.job
NY -> At13.job -> %SystemRoot%\tasks\At13.job
NY -> At14.job -> %SystemRoot%\tasks\At14.job
NY -> At15.job -> %SystemRoot%\tasks\At15.job
NY -> At16.job -> %SystemRoot%\tasks\At16.job
NY -> At17.job -> %SystemRoot%\tasks\At17.job
NY -> At18.job -> %SystemRoot%\tasks\At18.job
NY -> At19.job -> %SystemRoot%\tasks\At19.job
NY -> At2.job -> %SystemRoot%\tasks\At2.job
NY -> At20.job -> %SystemRoot%\tasks\At20.job
NY -> At21.job -> %SystemRoot%\tasks\At21.job
NY -> At22.job -> %SystemRoot%\tasks\At22.job
NY -> At23.job -> %SystemRoot%\tasks\At23.job
NY -> At24.job -> %SystemRoot%\tasks\At24.job
NY -> At3.job -> %SystemRoot%\tasks\At3.job
NY -> At4.job -> %SystemRoot%\tasks\At4.job
NY -> At5.job -> %SystemRoot%\tasks\At5.job
NY -> At6.job -> %SystemRoot%\tasks\At6.job
NY -> At7.job -> %SystemRoot%\tasks\At7.job
NY -> At8.job -> %SystemRoot%\tasks\At8.job
NY -> At9.job -> %SystemRoot%\tasks\At9.job
NY -> Dajuba.zip -> %System32%\Dajuba.zip
NY -> npavinfo.dat -> %System32%\npavinfo.dat
NY -> npconf.md5 -> %System32%\npconf.md5
NY -> npscanv.xml -> %System32%\npscanv.xml
NY -> npzupdate.conf -> %System32%\npzupdate.conf
NY -> xmaninf.exe -> %System32%\xmaninf.exe


The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
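As an added triage example (not the forum's or WinPFind3U's own code), the following Python script parses the report line format quoted in this thread ("name -> path -> vendor [Ver = .. | Size = .. | .. Date = .. | Attr = ..]" entries and the "File Associations" lines) and flags the same kinds of entries the fix above targets: file extensions whose PersistentHandler key is missing, At*.job scheduler jobs, and unattributed or zero-byte files dropped into System32. The sample lines are a constructed subset copied from the reports posted above; the finding categories and the extension list are assumptions made for this example.

```python
"""Triage helper for WinPFind3U-style report lines (added example, not the tool's code)."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed subset of the report lines posted earlier in this thread.
SAMPLE_REPORT = r"""[Registry - Additional Scans - Non-Microsoft Only]
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.chm [@ = chm.file] -> PersistentHandler = Reg Data - Key not found ->
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found ->
[Files/Folders - Created Within 30 days]
Dajuba.zip -> %System32%\Dajuba.zip ->  [Ver =  | Size = 0 bytes | Created Date = 9/12/2007 4:35:04 PM | Attr =    ]
DrvMon.exe -> %System32%\DrvMon.exe -> Alcor Micro, Corp. [Ver = 1, 0, 0, 7 | Size = 53248 bytes | Created Date = 9/27/2007 2:07:16 PM | Attr =    ]
xmaninf.exe -> %System32%\xmaninf.exe ->  [Ver =  | Size = 193888 bytes | Created Date = 9/18/2007 1:05:06 PM | Attr =    ]
[Files/Folders - Modified Within 30 days]
At10.job -> %SystemRoot%\tasks\At10.job ->  [Ver =  | Size = 350 bytes | Modified Date = 9/28/2007 9:00:02 AM | Attr =    ]
At2.job -> %SystemRoot%\tasks\At2.job ->  [Ver =  | Size = 350 bytes | Modified Date = 10/8/2007 1:00:02 AM | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 10/8/2007 6:37:12 PM | Attr =  H ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 630 bytes | Modified Date = 10/6/2007 7:16:20 PM | Attr =    ]
"""

SECTION_RE = re.compile(r"^\[(?P<section>[^\]]+)\]$")
ASSOC_RE = re.compile(
    r"^(?P<ext>\.\w+) \[@ = (?P<progid>[^\]]+)\] -> PersistentHandler = (?P<handler>.+?)\s*->\s*$"
)
ENTRY_RE = re.compile(
    r"^(?P<name>\S.*?) -> (?P<path>\S.*?) -> (?P<vendor>.*?)\s*\[(?P<fields>[^\]]*)\]\s*$"
)
# Jobs created by the at.exe scheduler are named At<N>.job under %SystemRoot%\tasks.
AT_JOB_RE = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)
MISSING = "Reg Data - Key not found"
# Assumption for this example: extensions worth a second look when they appear
# directly in %System32% with no vendor or version information.
REVIEW_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".zip"}


@dataclass
class Finding:
    section: str
    item: str
    path: str
    reasons: tuple


def parse_fields(text):
    """Turn 'Ver = 1, 0, 0, 7 | Size = 53248 bytes | ...' into a dict of stripped values."""
    fields = {}
    for part in text.split(" | "):
        key, _, value = part.partition(" = ")
        fields[key.strip()] = value.strip()
    return fields


def size_bytes(fields):
    """Size field as an int, or None when the entry is a folder or has no size."""
    m = re.match(r"(\d+) bytes", fields.get("Size", ""))
    return int(m.group(1)) if m else None


def timestamp(fields):
    """Created or Modified Date as a datetime (report uses m/d/yyyy h:mm:ss AM/PM)."""
    for key in ("Created Date", "Modified Date"):
        if key in fields:
            return datetime.strptime(fields[key], "%m/%d/%Y %I:%M:%S %p")
    return None


def triage(report):
    """Walk the report and return a Finding for every entry that deserves review."""
    findings, section = [], ""
    for raw in report.splitlines():
        line = raw.rstrip()
        if m := SECTION_RE.match(line):
            section = m.group("section")
            continue
        if m := ASSOC_RE.match(line):
            # A missing PersistentHandler on a script/executable extension is what the fix repairs.
            if m.group("handler") == MISSING:
                findings.append(Finding(section, m.group("ext"), m.group("progid"),
                                        ("persistent handler key missing",)))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # section banners such as "< Run [HKLM] > -> ..." and anything else
        path, vendor = m.group("path"), m.group("vendor")
        fields = parse_fields(m.group("fields"))
        basename = path.rsplit("\\", 1)[-1]
        ext = ("." + basename.rsplit(".", 1)[-1].lower()) if "." in basename else ""
        reasons = []
        if AT_JOB_RE.search(path):
            reasons.append("at.exe scheduler job")
        if (path.startswith("%System32%\\") and not vendor
                and not fields.get("Ver") and ext in REVIEW_EXTS):
            reasons.append("unattributed binary in System32")
        if size_bytes(fields) == 0:
            reasons.append("zero-byte file")
        if reasons:
            findings.append(Finding(section, m.group("name"), path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.section}] {f.item}: {', '.join(f.reasons)}")
```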

jonathanlkm

  • Guest
Re: 1.reg Malware - How to get rid of it?
« Reply #22 on: October 09, 2007, 03:50:37 AM »
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\.chm written successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\.hlp written successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\.jse written successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\.pif written successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\.scr written successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\.vbe written successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\.wsf written successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\.wsh written successfully.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\SYSTEM32\Dajuba.zip moved successfully.
C:\WINDOWS\SYSTEM32\xmaninf.exe moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
File C:\WINDOWS\SYSTEM32\Dajuba.zip not found!
C:\WINDOWS\SYSTEM32\npavinfo.dat moved successfully.
C:\WINDOWS\SYSTEM32\npconf.md5 moved successfully.
C:\WINDOWS\SYSTEM32\npscanv.xml moved successfully.
C:\WINDOWS\SYSTEM32\npzupdate.conf moved successfully.
File C:\WINDOWS\SYSTEM32\xmaninf.exe not found!
File  not found!
File  not found!
< End of log >
Created on 10/09/2007 10:50:18


Thanks a lot! :D

jonathanlkm

  • Guest
Re: 1.reg Malware - How to get rid of it?
« Reply #23 on: October 09, 2007, 05:52:26 AM »
Hi there,

By the way, it seems that my computer is getting worse... I can't browse the internet using IE or Firefox more frequently (before that it happened once in a while).

I guess I really need to reformat my computer ???

Thanks
« Last Edit: October 09, 2007, 05:54:29 AM by jonathanlkm »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: 1.reg Malware - How to get rid of it?
« Reply #24 on: October 09, 2007, 06:39:53 AM »
Quote
I guess I really need to reformat my computer ???

Whoa, hold on a minute. At least wait to hear back from essexboy. Reformatting is pretty drastic and a last ditch effort.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89212
  • No support PMs thanks
Re: 1.reg Malware - How to get rid of it?
« Reply #25 on: October 09, 2007, 02:07:58 PM »
Quote
By the way, it seems that my computer is getting worse... I can't browse the internet using IE or Firefox more frequently (before that it happened once in a while).

I guess I really need to reformat my computer ???

Why can't you browse? What are the symptoms, what errors are displayed, etc.? Try to be more detailed.
Is this for all sites or just specific sites (if so, examples)?

Did you get around to getting a firewall? As I said, without one cleaning your system could be an uphill battle, but as oldman said a reformat is a last resort and I doubt you are close.

jonathanlkm

  • Guest
Re: 1.reg Malware - How to get rid of it?
« Reply #26 on: October 09, 2007, 03:38:33 PM »
Quote
Why can't you browse? What are the symptoms, what errors are displayed, etc.? Try to be more detailed.
Is this for all sites or just specific sites (if so, examples)?

Did you get around to getting a firewall? As I said, without one cleaning your system could be an uphill battle, but as oldman said a reformat is a last resort and I doubt you are close.

Well... all of the websites cannot be accessed by my browser (e.g. google.com, yahoo.com, etc.). In addition, MSN Messenger cannot be logged in either. The problem is something to do with DNS (DNS error)/key ports, as reported by the connection troubleshooter. Yes, I did get the firewall. I think it's a virus which has the capability to mess up the internet connection. Sometimes the internet browser will report "not valid address typed" although I had entered the correct address, e.g. www.yahoo.com. :-\

 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89212
  • No support PMs thanks
Re: 1.reg Malware - How to get rid of it?
« Reply #27 on: October 09, 2007, 05:09:52 PM »
If you got a firewall (what was it?), it could be blocking ashWebSv.exe, the web shield, from connecting, so no browsing.
Does it allow ashWebSv.exe internet access?
- If it does, delete the entry for it and reconnect to the internet; this will force the firewall to ask permission again.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: 1.reg Malware - How to get rid of it?
« Reply #28 on: October 09, 2007, 08:10:35 PM »
Quote
If you got a firewall (what was it?), it could be blocking ashWebSv.exe, the web shield, from connecting, so no browsing.
Does it allow ashWebSv.exe internet access?
- If it does, delete the entry for it and reconnect to the internet; this will force the firewall to ask permission again.

My first thoughts as well. All of the malware that I saw has gone, so unless a new infection was picked up there should not be a problem.

 

MTCca

  • Guest
Re: 1.reg Malware - How to get rid of it?
« Reply #29 on: October 11, 2007, 05:45:30 PM »
OK... Isn't the point of having Avast that it can find this and delete it? Why does it not know how to handle this old malware?
 ???