solutionclass.pws, remove with Spybot S&D but keeps coming b

View previous topic View next topic Go down

Solved solutionclass.pws, remove with Spybot S&D but keeps coming back!

Post by alimmanji on Fri Dec 26, 2008 9:46 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:14 PM, on 12/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Kv4tlkG8.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\Mx1vnmI5.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {eb23bae1-30c1-485a-9e53-3ff2268f3620} - C:\WINDOWS\system32\duhofele.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\goyinoro.dll c:\windows\system32\wanulago.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wanulago.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

--
End of file - 6235 bytes

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Uninstall List

Post by alimmanji on Fri Dec 26, 2008 9:50 pm

µTorrent
3ivx MPEG-4 5.0.1 Decoder (remove only)
7-Zip 4.32
Ad-Aware SE Professional
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Media Player
Adobe Media Player
Adobe Reader 7.0.7
Apple Software Update
Azureus
Better Homes and Gardens Home Designer Suite 6.0
Canon i550
Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA1
Compatibility Pack for the 2007 Office system
GnuWin32: CoreUtils version 5.3.0
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Magic ISO Maker v5.0 (build 0166)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Resource Kit
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
muvee Plugin 1.0
Nero 6 Enterprise Edition
NVIDIA Drivers
O&O Defrag Professional Edition
Pdf995
PENTAX USB DISK Device
Picasa 3
PowerDVD
QuickTime
QuickTime Alternative 1.68
Real Alternative 1.47
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Skype 3.1
Skype Plugin Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB951072-v2)
WebEx
Windows Internet Explorer 7
WinRAR archiver
WinZip 10 Pro

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Belahzur on Fri Dec 26, 2008 10:09 pm

Hello.

Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean.

To disable Ad-Watch:

1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    Active: Switches Monitoring On or Off without closing
    Automatic: Switches Automatic Blocking On or Off
3. Uncheck (red X) both items.


  • Now open HijackThis
  • Choose "Open the Misc Tools section"
  • Press the "Open process manager"
  • Highlight this process line:

    C:\WINDOWS\system32\Kv4tlkG8.exe

  • Press "Kill Process"
  • Press "Yes" to the prompt.
  • Now press the "Main Menu" button
  • This time, choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = [You must be registered and logged in to see this link.]
    O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\Mx1vnmI5.dll
    O2 - BHO: (no name) - {eb23bae1-30c1-485a-9e53-3ff2268f3620} - C:\WINDOWS\system32\duhofele.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\goyinoro.dll c:\windows\system32\wanulago.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wanulago.dll


  • Press "Fix Checked"
  • Close Hijack This.


Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by alimmanji on Fri Dec 26, 2008 11:05 pm

I get the following error box when attempting to kill the Kv4tlkG8 process:

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Belahzur on Fri Dec 26, 2008 11:07 pm

Okay, skip the process killing.
Just do the HJT fix, then run MBAM.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by alimmanji on Fri Dec 26, 2008 11:38 pm

I didn't remove the proxy, I need it for work.

Malwarebytes' Anti-Malware 1.31
Database version: 1551
Windows 5.1.2600 Service Pack 2

12/26/2008 3:37:10 PM
mbam-log-2008-12-26 (15-37-10).txt

Scan type: Quick Scan
Objects scanned: 76820
Time elapsed: 15 minute(s), 50 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 7
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\system32\Kv4tlkG8.exe (Trojan.Clicker) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\goyinoro.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kunologa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vusilina.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\duhofele.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wanulago.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\Mx1vnmI5.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\henebevi.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eb23bae1-30c1-485a-9e53-3ff2268f3620} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{eb23bae1-30c1-485a-9e53-3ff2268f3620} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{eb23bae1-30c1-485a-9e53-3ff2268f3620} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\TypeLib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmeb451a58 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lifilamopi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\goyinoro.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\goyinoro.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\goyinoro.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wanulago.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wanulago.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\wanulago.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vusilina.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\duhofele.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\goyinoro.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kunologa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\Mx1vnmI5.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Kv4tlkG8.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\henebevi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wakepule.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dokajihe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\Mx1vnmI5.dl_ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\jigefuwi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Kv4tlkG8.exe_ (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Kv4tlkG8.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\o31I3J7H.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Belahzur on Fri Dec 26, 2008 11:42 pm

Hello.
Did you reboot after the scan?


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved ComboFix log

Post by alimmanji on Sat Dec 27, 2008 5:38 am

ComboFix 08-12-26.03 - Administrator 2008-12-26 21:33:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.586 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-26 15:14 . 2008-12-26 15:14 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 15:14 . 2008-12-26 15:14 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 15:14 . 2008-12-26 15:14 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-26 15:14 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 15:14 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-21 18:42 . 2008-12-21 18:42 d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-21 18:42 . 2008-12-21 18:42 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-21 18:42 . 2008-12-21 18:42 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-21 18:42 . 2008-12-21 18:42 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-21 11:24 . 2008-12-21 11:24 31,744 --a------ c:\windows\system32\o31I3J7H.exe
2008-12-03 19:12 . 2008-12-03 19:49 d-------- c:\program files\Boilsoft MOV Converter
2008-12-03 13:00 . 2008-12-03 13:00 d-------- c:\windows\system32\IOSUBSYS
2008-11-29 20:06 . 2008-05-01 06:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 05:10 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2008-12-26 21:28 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-25 06:19 --------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2008-12-22 03:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-03 21:00 --------- d-----w c:\program files\Google
2008-11-25 02:02 --------- d-----w c:\program files\Azureus
2008-11-21 20:37 --------- d-----w c:\documents and settings\Administrator\Application Data\Canon
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-17 19:09 --------- d-----w c:\program files\iXi Tools
2008-11-05 17:10 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2008-11-05 17:09 --------- d-----w c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2008-10-28 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-08-11 17:33 60,744 ----a-w c:\documents and settings\Administrator\g2mdlhlpx.exe
2008-04-28 17:36 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-04-28 17:36 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-08 20:09 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-04-28 17:36 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-09-26 06:19 69,632 --sha-w c:\windows\system32\bizijeju.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-03-30 25263144]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 517632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-02-18 6144]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-12-31 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2006-09-08 12:29 24686 c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2006-09-08 2234320]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2006-09-08 36464]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [2006-09-08 109232]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2006-09-08 671472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee1b8915-c400-11dc-a4f3-0015f25a1f76}]
\Shell\AutoRun\command - g:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - g:\system\viewer\FlipVideoforPC.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\At1.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At10.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At11.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At12.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At13.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At14.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At15.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At16.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-27 c:\windows\Tasks\At17.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-27 c:\windows\Tasks\At18.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-27 c:\windows\Tasks\At19.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At2.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-27 c:\windows\Tasks\At20.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At21.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At22.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At23.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At24.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At25.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At26.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At27.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At28.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At29.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At3.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At30.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At31.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At32.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At33.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At34.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At35.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At36.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At37.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At38.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At39.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At4.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At40.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-27 c:\windows\Tasks\At41.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-27 c:\windows\Tasks\At42.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-27 c:\windows\Tasks\At43.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-27 c:\windows\Tasks\At44.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At45.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At46.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At47.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At48.job
- c:\windows\system32\Kv4tlkG8.exe []

2008-12-26 c:\windows\Tasks\At5.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At6.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At7.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At8.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-26 c:\windows\Tasks\At9.job
- c:\windows\system32\o31I3J7H.exe [2008-12-21 11:24]

2008-12-27 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-19 18:58]

2007-04-21 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 16:32]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-26 21:34:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-26 21:35:31
ComboFix-quarantined-files.txt 2008-12-27 05:35:08

Pre-Run: 5,650,284,544 bytes free
Post-Run: 6,222,262,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

251 --- E O F --- 2008-12-02 06:47:39

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Belahzur on Sat Dec 27, 2008 1:29 pm

Hello.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :processes
    explorer.exe

    :files
    c:\windows\system32\o31I3J7H.exe
    c:\windows\system32\Kv4tlkG8.exe
    c:\windows\Tasks\At*.job

    :reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee1b8915-c400-11dc-a4f3-0015f25a1f76}]

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by alimmanji on Sat Dec 27, 2008 6:42 pm

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\system32\o31I3J7H.exe moved successfully.
c:\windows\system32\Kv4tlkG8.exe moved successfully.
c:\windows\Tasks\At1.job moved successfully.
c:\windows\Tasks\At10.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At14.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At16.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At18.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At2.job moved successfully.
c:\windows\Tasks\At20.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At22.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At24.job moved successfully.
c:\windows\Tasks\At25.job moved successfully.
c:\windows\Tasks\At26.job moved successfully.
c:\windows\Tasks\At27.job moved successfully.
c:\windows\Tasks\At28.job moved successfully.
c:\windows\Tasks\At29.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At30.job moved successfully.
c:\windows\Tasks\At31.job moved successfully.
c:\windows\Tasks\At32.job moved successfully.
c:\windows\Tasks\At33.job moved successfully.
c:\windows\Tasks\At34.job moved successfully.
c:\windows\Tasks\At35.job moved successfully.
c:\windows\Tasks\At36.job moved successfully.
c:\windows\Tasks\At37.job moved successfully.
c:\windows\Tasks\At38.job moved successfully.
c:\windows\Tasks\At39.job moved successfully.
c:\windows\Tasks\At4.job moved successfully.
c:\windows\Tasks\At40.job moved successfully.
c:\windows\Tasks\At41.job moved successfully.
c:\windows\Tasks\At42.job moved successfully.
c:\windows\Tasks\At43.job moved successfully.
c:\windows\Tasks\At44.job moved successfully.
c:\windows\Tasks\At45.job moved successfully.
c:\windows\Tasks\At46.job moved successfully.
c:\windows\Tasks\At47.job moved successfully.
c:\windows\Tasks\At48.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At6.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At8.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee1b8915-c400-11dc-a4f3-0015f25a1f76}\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_QgO8r9KTaNvLA6FeAm43 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12272008_091156

Files moved on Reboot...
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_QgO8r9KTaNvLA6FeAm43 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\XUL.mfl moved successfully.

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Belahzur on Sat Dec 27, 2008 6:44 pm

Hello.
Please delete these folders in bold:
C:\Qoobox
C:\_OTMoveIt

What problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by alimmanji on Sat Dec 27, 2008 7:06 pm

deleted the two directories

solutionclass.pws still shows up in spybot

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Belahzur on Sat Dec 27, 2008 7:07 pm

Do you know where is it finding it?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by alimmanji on Sat Dec 27, 2008 7:11 pm

This is what it says in SpyBot

SolutionClass.pws: [SBI $ADC1DB9D] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}

SolutionClass.pws: [SBI $395AA27E] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}

SolutionClass.pws: [SBI $2AEDE623] Class ID (Registry value, nothing done)
HKEY_CLASSES_ROOT\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\InprocServer32\=...C:\WINDOWS\system32\Mx1vnmI5.dll...

Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Belahzur on Sat Dec 27, 2008 7:14 pm

Hello.
We'll use OTMoveIt again.


  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :processes
    explorer.exe

    :files
    c:\windows\system32\o31I3J7H.exe
    C:\WINDOWS\system32\Mx1vnmI5.dll

    :reg
    [-HKEY_CLASSES_ROOT\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by alimmanji on Sat Dec 27, 2008 7:18 pm

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder c:\windows\system32\o31I3J7H.exe not found.
C:\WINDOWS\system32\Mx1vnmI5.dll unregistered successfully.
C:\WINDOWS\system32\Mx1vnmI5.dll moved successfully.
========== REGISTRY ==========
Registry key HKEY_CLASSES_ROOT\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_zbkncuRTgV9RE4LeJuw0 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12272008_111553

Files moved on Reboot...
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_zbkncuRTgV9RE4LeJuw0 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\5aup41wq.default\urlclassifier3.sqlite moved successfully.

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Belahzur on Sat Dec 27, 2008 7:21 pm

Hello.
Does Spybot still find it now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by alimmanji on Mon Dec 29, 2008 4:44 am

confirmed, spybot no longer finds solutionclass.pws

Thank you!!

alimmanji
Novice
Novice

Status :
Online
Offline

Posts Posts : 10
Joined Joined : 2008-12-26
OS OS : Windows XP Pro

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Belahzur on Mon Dec 29, 2008 1:05 pm

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: solutionclass.pws, remove with Spybot S&D but keeps coming b

Post by Doctor Inferno on Sat Feb 14, 2009 3:57 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 12017
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum