
Topic: Ad- & Spyware Specials

  1. #1
    Ruby, Supermod (retired)
    Joined: 25.01.2005
    Location: The Netherlands
    Posts: 20.175

    Ad- & Spyware Specials

    ADW_ADSTAT.A

    Discovery Date: Jan 31, 2005
    Description & Threat Type: Adware

    Systems Affected: Windows 95, 98, ME, NT, 2000, and XP.

    This adware may come from freeware bundled packages. Upon execution it creates the folder Windows AdStatus in the Windows program files directory. It drops the following files in its created folder:

    * Info.txt
    * WinStat.exe
    * WinStatComm.dll
    * WinStatKeep.exe

    It also creates the following registry entry so that it runs at Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run
    Windows AdStatus = "C:\Program Files\Windows AdStatus\WinStat.exe"

    It also creates the following registry entries:

    HKEY_LOCAL_MACHINE\Software\Windows AdStatus

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows AdStatus


    Solution:

    TREND MICRO SOLUTION

    * Minimum scan engine version needed: 7.100
    TMAPTN version needed: 214.13

    * DCE version needed: 3.8
    TMADCE version needed: 148.02

    MANUAL REMOVAL INSTRUCTIONS

    Using the Grayware Uninstall Option

    To remove this grayware program using its uninstall option, do the following:

    1. Click Start>Settings>Control Panel.
    2. Double-click on Add/Remove Programs.
    3. In the displayed list, choose the following program:
    Windows Adstatus
    4. Click on Change/Remove.
    5. Follow the instructions on the dialog box that appears.
    6. Close the Add/Remove Programs window, and the Control Panel window.

    Identifying the Grayware Program

    Download the latest grayware pattern file and scan your system. Note all files detected as ADW_ADSTAT.A.

    Terminating the Grayware Program

    This procedure terminates the running grayware process. You will need the name(s) of the file(s) detected earlier.

    1. Open Windows Task Manager.
    » On Windows 95, 98, and ME, press
    CTRL+ALT+DELETE
    » On Windows NT, 2000, and XP, press
    CTRL+SHIFT+ESC, then click the Processes tab.
    2. In the list of running programs*, locate the grayware file(s) detected earlier.
    3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    4. Do the same for all detected grayware files in the list of running processes.
    5. To check if the grayware process has been terminated, close Task Manager, and then open it again.
    6. Close Task Manager.

    *NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the grayware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Grayware Entries from the Registry

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

    3. In the right panel, locate and delete the entry:
    Windows AdStatus = "C:\Program Files\Windows AdStatus\WinStat.exe"
    4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>
    5. In the right panel, locate and delete the entry:
    Windows AdStatus
    6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Uninstall

    7. In the right panel, locate and delete the entry:
    Windows AdStatus
    8. Close Registry Editor.

    NOTE: If you were not able to terminate the grayware process as described in the previous procedure, restart your system.

    Additional Windows ME/XP Cleaning Instructions

    Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

    Users running other Windows versions can proceed with the succeeding procedure set(s).

    Running Trend Micro Antivirus

    Download and unzip the latest grayware pattern file and scan your system. Then, delete all files detected as ADW_ADSTAT.A.

    (Copy of the original TREND MICRO Site) For more information read here: ADW_ADSTAT.A
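    The following is an added example, not part of the Trend Micro write-up or of this post: a read-only PowerShell check for the ADW_ADSTAT.A artifacts listed above (folder, dropped files, Run value, settings key, Uninstall entry and any process started from the folder). It reports what is present and deletes nothing, so the output can be compared against the manual removal steps before anything is touched. It assumes Windows PowerShell 5.1 or later; the item names are the ones given in the post.

```powershell
# Added example: audit a system for the ADW_ADSTAT.A artifacts named in the write-up.
# Read-only; nothing is stopped, deleted or modified.

$ProgramFilesDir = Join-Path $env:ProgramFiles 'Windows AdStatus'
$DroppedFiles    = 'Info.txt', 'WinStat.exe', 'WinStatComm.dll', 'WinStatKeep.exe'

# Registry locations named in the write-up: the autostart value under Run,
# the adware's own settings key, and its Add/Remove Programs entry.
$RunKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValueName = 'Windows AdStatus'
$OtherKeys    = @(
    'HKLM:\Software\Windows AdStatus',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows AdStatus'
)

function Get-AdStatusFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Folder and dropped files under Program Files (hash each file for the record)
    if (Test-Path -LiteralPath $ProgramFilesDir) {
        $findings.Add([pscustomobject]@{ Type = 'Folder'; Location = $ProgramFilesDir; Detail = '' })
        foreach ($name in $DroppedFiles) {
            $path = Join-Path $ProgramFilesDir $name
            if (Test-Path -LiteralPath $path) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $findings.Add([pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256=$hash" })
            }
        }
    }

    # 2. Autostart value: report the command line so it can be compared with the write-up
    $run = Get-ItemProperty -LiteralPath $RunKey -Name $RunValueName -ErrorAction SilentlyContinue
    if ($run) {
        $findings.Add([pscustomobject]@{
            Type = 'RunValue'; Location = "$RunKey\$RunValueName"; Detail = $run.$RunValueName })
    }

    # 3. Settings key and Uninstall entry
    foreach ($key in $OtherKeys) {
        if (Test-Path -LiteralPath $key) {
            $findings.Add([pscustomobject]@{ Type = 'Key'; Location = $key; Detail = '' })
        }
    }

    # 4. Running processes whose image lives in the adware folder (Path is $null for
    #    processes we may not inspect, so those are skipped rather than failing)
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path.StartsWith($ProgramFilesDir, 'OrdinalIgnoreCase') } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'Process'; Location = $_.Path; Detail = "PID=$($_.Id)" })
        }

    return ,$findings
}

$result = Get-AdStatusFindings
if ($result.Count -eq 0) {
    Write-Output 'No ADW_ADSTAT.A artifacts found.'
} else {
    $result | Format-Table Type, Location, Detail -AutoSize
}
```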

  2. #2
    Ruby, Supermod (retired)

    Re: Windows AdStatus (Adware)

    Adware.Begin2search

    Systems Affected:
    Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

    Behavior
    Adware.Begin2search is an Internet Explorer toolbar that displays pop-up advertisements when certain URLs are visited.

    Symptoms
    The files are detected as Adware.Begin2search.

    Transmission
    This adware component must be manually installed or installed as a component of another program.

    Technical details
    File names: reg6523.exe; winb2s32.dll

    When Adware.Begin2search is executed, it performs the following actions:
    1. Creates the following files:
    * %System%\reg6523.exe
    * %System%\winb2s32.dll
    * %System%\dsktrf.dll

    Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    2. Adds values to the following registry sub keys:

    HKEY_CLASSES_ROOT\winb2s.dbi.1
    HKEY_CLASSES_ROOT\winb2s.dbi
    HKEY_CLASSES_ROOT\winb2s.iiittt.1
    HKEY_CLASSES_ROOT\winb2s.iiittt
    HKEY_CLASSES_ROOT\winb2s.momo.1
    HKEY_CLASSES_ROOT\winb2s.momo
    HKEY_CLASSES_ROOT\winb2s.ohb.1
    HKEY_CLASSES_ROOT\winb2s.ohb
    HKEY_CLASSES_ROOT\winb2s.amo.1
    HKEY_CLASSES_ROOT\winb2s.amo
    HKEY_CLASSES_ROOT\CLSID\{52FE5233-367C-4EFB-BDD7-0BE4D212C107}
    HKEY_CLASSES_ROOT\CLSID\{07E9CDF4-20D2-46B1-B681-663968F527CE}
    HKEY_CLASSES_ROOT\CLSID\{7C5E5671-7A1D-4AE8-91F0-496ADF2825F7}
    HKEY_CLASSES_ROOT\CLSID\{4D568F0F-8AC9-40AB-88B7-415134C78777}
    HKEY_CLASSES_ROOT\CLSID\{09C14745-90FD-42D1-9276-4924D7DBC274}

    3. Adds a search toolbar to Internet Explorer.

    4. Displays pop-up ads.

    5. May add the following value:

    "{52FE5233-367C-4EFB-BDD7-0BE4D212C107}" = "[no value]"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

    6. May also add values to the following registry sub keys:
    HKEY_CLASSES_ROOT\TypeLib\{081DE2F6-927B-4AA9-88C1-F531C9387383}

    HKEY_CLASSES_ROOT\Interface\{A797A41D-F9F0-4A32-B9B5-AF927CB5AE54}
    HKEY_CLASSES_ROOT\Interface\{B12508AD-CA55-4238-8DB3-55808BA6915A}
    HKEY_CLASSES_ROOT\Interface\{F912C325-5B26-4AD6-BF39-84370833E972}
    HKEY_CLASSES_ROOT\Interface\{BF7CB2C3-55B6-44C1-9615-920D004C27F7}
    HKEY_CLASSES_ROOT\Interface\{6FE4AADF-EDAC-4037-9164-0B60179A4F12}
    HKEY_CLASSES_ROOT\Interface\{17973BD7-959C-4D8A-8B2F-AB200E20A75E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.amo
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.amo.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.iiittt
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.iiittt.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.momo
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.momo.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.ohb
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.ohb.1
    HKEY_ALL_USERS\Software\_dsktptr
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6024FCD5-91FC-4DC7-8481-63EABD5051D8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4776F3A-6936-4A9C-B2DA-E57C239FD2F8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF81672F-13FF-401F-8662-6E895C564CC4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D568F0F-8AC9-40AB-88B7-415134C78777}
    HKEY_CURRENT_USER\SOFTWARE\aaa_soft

    ----------------------

    To delete the keys from the registry, please download Registrar Lite.

    Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a back up of the Windows registry," for instructions.

    1. Click Start > Run.
    2. Type regedit, then click OK.

    3. Navigate and delete the following keys:

    HKEY_CLASSES_ROOT\winb2s.dbi.1
    HKEY_CLASSES_ROOT\winb2s.dbi
    HKEY_CLASSES_ROOT\winb2s.iiittt.1
    HKEY_CLASSES_ROOT\winb2s.iiittt
    HKEY_CLASSES_ROOT\winb2s.momo.1
    HKEY_CLASSES_ROOT\winb2s.momo
    HKEY_CLASSES_ROOT\winb2s.ohb.1
    HKEY_CLASSES_ROOT\winb2s.ohb
    HKEY_CLASSES_ROOT\winb2s.amo.1
    HKEY_CLASSES_ROOT\winb2s.amo
    HKEY_CLASSES_ROOT\CLSID\{52FE5233-367C-4EFB-BDD7-0BE4D212C107}
    HKEY_CLASSES_ROOT\CLSID\{07E9CDF4-20D2-46B1-B681-663968F527CE}
    HKEY_CLASSES_ROOT\CLSID\{7C5E5671-7A1D-4AE8-91F0-496ADF2825F7}
    HKEY_CLASSES_ROOT\CLSID\{4D568F0F-8AC9-40AB-88B7-415134C78777}
    HKEY_CLASSES_ROOT\CLSID\{09C14745-90FD-42D1-9276-4924D7DBC274}
    HKEY_CLASSES_ROOT\TypeLib\{081DE2F6-927B-4AA9-88C1-F531C9387383}
    HKEY_CLASSES_ROOT\Interface\{A797A41D-F9F0-4A32-B9B5-AF927CB5AE54}
    HKEY_CLASSES_ROOT\Interface\{B12508AD-CA55-4238-8DB3-55808BA6915A}
    HKEY_CLASSES_ROOT\Interface\{F912C325-5B26-4AD6-BF39-84370833E972}
    HKEY_CLASSES_ROOT\Interface\{BF7CB2C3-55B6-44C1-9615-920D004C27F7}
    HKEY_CLASSES_ROOT\Interface\{6FE4AADF-EDAC-4037-9164-0B60179A4F12}
    HKEY_CLASSES_ROOT\Interface\{17973BD7-959C-4D8A-8B2F-AB200E20A75E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.amo
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.amo.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.iiittt
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.iiittt.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.momo
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.momo.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.ohb
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.ohb.1
    HKEY_ALL_USERS\Software\_dsktptr
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6024FCD5-91FC-4DC7-8481-63EABD5051D8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4776F3A-6936-4A9C-B2DA-E57C239FD2F8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF81672F-13FF-401F-8662-6E895C564CC4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D568F0F-8AC9-40AB-88B7-415134C78777}
    HKEY_CURRENT_USER\SOFTWARE\aaa_soft

    4. Delete the following value:

    "{52FE5233-367C-4EFB-BDD7-0BE4D212C107}" = "[no value]"

    from the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

    5. Exit the Registry Editor.


    Read more: Symantec
    Copy of the Original Site of SYMANTEC

  3. #3
    Ruby, Supermod (retired)

    WinTools Removal

    WinTools Removal Instructions and Help

    What is WinTools?

    WinTools appears to be a variant of Huntbar. It is very persistent and extremely difficult to remove. It creates its own folder under Program Files/Common Files called WinTools. All of its files appear to be contained within this folder.

    How do I Remove WinTools?

    Although there are many different methods across the web to remove this parasite, here is the most reliable way of doing this.

    1) While online, download HiJackThis. You may want to read through the HiJackThis tutorial as well.

    2) Reboot your computer into Safe Mode; you may also want to turn off System Restore in Windows XP/ME to remove any backups of the files you are about to delete.

    3) Remove the Startup Entries in the Registry

    * Click on Start, Run, Type REGEDIT and Click OK
    * Click the pluses(+) next to the following items
    o HKEY_LOCAL_MACHINE
    o Software
    o Microsoft
    o Windows
    o CurrentVersion
    o Run
    * Right-Click on the file WinTools and click DELETE
    * Click the pluses(+) next to the following items
    o HKEY_LOCAL_MACHINE
    o Software
    o Microsoft
    o Windows
    o CurrentVersion
    o RunServices
    * Right-Click on the file WinTools and click DELETE
    * Close REGEDIT

    4) Run HiJackThis (while in Safe Mode) and Delete any entries relating to WinTools including

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL

    Although the following entries should have been deleted in Step 3, delete these entries if they still exist.

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe

    5) Delete the WinTools folder and all associated files

    * Open My Computer, Drive C, Program Files, Common Files
    * Right-click on the WinTools folder (if it exists) and Delete it

    6) You should also delete or clean up your hosts file

    Windows 95/98/Me c:\windows\hosts
    Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
    Windows XP Home c:\windows\system32\drivers\etc\hosts

    7) Reboot the computer in Normal Mode and run HiJackThis again to test (Wintools should be gone)

    ==============

    Attention: don't use wintools.exe

    The removal tool "wintools.exe" offered on the Internet is another parasite. Please don't use it!

    What Is It?
    Ibis Toolbar - wintools.exe

    What Does it Do?
    This toolbar is also a search hijacker and BHO. It will also try to install a number of other applications which according to the terms you agreed to while installing it CAN do! IBIS has been known to prevent you from visiting a number of popular spyware removal sites.

    Web Search features one-click access to the search results of fifteen (15) of the best search providers on the Internet! Now, you can search for relevant web results, images, audio, news and much more from one convenient location! Web Search is your best "search friendly" tool on the web, saving you time and effort. Source

    Removal Instructions:
    Our Ibis Toolbar Removal guide can be found here.


    Destroy Autorun:

    Delete the following keys
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\wintools
    From: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\
    emusicclient systray,
    fash
    wintools

    From: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\
    wintools
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservicesonce\wintools

    Reboot your system then:

    Make sure you click Start --> Run and type in msconfig. Then select the Startup tab and uncheck any references to the processes listed below.

    Unregister DLLs:

    Tip: this is only a list of known files/locations. You will want to do a search by the name of the file to see if they're on your system. A while back I wrote a guide* to Register/remove DLL or AX files which you will need if you don't know how to unregister these files.

    Each file is in several locations so you'll need to search for them and unregister + delete them in every location you find.

    btiein.dll
    f3ezsetp.dll
    sep.dll
    toolbar.dll
    wtoolsb.dll

    End Processes (may or may not exist):

    iexploreskins.exe
    emusicclient.exe
    fash.exe
    wintools.exe
    wtoolsa.exe
    wsup.exe
    wtoolss.exe

    Remove Directories:

    Program Files\common files\wintools\
    Program Files\common~1\wintools\
    Program Files\funwebproducts\installr\2.bin

    Clean your Registry:

    RegScrubXP 3.25
    RegCleaner
    EasyCleaner
    Microsoft RegClean
    WT RegCleanerXP
    TweakNow RegCleaner

    You should be back to normal IF this was your only problem.
    I suggest you post in our HJT forum since it's not likely that this is your only bug.

    ==============

    Guide*

    You can use the Regsvr32 tool (Regsvr32.exe) to register and unregister object linking and embedding (OLE) controls such as dynamic-link library (DLL) or ActiveX Controls (OCX) files that are self-registerable. This may be necessary to troubleshoot some issues with Windows, Microsoft Internet Explorer, or other programs. It is also frequently used by program hacks.

    1.) Copy the files you would like to register to [C:\WINDOWS\system32]
    2.) Go to the command prompt Start --> Run --> cmd
    3a.) To install/register the file, type in: regsvr32 file.dll or regsvr32 file.ax
    3b.) To uninstall the file, type: regsvr32 -u file.dll or regsvr32 -u file.ax
    4.) Some type of message should be displayed that says you successfully registered or unregistered the file

    Extra info:
    Regsvr32 [/u] [/n] [/i[:cmdline]] dllname

    /u - Unregister server
    /i - Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
    /n - do not call DllRegisterServer; this option must be used with /i
    More information @ MS

    ==============

    wintools.exe is Spyware! Remove that beatch
    Search for this item in the startup DB here.

    ==============


    Copy of the Original Articles, made by Ruby for the Users of HijackThis.de
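    The following is an added example, not part of the post, of HijackThis or of the Ibis guide: a PowerShell script that lists the Internet Explorer Browser Helper Objects and toolbars registered under HKLM and resolves each CLSID to the DLL that implements it. This is the registry data behind the HijackThis "O2 - BHO" lines quoted above and shows which DLL a regsvr32 -u would have to target. The known CLSIDs are taken from posts #2 and #3; the function names are this example's own. It assumes Windows PowerShell 5.1 or later and modifies nothing.

```powershell
# Added example: resolve IE BHO and toolbar CLSIDs to their InprocServer32 DLL.
# Read-only; nothing is unregistered, deleted or modified.

# CLSIDs quoted in the posts above (WinTools in post #3, Begin2search in post #2).
$KnownBadClsids = @{
    '{87766247-311C-43B4-8499-3D5FEC94A183}' = 'WinTools (WToolsB.dll)'
    '{63B78BC1-A711-4D46-AD2F-C581AC420D41}' = 'WinTools (BTIEIN.DLL)'
    '{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}' = 'Adware.Begin2search (BHO)'
    '{4D568F0F-8AC9-40AB-88B7-415134C78777}' = 'Adware.Begin2search (BHO)'
    '{52FE5233-367C-4EFB-BDD7-0BE4D212C107}' = 'Adware.Begin2search (toolbar)'
}

# Native registry view only. On 64-bit Windows, BHOs for 32-bit IE register under
# Software\Wow6432Node\... and would need a second pass over those keys.
$BhoKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ToolbarKey = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
$GuidRegex  = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-InprocServer {
    # A BHO or toolbar is registered by CLSID only; the DLL path is the default value of
    # HKCR\CLSID\{clsid}\InprocServer32. Returns $null when that key is missing.
    param([string]$Clsid)
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $raw  = [string]$item.'(default)'
    # Paths may contain %SystemRoot% or be quoted; normalise before testing for existence.
    $path = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
    [pscustomobject]@{
        Dll       = $path
        DllExists = ($path -ne '' -and (Test-Path -LiteralPath $path))
        Threading = $item.ThreadingModel
    }
}

function New-ExtensionRecord {
    param([string]$Kind, [string]$Clsid)
    $server = Resolve-InprocServer -Clsid $Clsid
    $dll    = '<InprocServer32 missing>'
    $exists = $false
    if ($server) { $dll = $server.Dll; $exists = $server.DllExists }
    [pscustomobject]@{
        Kind      = $Kind
        Clsid     = $Clsid
        Known     = $KnownBadClsids[$Clsid]   # $null (blank) when not in the list
        DllExists = $exists
        Dll       = $dll
    }
}

function Get-IeExtensions {
    $records = New-Object System.Collections.Generic.List[object]

    # BHOs: one subkey per CLSID
    if (Test-Path -LiteralPath $BhoKey) {
        foreach ($sub in Get-ChildItem -LiteralPath $BhoKey) {
            $records.Add((New-ExtensionRecord -Kind 'BHO' -Clsid $sub.PSChildName))
        }
    }

    # Toolbars: one value per CLSID; the data is usually empty ("[no value]" in post #2)
    if (Test-Path -LiteralPath $ToolbarKey) {
        $props = Get-ItemProperty -LiteralPath $ToolbarKey
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -match $GuidRegex) {
                $records.Add((New-ExtensionRecord -Kind 'Toolbar' -Clsid $name))
            }
        }
    }
    return ,$records
}

$ext = Get-IeExtensions
if ($ext.Count -eq 0) {
    Write-Output 'No BHOs or IE toolbars registered under HKLM.'
} else {
    # A Known label means the CLSID matches one quoted in the posts; DllExists = False
    # means an orphaned registration whose file has already been deleted.
    $ext | Sort-Object Kind, Clsid | Format-Table Kind, Clsid, Known, DllExists, Dll -AutoSize
}
```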

  4. #4
    Unregistered
    Guest

    shopping wizard

    I have had the remains of this trojan for months and I am unable to get rid of something called "shopping wizard". I have followed the instructions given in this post http://forum.hijackthis.de/showthread.php?t=3432 and have the log that it created. I'd appreciate any help anyone might be able to offer. Thanks in advance. -Christine

  5. #5
    Ruby, Supermod (retired)

    Re: shopping wizard

    Welcome to HijackThis.de @ Christine

    Please download HijackThis.
    Run it and have it save a logfile.
    Post that HijackThis Logfile in vB Code!
    Note: Announcement
    ....

    Download for free:
    Registrar Lite


    For the greatest safety, it is recommended that if you edit the registry, you back up the entire registry.

    Removal Instructions

    1) Open Registry Editor. Click Start > Run > type REGEDIT > then press Enter.
    You can also use Registrar Lite:

    2) In the left panel, double-click to:
    HKEY_CLASSES_ROOT>CLSID>{A37B1EF1-FF7A-A47A-8449-3BCE6606697A}>InprocServer32

    3) In the right panel, locate and delete the entry or entries:
    @ = C:\WINDOWS\System32\sdkns32.dll
    ThreadingModel =Apartment

    4) In the left panel, double-click to:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
    CurrentVersion>Explorer>Browser Helper Objects>{A37B1EF1-FF7A-A47A-8449-3BCE6606697A}

    5) In the right panel, locate and delete the entry or entries:
    @ = ""

    6) In the left panel, double-click to:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Uninstall>HSA

    7) In the right panel, locate and delete the entry or entries:
    DisplayName = Home Search Assistent
    UninstallString = "rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/HomeSearchAssistant.html"

    8) In the left panel, double-click to:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Uninstall>SE

    9) In the right panel, locate and delete the entry or entries:
    DisplayName = Search Extender
    UninstallString = "rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/SearchExtender.html"

    10) In the left panel, double-click to:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Uninstall>SW

    11) In the right panel, locate and delete the entry or entries:
    DisplayName = Shopping Wizard
    UninstallString = "rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/ShoppingWizard.html"

    12) Close the Registry editor.


    Source

  6. #6
    Ruby, Supermod (retired)

    Re: Ad- & Spyware Specials

    Aze Search Toolbar
    Alias: Azsearch Toolbar, CoolWebSearch.MWSearch (Microsoft Anti-Spy), SimpleBar Toolbar, ZToolbar

    Manual Removal

    Follow these steps to remove Aze Search Toolbar from your machine.
    Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

    Stop Running Processes:

    Kill these running processes with Task Manager:

    un.exe
    uninstall11.exe
    unv2.exe

    Unregister DLLs:

    Unregister these DLLs with Regsvr32, then reboot:

    azesearch.dll
    azesearch2.dll
    iasad.dll
    systemroot+\system32\iasadm.dll

    Clean Registry:

    Remove these registry items (if present) with RegEdit:
    (You can use Registrar Lite)

    START > run > (type) REGEDIT > (press) [enter]:

    HKEY_CLASSES_ROOT\addressbar.loader
    HKEY_CLASSES_ROOT\addressbar.loader.1
    HKEY_CLASSES_ROOT\azentretien.loader
    HKEY_CLASSES_ROOT\azentretien.loader.1
    HKEY_CLASSES_ROOT\clsid\{0d2def3a-f4f1-42ec-ac4f-132e7ba6e292}
    HKEY_CLASSES_ROOT\clsid\{a19ef336-01d4-48e6-926a-fe7e1c747aed}
    HKEY_CLASSES_ROOT\clsid\{a6790aa5-c6c7-4bcf-a46d-0fdac4ea90eb}
    HKEY_CLASSES_ROOT\clsid\{ba048011-957f-4ba0-a804-62c28d96f878}
    HKEY_CLASSES_ROOT\clsid\{d7bf3304-138b-4dd5-86ee-491bb6a2286c}
    HKEY_CLASSES_ROOT\clsid\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}
    HKEY_CLASSES_ROOT\clsid\{f65b197f-8260-4d52-909a-f70118e646eb}
    HKEY_CLASSES_ROOT\clsid\{fff5092f-7172-4018-827b-fa5868fb0478}
    HKEY_CLASSES_ROOT\interface\{636ff82a-830a-42ea-938b-6dc78b2ac30c}
    HKEY_CLASSES_ROOT\interface\{38252777-2500-456e-8b3d-a55850306da2}
    HKEY_CLASSES_ROOT\interface\{6deee498-08cc-43f0-bca0-dbb5a25c9501}
    HKEY_CLASSES_ROOT\interface\{a55c3ba7-db1e-4652-867e-055ceafe8018}
    HKEY_CLASSES_ROOT\interface\{dcfab192-4a0e-4720-8e24-70d5f0cb8c39}
    HKEY_CLASSES_ROOT\interface\{ef77d50b-5767-4e0e-a3a4-098670025f1d}
    HKEY_CLASSES_ROOT\interface\{f4394f24-163d-430b-b5af-b68b56031b99}
    HKEY_CLASSES_ROOT\typelib\{42fc3840-020c-4e93-a34c-4df1a6330fbb}
    HKEY_CLASSES_ROOT\typelib\{84c94803-b5ec-4491-b2be-7b113e013b77}
    HKEY_CLASSES_ROOT\typelib\{dea43ce3-d57b-45f6-a4d1-110e652ced11}
    HKEY_LOCAL_MACHINE\software\azentretienco
    HKEY_LOCAL_MACHINE\software\azesearchco
    HKEY_LOCAL_MACHINE\software\azesearchco\azesearch
    HKEY_LOCAL_MACHINE\software\loaderco
    HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{d7bf3304-138b-4dd5-86ee-491bb6a2286c}
    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{a19ef336-01d4-48e6-926a-fe7e1c747aed}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{fff5092f-7172-4018-827b-fa5868fb0478}

    Remove Files:

    Remove these files (if present) with Windows Explorer:
    Code:
    404[1].htm
    adult[1].url
    avp32.rpt
    aze search toolbar.txt
    azesearch.dll
    azesearch[1].cabb
    azesearch2.dll
    azesearch2.xmll
    desktopdir+\adult.url
    desktopdir+\casino.url
    desktopdir+\imagemagick.url
    desktopdir+\shopping.url
    desktopdir+\spyware remover.url
    f.csv.lnk
    favorites+\adult\adult dating.url
    favorites+\adult\anal ***.url
    favorites+\adult\animal ***.url
    favorites+\adult\bdsm.url
    favorites+\adult\escorts.url
    favorites+\adult\fetish.url
    favorites+\adult\free ***.url
    favorites+\adult\gay\free gay pic.url
    favorites+\adult\gay\gay dating.url
    favorites+\adult\gay\gay man.url
    favorites+\adult\gay\gay movies.url
    favorites+\adult\gay\gay personals.url
    favorites+\adult\gay\gay porn.url
    favorites+\adult\gay\gay ***.url
    favorites+\adult\gay\gay single.url
    favorites+\adult\gay\gay teen.url
    favorites+\adult\group ***.url
    favorites+\adult\lesbians\free lesbian porn.url
    favorites+\adult\lesbians\hot lesbian.url
    favorites+\adult\lesbians\lesbian kissing.url
    favorites+\adult\lesbians\lesbian movies.url
    favorites+\adult\lesbians\lesbian orgy.url
    favorites+\adult\lesbians\lesbian porn.url
    favorites+\adult\lesbians\lesbian ***.url
    favorites+\adult\lesbians\lesbian video.url
    favorites+\adult\lesbians\lesbians.url
    favorites+\adult\lesbians\teen lesbian.url
    favorites+\adult\mature ***.url
    favorites+\adult\penis enlargement.url
    favorites+\adult\porn video.url
    favorites+\adult\porn.url
    favorites+\adult\***.url
    favorites+\adult\single girls.url
    favorites+\adult\swingers.url
    favorites+\adult\teen ***.url
    favorites+\adult\teens\nude teen.url
    favorites+\adult\teens\teen chat.url
    favorites+\adult\teens\teen model.url
    favorites+\adult\teens\teen porn.url
    favorites+\adult\teens\teen pussy.url
    favorites+\adult\teens\teen ***.url
    favorites+\adult\teens\teens.url
    favorites+\adult\teens\virgins.url
    favorites+\adult\teens\young teen.url
    favorites+\favorites\adware.url
    favorites+\favorites\cars.url
    favorites+\favorites\computer privacy\antivirus.url
    favorites+\favorites\computer privacy\computer privacy.url
    favorites+\favorites\computer privacy\computer security.url
    favorites+\favorites\computer privacy\firewalls.url
    favorites+\favorites\computer privacy\norton antivirus.url
    favorites+\favorites\computer privacy\pc cleaner.url
    favorites+\favorites\computer privacy\proxy list.url
    favorites+\favorites\computer privacy\spyware remover.url
    favorites+\favorites\computer privacy\virus scanner.url
    favorites+\favorites\computer security.url
    favorites+\favorites\dating.url
    favorites+\favorites\dating\adult datings.url
    favorites+\favorites\dating\brides.url
    favorites+\favorites\dating\chat.url
    favorites+\favorites\dating\dating.url
    favorites+\favorites\dating\free dating.url
    favorites+\favorites\dating\free gay dating.url
    favorites+\favorites\dating\free mature dating.url
    favorites+\favorites\dating\free single chat.url
    favorites+\favorites\dating\free teen dating.url
    favorites+\favorites\dating\russian dating.url
    favorites+\favorites\dating\russian girls.url
    favorites+\favorites\dating\*** contacts.url
    favorites+\favorites\dating\*** cruise.url
    favorites+\favorites\dating\*** personals.url
    favorites+\favorites\dating\single girls.url
    favorites+\favorites\dating\xxx chat.url
    favorites+\favorites\domain names.url
    favorites+\favorites\finance.url
    favorites+\favorites\games.url
    favorites+\favorites\humor.url
    favorites+\favorites\money\banks.url
    favorites+\favorites\money\business.url
    favorites+\favorites\money\credit cards.url
    favorites+\favorites\money\debt consolidation.url
    favorites+\favorites\money\finance.url
    favorites+\favorites\money\home mortgage.url
    favorites+\favorites\money\investing.url
    favorites+\favorites\money\job search.url
    favorites+\favorites\money\loan.url
    favorites+\favorites\money\money.url
    favorites+\favorites\money\mutual funds.url
    favorites+\favorites\money\personal finance.url
    favorites+\favorites\money\stocks.url
    favorites+\favorites\money\trading.url
    favorites+\favorites\movies.url
    favorites+\favorites\music and movies\artists.url
    favorites+\favorites\music and movies\dvd players.url
    favorites+\favorites\music and movies\instrumental music.url
    favorites+\favorites\music and movies\lyrics.url
    favorites+\favorites\music and movies\melody to mobile.url
    favorites+\favorites\music and movies\midi.url
    favorites+\favorites\music and movies\movies.url
    favorites+\favorites\music and movies\mp3 players.url
    favorites+\favorites\music and movies\mp3.url
    favorites+\favorites\music and movies\music albums.url
    favorites+\favorites\music and movies\music charts.url
    favorites+\favorites\music and movies\music.url
    favorites+\favorites\music and movies\radio.url
    favorites+\favorites\music and movies\soundtracks.url
    favorites+\favorites\music and movies\top10 mp3.url
    favorites+\favorites\music and movies\video.url
    favorites+\favorites\online pharmacy.url
    favorites+\favorites\*** personals.url
    favorites+\favorites\sports.url
    favorites+\favorites\spyware remover.url
    favorites+\favorites\viagra.url
    favorites+\favorites\weather.url
    favorites+\favorites\web hosting.url
    favorites+\gambling\baccarat.url
    favorites+\gambling\betting.url
    favorites+\gambling\bingo.url
    favorites+\gambling\blackjack.url
    favorites+\gambling\caribbean pirate poker.url
    favorites+\gambling\casino.url
    favorites+\gambling\gambling.url
    favorites+\gambling\horse racing.url
    favorites+\gambling\online casino.url
    favorites+\gambling\online gambling.url
    favorites+\gambling\poker.url
    favorites+\gambling\roulette.url
    favorites+\gambling\slot machines.url
    favorites+\gambling\sport betting.url
    favorites+\gambling\sportsbooks.url
    favorites+\gambling\video poker.url
    favorites+\pharmacy\carisoprodol.url
    favorites+\pharmacy\celebrex.url
    favorites+\pharmacy\cialis.url
    favorites+\pharmacy\crestor.url
    favorites+\pharmacy\levitra.url
    favorites+\pharmacy\lipitor.url
    favorites+\pharmacy\neurontin.url
    favorites+\pharmacy\online pharmacy.url
    favorites+\pharmacy\paxil.url
    favorites+\pharmacy\phentermine.url
    favorites+\pharmacy\tramadol.url
    favorites+\pharmacy\water phentermine.url
    favorites+\pharmacy\xanax.url
    favorites+\pharmacy\zocor.url
    favorites+\pharmacy\zoloft.url
    favorites+\shopping\battery.url
    favorites+\shopping\bed.url
    favorites+\shopping\cars.url
    favorites+\shopping\cds.url
    favorites+\shopping\cigarettes.url
    favorites+\shopping\cigars.url
    favorites+\shopping\contact lens.url
    favorites+\shopping\diamonds.url
    favorites+\shopping\gift shopping\boss gift.url
    favorites+\shopping\gift shopping\candles.url
    favorites+\shopping\gift shopping\flowers.url
    favorites+\shopping\gift shopping\gift clock.url
    favorites+\shopping\gift shopping\gift shopping.url
    favorites+\shopping\gift shopping\golf.url
    favorites+\shopping\gift shopping\perfume.url
    favorites+\shopping\gift shopping\sportswear.url
    favorites+\shopping\gift shopping\wholesale.url
    favorites+\shopping\gift shopping\wine.url
    favorites+\shopping\gifts.url
    favorites+\shopping\jewelry.url
    favorites+\shopping\knife.url
    favorites+\shopping\label.url
    favorites+\shopping\notebooks.url
    favorites+\shopping\office supplies.url
    favorites+\shopping\promotional products.url
    favorites+\shopping\shades.url
    favorites+\software\cheats and trainers.url
    favorites+\software\cracks and serials.url
    favorites+\software\crackspider.url
    favorites+\software\find cracks.url
    favorites+\software\full downloads.url
    favorites+\software\spyware remover.url
    favorites+\travel\adventure travel.url
    favorites+\travel\air travel.url
    favorites+\travel\business travel.url
    favorites+\travel\discount travel.url
    favorites+\travel\food.url
    favorites+\travel\hawaii travel.url
    favorites+\travel\lodging.url
    favorites+\travel\london travel.url
    favorites+\travel\travel agent.url
    favorites+\travel\travel insurance.url
    favorites+\travel\travel package.url
    favorites+\travel\travel reservation.url
    favorites+\travel\travel spain.url
    favorites+\travel\travel web site.url
    favorites+\travel\vacation cruises.url
    favorites+\travel\vacations.url
    hosts
    iasad.dll
    importme.lnk
    mega_super_puper_reg.txt
    peek.txt
    pesteditor.exe-1466f12f.pf
    profilepath+\recent\aze search.lnk
    rundll32.exe-271239c3.pf
    systemroot+\downloaded program files\azesearch.inf
    systemroot+\system32\adult.ico
    systemroot+\system32\azesearch.bmp
    systemroot+\system32\azesearch.ocx
    systemroot+\system32\azesearch.xml
    systemroot+\system32\azesearch2.ocx
    systemroot+\system32\azesearch2.xml
    systemroot+\system32\azesearch3.ocx
    systemroot+\system32\casino.ico
    systemroot+\system32\iasadm.dll
    systemroot+\system32\shopping.ico
    systemroot+\system32\spywareremoval.ico
    toolbar screen shot.bmp.lnk
    un.exe
    uninstall11.exe
    unv2.exe
    wiadebug.log.lnk
    windows.lnk
    Remove Directories:
    (Instruction)

    Remove these directories (if present) with Windows Explorer:

    favorites+\adult
    favorites+\gambling

    Aze Search Toolbar modifies the hosts file and hijacks domains to other IP addresses:
    (more information)

    eTrust Spyware Encyclopedia: Copy of the Original Article, made by Ruby for the Users of HijackThis.de

    Download the hosts.zip
    Unzip it in a "temp" folder and place it in the appropriate installed location.
    Follow the instructions.

    If you don't have a zip tool, we suggest ZipGenius (it is free).

    Restore Settings:

    After following the instructions above, you will still need to restore your original settings and prevent this from happening again.
    Choose a new start page for IE and configure it with these settings.

    Download advice for free tools
    to clean your system after following the advice above:

    CleanUp
    ClearProg
    Crap Cleaner
    Disk Cleaner
    IE Privacy Keeper 2.3

    Ad-Aware SE
    Spybot Search & Destroy
    Bazooka™
    EliteToolbar Remover

    IE-Spyad and IE-Spyad-Tutorial
    SpywareBlaster and SpywareBlaster-Tutorial

    RegistryProt

    -> Use an alternative browser: Mozilla, Firefox, Opera.
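
Added example, not part of Ruby's post or of the eTrust article: the post above says Aze Search rewrites the hosts file to send domains to other IP addresses, and the check a helper would want before replacing the file is to see which names it currently redirects. The script below parses a hosts file and reports every name mapped to a routable address; loopback (127.0.0.1, ::1) and blackhole (0.0.0.0) entries are the normal ones and are left alone. The sample hosts content is constructed for this example, with made-up host names and addresses.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: a hosts file in the state a hosts hijacker leaves it.
# The loopback lines are normal; the 203.0.113.10 lines send named sites to
# a server of the hijacker's choosing. All names and addresses are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries added without the user's knowledge (constructed example)
203.0.113.10    www.example-search.test
203.0.113.10    search.example.test   www.search.example.test
0.0.0.0         ads.example.test
"""

# Addresses a legitimate hosts file maps names to: loopback and blackhole.
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per host name: {'line': n, 'ip': str, 'host': str}."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        ip, hosts = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address, so not a hosts mapping
        for host in hosts:
            records.append({"line": lineno, "ip": ip, "host": host.lower()})
    return records


def suspicious_entries(text: str) -> List[Dict[str, object]]:
    """Entries that map a name to a routable address.

    A hosts file is meant to point names at the local machine (or to nowhere);
    a hijacker instead points them at a remote host so that the browser lands
    on a server it controls whatever the user typed."""
    return [r for r in parse_hosts(text) if r["ip"] not in LOCAL_ADDRESSES]


def hijacked_hostnames(text: str) -> List[str]:
    """Sorted, de-duplicated list of the redirected names."""
    return sorted({r["host"] for r in suspicious_entries(text)})


if __name__ == "__main__":
    for r in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {r['line']}: {r['host']} -> {r['ip']}")
```

On a real machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; the script only reports, it does not modify anything, so the list can be compared against the replacement hosts file before it is copied into place.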

  7. #7
    Ruby (former Supermod), The Netherlands

    Re: Ad- & Spyware Specials

    Adware.Istbar

    Last Updated on: May 28, 2005 03:51:53 PM
    Type: Adware
    Name: ISTsvc.exe
    Publisher: Integrated Search Technologies/CDT Inc
    Systems Affected: Windows 2000, 95, 98, Me, NT, Windows Server 2003, XP
    Risk Impact: High

    File names: ISTsvc.exe; IstBar_DH.dll; ysbactivex.dll; sfbho.dll;
    sfexd001; sidefind.dll; istrecover[1].exe; istbar.dll; ysb.dll; istbarcm.dll;
    ISTactivex.dll; istdownload.exe; sidefind.exe; sfsetup.exe; sfbho.dll;
    ysb(2).dll; cmctl.dll; istbarcm.dll; juhpad.exe; ysbactivex(3).dll;
    ysb_regular[1].cab; gjefpet.exe

    To edit your Registry manually:

    Symantec security response

    (You may use Registrar Lite)

    To clean up your System manually:

    To end running tasks and remove files and folders,
    you will have to use Windows Task Manager or Process Explorer.
    You will have to unregister DLLs and use Windows Explorer:

    spyware-removal-guideline.com

    Still need some help:

    eTrust

    Removal-Program:

    Bazooka™

    Bazooka Adware and Spyware Scanner detects ISTBar.
    So when you are able to work with Bazooka™, try it.


  8. #8
    Ruby (former Supermod), The Netherlands

    SurfSideKick

    Adware SurfSideKick

    SurfSideKick and SurfSideKick 3

    Different ways to get rid of it....
    SideKickFix by LonnyRJones

    Great @ LonnyRJones
    Copy of Shadow_Puter_Dude on Major Geeks.com:

    Download the Brute Force Uninstaller
    by Merijn (author of HijackThis).
    (Other mirrors: SpywareInfo, ComputerCops, MajorGeeks)
    (If you need it: ZipGenius is free)
    • Right-click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk ( C: )" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE (http://downloads.subratam.org/Lon/sidekickFix.bat) and choose "Save As" (in IE it's "Save Target As") in order to download SideKickFix by LonnyRJones.

    Save it in the same folder you made earlier (C:\BFU).

    Close ALL open windows & Explorer folders, then double-click on sidekickFix.bat. Click YES and follow the prompts; when prompted to restart the PC, please do so.

    Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.
    Reboot to Normal Mode.
    Post a fresh HijackThis log.

    Source

    Different ways to get rid of it....

    SurfSideKick

    In a HijackThis log we can see:
    R3 - URLSearchHook: (no name) - {000AB005-FF12-42C2-8DF5-39E12E5F9C91} - C:\Program Files\SurfSideKick\SskBho.dll

    O4 - HKLM\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe
    O4 - HKCU\..\Run: [SurfSideKick] C:\Program Files\SurfSideKick\Ssk.exe

    How can we remove it:
    Control Panel > Software > Add/Remove Programs
    Uninstall SurfSideKick.

    Fix all entries in a HijackThis logfile

    Remove the directory: C:\Program Files\SurfSideKick

    Use this .reg file to clean up the registry:
    REGEDIT4

    [-HKEY_CURRENT_USER\Software\SurfSideKick]

    [-HKEY_CLASSES_ROOT\CLSID\{000AB005-FF12-42C2-8DF5-39E12E5F9C91}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf Sidekick_is1]

    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SurfSideKick]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{000AB005-FF12-42C2-8DF5-39E12E5F9C91}]

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SurfSideKick]

    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{000AB005-FF12-42C2-8DF5-39E12E5F9C91}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


    Translated into English from Marckie's Spyware for HijackThis.eu

    ======================

    SurfSideKick 3

    In a HijackThis log we can see:
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O20 - AppInit_DLLs: repairs303169569.dll

    How can we remove it:
    Control Panel > Software > Add/Remove Programs
    Uninstall SurfSideKick 3

    Fix all entries in a HijackThis Logfile

    Remove this directory: C:\Program Files\SurfSideKick 3

    Use the surfsidekick3.reg (surfsidekick3.zip) to clean up your registry:

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02EE5B04-F144-47BB-83FB-A60BD91B74A9}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SurfSideKick]

    [-HKEY_LOCAL_MACHINE\Software\SurfSideKick3]

    [-HKEY_CURRENT_USER\Software\SurfSideKick3]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks]
    "{02EE5B04-F144-47BB-83FB-A60BD91B74A9}"=-

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{02EE5B04-F144-47BB-83FB-A60BD91B74A9}"=-


    With many thanks to Marckie

    Do you need a zip tool? WinZip.


    Need more information to clean up SurfSideKick 3?
    (Choice 2)

    Download the Uninstall Cleaner 1.0 or Starter,
    uninstall SurfSideKick 3:
    locate it and uninstall it.

    Can't fix SurfSideKick 3? Let's choose another way:
    -> ask us.
    Download the surfsidekick3.zip; unzip it to your desktop.
    Double-click surfsidekick3.reg,
    follow the prompts and answer YES / OK when asked whether it may be merged into the registry.

    Make sure you set Windows to show hidden files and folders.

    Shut down all applications and your Internet Explorer.
    Reboot your computer in Safe Mode
    Run HijackThis,
    click Scan and put a check next to these entries:

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O20 - AppInit_DLLs: repairs303169578.dll

    Press the Fix Button.
    Exit HijackThis.

    Delete these files
    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\%windir%\%system%\repairs303169578.dll

    Delete this directory
    C:\Program Files\SurfSideKick 3

    Reboot to Normal Mode.

    Note:
    %windir%, %system% are variables (?).
    By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    Windows XP and ME:
    Turn off System Restore.
    Right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Reboot.
    Turn System Restore Back On.
    Right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    Attached files
    Last edited by Ruby (08.09.2006, 15:06); reason: English Instructions
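
Added example, not code from this thread or from Marckie's .reg files: both SurfSideKick posts above ask the reader to merge a .reg file into the registry, and before double-clicking one downloaded from a forum it is worth knowing exactly which keys it deletes and which values it removes or resets. The script parses the REGEDIT4 format those files use into a list of actions and also spots key paths with a space next to a backslash, which is the line-wrap damage a .reg picks up when copied out of a web page. The sample .reg is constructed for this example with a placeholder all-zero CLSID; the only real value in it is the default Microsoft URLSearchHook CLSID that the first post restores.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the REGEDIT4 format of the .reg files in this thread.
# It contains every line type those files use: a key deletion ([-KEY]),
# a value deletion ("name"=-) and a value that is set back to a default.
# The all-zero CLSID is a placeholder, not a real component.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\ExampleToolbar]

[-HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-0000-0000-0000-000000000000}"=-
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleToolbar]
"""


@dataclass
class RegAction:
    kind: str          # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""     # value name; "@" is the key's default value
    data: str = ""     # raw right-hand side as written in the file


HEADER_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> List[RegAction]:
    """Turn a REGEDIT4 / 5.00 file into the actions importing it would take."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing REGEDIT4 / Version 5.00 header")
    actions: List[RegAction] = []
    current = None                     # key that following value lines belong to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = HEADER_RE.match(line)
        if m:
            if m.group(1) == "-":
                actions.append(RegAction("delete_key", m.group(2)))
                current = None         # values after a deletion would be ignored
            else:
                current = m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            if m.group(3) == "-":
                actions.append(RegAction("delete_value", current, name))
            else:
                actions.append(RegAction("set_value", current, name, m.group(3)))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return actions


def paste_artifacts(actions: List[RegAction]) -> List[str]:
    """Key paths with a space right beside a backslash.

    Key names may contain spaces ("Internet Explorer"), but a space next to a
    path separator is almost always a line-wrap artefact from copying the file
    out of a web page; importing it would create or delete the wrong key."""
    return [a.key for a in actions if " \\" in a.key or "\\ " in a.key]


def summarise(actions: List[RegAction]) -> Dict[str, int]:
    """How many keys are deleted, values deleted and values set."""
    counts = {"delete_key": 0, "delete_value": 0, "set_value": 0}
    for a in actions:
        counts[a.kind] += 1
    return counts


if __name__ == "__main__":
    acts = parse_reg(SAMPLE_REG)
    for a in acts:
        print(a.kind, a.key, a.name, a.data)
    print(summarise(acts), paste_artifacts(acts))
```

Run it against a downloaded .reg before merging it: a list that contains only the toolbar's own keys and the URLSearchHooks reset is what the posts describe, and an empty `paste_artifacts` result means the copy survived the web page intact.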

  9. #9
    Ruby (former Supermod), The Netherlands

    Re: Ad- & Spyware Specials

    AdWare.Look2Me

    In a HijackThis Logfile we can see:
    O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\***0000*0.dll
    (***0000*0 is the random part.)

    For example:
    O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\irr0l59m1.dll
    Please download Look2Me-Destroyer.exe to your desktop.

    * Close all windows before continuing.
    * Double-click Look2Me-Destroyer.exe to run it.
    * Put a check next to Run this program as a task.
    * You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    * When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    * Once it's done scanning, click the Remove L2M button.
    * You will receive a Done Scanning message, click OK.
    * When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    * Your computer will then shutdown.
    * Turn your computer back on.
    * Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

    If you receive a message from your firewall about this program accessing the internet, please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    MSWINSCK.OCX
    Lots of Thanks to Atribune

  10. #10
    Ruby (former Supermod), The Netherlands

    Re: Ad- & Spyware Specials

    Trojan Vundo/Adware Virtumondo (TR/Vundo.Gen)

    In a HijackThis log we can see:
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\*****.dll
    O20 - Winlogon Notify: ***** - C:\WINDOWS\system32\*****.dll
    (***** is the random part.)

    For example:
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\sstqq.dll
    O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
    You can't find these entries in your HijackThis log, but your antivirus has told you that you have TR/Vundo.Gen on your system? Please use the filelist.zip. You may therefore want to read and follow Karl83's instructions.

    Directory of C:\WINDOWS\system32

    C:\WINDOWS\system32\yyxyb.ini
    C:\WINDOWS\system32\yyxyb.bak1
    C:\WINDOWS\system32\yyxyb.bak2
    C:\WINDOWS\system32\yyxyb.ini2
    C:\WINDOWS\system32\yyxyb.tmp

    (yyxyb is the random part.)

    After running VundoFix you will have a logfile (C:\vundofix.txt) similar to this one:
    VundoFix V6.1.2

    Checking Java version...

    Sun Java not detected
    Scan started at 10:37:37 24.08.2006

    Listing files found while scanning....

    C:\WINDOWS\system32\byxyy.dll
    C:\WINDOWS\system32\yyxyb.ini
    C:\WINDOWS\system32\yyxyb.bak1
    C:\WINDOWS\system32\yyxyb.bak2
    C:\WINDOWS\system32\yyxyb.ini2
    C:\WINDOWS\system32\yyxyb.tmp
    C:\WINDOWS\system32\anbxhvqa.exe
    C:\WINDOWS\system32\fejtdbyv.exe
    C:\WINDOWS\system32\hyjtiwou.exe
    C:\WINDOWS\system32\jjscdgdx.exe
    C:\WINDOWS\system32\kmlvbtnk.exe
    C:\WINDOWS\system32\pamnguyt.exe
    C:\WINDOWS\system32\rawyxqbi.exe
    C:\WINDOWS\system32\rvsogqpj.exe
    C:\WINDOWS\system32\sxqncdnn.exe
    C:\WINDOWS\system32\vkrqelyt.exe
    C:\WINDOWS\system32\whyrnhxw.exe
    C:\WINDOWS\system32\wsggavru.exe
    C:\WINDOWS\system32\ygqbqyaw.exe
    C:\WINDOWS\system32\ynwribdq.exe
    C:\WINDOWS\system32\ypuvtrlw.exe

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\byxyy.dll
    C:\WINDOWS\system32\byxyy.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yyxyb.ini
    C:\WINDOWS\system32\yyxyb.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yyxyb.bak1
    C:\WINDOWS\system32\yyxyb.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yyxyb.bak2
    C:\WINDOWS\system32\yyxyb.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yyxyb.ini2
    C:\WINDOWS\system32\yyxyb.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yyxyb.tmp
    C:\WINDOWS\system32\yyxyb.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\anbxhvqa.exe
    C:\WINDOWS\system32\anbxhvqa.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fejtdbyv.exe
    C:\WINDOWS\system32\fejtdbyv.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hyjtiwou.exe
    C:\WINDOWS\system32\hyjtiwou.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jjscdgdx.exe
    C:\WINDOWS\system32\jjscdgdx.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kmlvbtnk.exe
    C:\WINDOWS\system32\kmlvbtnk.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pamnguyt.exe
    C:\WINDOWS\system32\pamnguyt.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rawyxqbi.exe
    C:\WINDOWS\system32\rawyxqbi.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rvsogqpj.exe
    C:\WINDOWS\system32\rvsogqpj.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\sxqncdnn.exe
    C:\WINDOWS\system32\sxqncdnn.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vkrqelyt.exe
    C:\WINDOWS\system32\vkrqelyt.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\whyrnhxw.exe
    C:\WINDOWS\system32\whyrnhxw.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wsggavru.exe
    C:\WINDOWS\system32\wsggavru.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ygqbqyaw.exe
    C:\WINDOWS\system32\ygqbqyaw.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ynwribdq.exe
    C:\WINDOWS\system32\ynwribdq.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ypuvtrlw.exe
    C:\WINDOWS\system32\ypuvtrlw.exe Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.1.2

    Checking Java version...

    Sun Java not detected
    Scan started at 10:47:25 24.08.2006

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.1.2

    Checking Java version...

    Sun Java not detected
    Scan started at 12:58:17 27.08.2006

    Listing files found while scanning....
    Note: Maybe you run another operating system: C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System32 (Windows XP).

    How can we remove this malware?
    • Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions starting from
    • "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Many Thanks to @ Atribune

    Now we can fix possible entries in our HijackThis log using HijackThis.

    Windows XP and ME:
    Turn off System Restore.
    Right-click My Computer > Click Properties > Click the System Restore tab.
    Check Turn off System Restore > Click Apply, and then click OK > Reboot.
    Turn System Restore Back On.
    Right-click My Computer > Click Properties > Click the System Restore tab >
    UN-Check *Turn off System Restore* > Click Apply, and then click OK.
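
Added example, not from any post in this thread: the SurfSideKick, Look2Me and Vundo posts above each show the HijackThis lines a helper looks for (R3 URLSearchHook, O2 BHO, O4 Run, O20 AppInit_DLLs and Winlogon Notify). The script below parses a HijackThis log and flags those entries using the CLSIDs and paths the posts quote. Because the Look2Me and Vundo Winlogon Notify DLLs carry random names, it cannot match them by name; instead it reports any Winlogon Notify handler that is not in an allowlist of the subkeys a default Windows XP install registers. That allowlist is an assumption of this example, and so is the sample log, which is constructed from the entries quoted in the posts plus two ordinary XP entries that must not be flagged.

```python
import re
from typing import List, Tuple

# Constructed HijackThis log excerpt: the SurfSideKick, Look2Me and Vundo
# entries quoted in this thread, plus two ordinary Windows XP entries
# (ctfmon.exe and the crypt32chain Winlogon handler) that must not be flagged.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed excerpt)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\sstqq.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: repairs303169578.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\irr0l59m1.dll
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
"""

# "R3 - ..." / "O20 - ...": HijackThis section code, then the entry body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Fixed indicators, taken from the entries shown in this thread.
SIGNATURES = [
    ("R3", re.compile(r"\{000AB005-FF12-42C2-8DF5-39E12E5F9C91\}|\{02EE5B04-F144-47BB-83FB-A60BD91B74A9\}", re.I),
     "SurfSideKick URLSearchHook"),
    ("O4", re.compile(r"\\SurfSideKick( 3)?\\Ssk\.exe", re.I), "SurfSideKick autostart"),
    ("O20", re.compile(r"^AppInit_DLLs: .*repairs\d+\.dll", re.I), "SurfSideKick 3 AppInit_DLLs entry"),
    ("O2", re.compile(r"\{827DC836-DD9F-4A68-A602-5812EB50A834\}", re.I), "Vundo BHO (MSEvents Object)"),
]

# The Look2Me and Vundo Winlogon Notify DLLs carry random names, so there is
# nothing to match; instead report every Winlogon Notify handler that is not
# one of the subkeys a default Windows XP install registers. This allowlist is
# an assumption of this example, not something the thread states.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
WINLOGON_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")


def parse_log(text: str) -> List[Tuple[str, str]]:
    """(section code, entry body) for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(text: str) -> List[Tuple[str, str, str]]:
    """(section code, entry body, reason) for each entry that needs attention."""
    hits = []
    for code, body in parse_log(text):
        for sig_code, pattern, label in SIGNATURES:
            if code == sig_code and pattern.search(body):
                hits.append((code, body, label))
                break
        else:
            # No fixed indicator matched: apply the Winlogon Notify allowlist.
            m = WINLOGON_RE.match(body) if code == "O20" else None
            if m and m.group(1).lower() not in KNOWN_WINLOGON_NOTIFY:
                hits.append((code, body, "Winlogon Notify handler not in the XP allowlist; review the DLL"))
    return hits


if __name__ == "__main__":
    for code, body, reason in flag_entries(SAMPLE_LOG):
        print(f"{code} - {body}\n    -> {reason}")
```

The allowlist hit is a prompt for review, not a verdict: a third-party product can register its own Winlogon Notify handler, so the DLL it points at still has to be looked up before it is fixed in HijackThis.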
