
Solved: Panda Found 3 Unwanted Tools

Discussion in 'Virus & Other Malware Removal' started by Gabriel, Jan 26, 2006.

Thread Status:
Not open for further replies.
  1. Gabriel

    Gabriel Account Closed Thread Starter

    Joined:
    May 1, 2003
    Messages:
    17,353
    Hi...How do I get these out...I did a full Panda scan online and it found these...I am most concerned of course with the first 3 HKEY things........:( Any help appreciated.


    Incident Status Location

    Potentially unwanted tool:application/funweb
    Not disinfected HKEY_CLASSES_ROOT\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
    Potentially unwanted tool:application/mywebsearch
    Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
    Potentially unwanted tool:application/myway
    Not disinfected HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
    Spyware:Cookie/Atlas DMT
    Not disinfected E:\Documents and Settings\Michele\Application Data\Mozilla\Firefox\Profiles\8inffwyh.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Zedo
    Not disinfected E:\Documents and Settings\Michele\Application Data\Mozilla\Firefox\Profiles\8inffwyh.default\cookies.txt[.zedo.com/]
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Run HijackThis and click "Do a system scan and save a log file".
    Your HijackThis log will open in Notepad. Post the contents of the log here.
     
  3. Gabriel

    Gabriel Account Closed Thread Starter

    Joined:
    May 1, 2003
    Messages:
    17,353
    Logfile of HijackThis v1.99.1
    Scan saved at 8:13:24 PM, on 1/26/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\LEXBCES.EXE
    E:\WINNT\system32\spoolsv.exe
    E:\WINNT\system32\LEXPPS.EXE
    E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    E:\Program Files\AVPersonal\AVWUPSRV.EXE
    E:\WINNT\system32\DRIVERS\dcfssvc.exe
    E:\WINNT\System32\svchost.exe
    E:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    E:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\MSTask.exe
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\system32\mspmspsv.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\Explorer.EXE
    E:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    E:\Program Files\QuickTime\qttask.exe
    E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\Program Files\WinZip\WZQKPICK.EXE
    E:\ImageMate CompactFlash USB\SandIcon.exe
    E:\Program Files\WinTidy\WinTidy.exe
    E:\Documents and Settings\Michele\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PrinTray] E:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVGCtrl] E:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [AVSCHED32] E:\Program Files\AVPersonal\AVSched32.EXE /min
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: SandIcon.lnk = E:\ImageMate CompactFlash USB\SandIcon.exe
    O4 - Startup: WinTidy.lnk = E:\Program Files\WinTidy\WinTidy.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122703720927
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O20 - Winlogon Notify: nwprovau - E:\WINNT\SYSTEM32\nwprovau.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINNT\System32\Ati2evxx.exe
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - E:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - E:\WINNT\system32\DRIVERS\dcfssvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
    O23 - Service: Fix-It Task Manager - Ontrack Data International - E:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINNT\system32\LEXBCES.EXE
    O23 - Service: ptssvc - KODAK - E:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
     
  4. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Are you familiar with editing the registry?
    You can go to Start>>Run>>regedit
    Use the left side of the screen to browse here:
    HKEY_CLASSES_ROOT\CLSID\
    Then select and delete these 3 keys:
    {00A6FAF6-072E-44CF-8957-5838F569A31D}
    {147A976E-EEE1-4377-8EA7-4716E4CDD239}
    {9AFB8248-617F-460D-9366-D71CDEDA3179}

    Be careful not to delete anything else besides those.
     
  5. Gabriel

    Gabriel Account Closed Thread Starter

    Joined:
    May 1, 2003
    Messages:
    17,353
    Hi Brendan...thank you so much for assisting me....I gave the registry a look, and did find the 3 keys....however, two of them have some of the capital letters of the key name in lower case.....e.g....{00A6FAF6-072E-44CF-8957-5838F569A31D} reads as {00A6FAF6-072E-44cf-8957-5838F569A31D}...in the third set of numerals, the c and f are lower case in the actual registry on my machine....
    Is that the wrong one, or is that the right one? You said to delete the exact ones? I am confused and afraid to delete them.
     
  6. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    You can go ahead and delete those, the case does not matter.
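    An added example, not from the thread or from any of the posters, showing how a technician would do the same check and removal from posts 4 and 6 in PowerShell on a current Windows system instead of by hand in regedit: it confirms each flagged CLSID is present (registry key names match case-insensitively, which is why the lower-case "44cf" is the same key), shows which DLL the COM class points at, exports the key for rollback, and deletes only when the -Remove switch is given. Assumed: Windows PowerShell 5.1 or later run as Administrator; the three CLSIDs and their Panda labels are taken from the report in post 1.

```powershell
# Editor's added example (not from the thread). Audit, back up and optionally remove
# the CLSID keys Panda flagged. Key names are case-insensitive, so Test-Path finds
# {...44cf...} when given {...44CF...}. Assumes PowerShell 5.1+ as Administrator.
function Remove-FlaggedClsid {
    param(
        [string[]]$Clsid,
        [switch]$Remove,                                   # default: report only
        [string]$BackupDir = (Join-Path $env:TEMP 'clsid-backup')
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # The machine in the thread was 32-bit Windows 2000; on 64-bit Windows a 32-bit
    # browser helper registers under Wow6432Node as well, so check both hives.
    $roots = 'HKCR\CLSID', 'HKCR\Wow6432Node\CLSID'
    foreach ($id in $Clsid) {
        foreach ($root in $roots) {
            $key = "Registry::HKEY_CLASSES_ROOT\" + ($root -replace '^HKCR\\', '') + "\$id"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            # Show the DLL behind the class before touching anything, so the
            # operator can confirm it is the toolbar component and not a system class.
            $dll = (Get-ItemProperty -LiteralPath "$key\InprocServer32" `
                    -ErrorAction SilentlyContinue).'(default)'
            Write-Host "$root\$id  ->  InprocServer32 = $dll"
            # Export first: 'reg import <file>' restores the key if this was a mistake.
            $file = Join-Path $BackupDir (($id -replace '[{}]', '') + '.reg')
            reg.exe export "$root\$id" $file /y | Out-Null
            # -WhatIf only prints what would be deleted unless -Remove was passed.
            Remove-Item -LiteralPath $key -Recurse -WhatIf:(-not $Remove)
        }
    }
}

# The three keys from the Panda report in post 1 (labels as Panda reported them).
$flagged = @(
    '{00A6FAF6-072E-44CF-8957-5838F569A31D}'   # application/funweb
    '{147A976E-EEE1-4377-8EA7-4716E4CDD239}'   # application/mywebsearch
    '{9AFB8248-617F-460D-9366-D71CDEDA3179}'   # application/myway
)
Remove-FlaggedClsid -Clsid $flagged            # dry run; add -Remove to delete
```

Review the printed InprocServer32 paths before re-running with -Remove; the .reg files in the backup directory undo the deletion.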
     
  7. Gabriel

    Gabriel Account Closed Thread Starter

    Joined:
    May 1, 2003
    Messages:
    17,353
    Thanks much Brendan...I deleted them and my PC is still going so I guess they were the right ones to delete:) ...Did I need to do anything else before I mark the thread solved....?
     
  8. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Looks like it's fixed :)
     
  9. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Gabriel....that darn Smiley Central!!! :p See you back in Hawaii :D
     
  10. Gabriel

    Gabriel Account Closed Thread Starter

    Joined:
    May 1, 2003
    Messages:
    17,353
    Yes Cheeseball...I had a sneaking suspicion they left something for me, and sure enough Panda found it:)
     
Short URL to this thread: https://techguy.org/437566
