0

Hi DMR, I have posted the logs below, the safe mode one being the first. Something I found quite interesting was when I turned on my computer I double-clicked the SpyHealFix.reg, added it to the registry (like I did before), then scanned with ewido. This found no trace of the infection, but when I rebooted and re-scanned the same old virus was there yet again. Is there somewhere else I should store the reg fix???


ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 09:55:09 18/08/2006
+ Scan result:

HKLM\SYSTEM\ControlSet006\Services\HTTP -> Adware.SpyHeal : Cleaned.
HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters -> Adware.SpyHeal : Cleaned.
HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters\SslBindingInfo -> Adware.SpyHeal : Cleaned.
HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters\UrlAclInfo -> Adware.SpyHeal : Cleaned.
HKLM\SYSTEM\ControlSet006\Services\HTTP\Security -> Adware.SpyHeal : Cleaned.

::Report end

ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:51:56 18/08/2006
+ Scan result:

HKLM\SYSTEM\ControlSet006\Services\HTTP -> Adware.SpyHeal : Cleaned.
HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters -> Adware.SpyHeal : Cleaned.
HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters\SslBindingInfo -> Adware.SpyHeal : Cleaned.
HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters\UrlAclInfo -> Adware.SpyHeal : Cleaned.
HKLM\SYSTEM\ControlSet006\Services\HTTP\Security -> Adware.SpyHeal : Cleaned.

::Report end

0

What you're describing is what I've thought was happening: something is restoring the unwanted registry entries when you reboot. What you're doing is correct, we're just not seeing whatever is responsible for restoring the entries. I thought it might be the System Restore feature, which is why I had you disable it. I'll have to ask some of the other malware gurus if they've got any suggestions...

0

Sorry again for the delay in my response; school started this week, so it's been a little hectic.

1. Please open a blank new text document in Windows Notepad and copy and paste the lines in bold below (and only the lines in bold) into the document:

reg query HKEY_LOCAL_MACHINE\SYSTEM >>"%userprofile%"\desktop\RegQuery.txt
reg query HKEY_LOCAL_MACHINE\SYSTEM\Select >>"%userprofile%"\desktop\RegQuery.txt
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP >>"%userprofile%"\desktop\RegQuery.txt
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Parameters >>"%userprofile%"\desktop\RegQuery.txt
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Parameters\SslBindingInfo >>"%userprofile%"\desktop\RegQuery.txt
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Parameters\UrlAclInfo >>"%userprofile%"\desktop\RegQuery.txt
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Security >>"%userprofile%"\desktop\RegQuery.txt

Name the file SpyHealRegQuery.bat and save the file to your desktop.


2. Double-click on SpyHealRegQuery.bat to run it.
Not much will happen, although you may see a DOS window flick up on your screen very briefly.

When the file is finished running, a new file named RegQuery.txt will appear on your desktop. Double-click on RegQuery.txt to open it in Notepad, select the entire contents of the file, and paste those contents into your next post here.

0

Hi DMR, here's the report as requested:

! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006
HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
HKEY_LOCAL_MACHINE\SYSTEM\Select
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\WPA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\Select
Current REG_DWORD 0x5
Default REG_DWORD 0x5
Failed REG_DWORD 0x3
LastKnownGood REG_DWORD 0x6
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP
DisplayName REG_SZ HTTP
Description REG_SZ This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start.
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ System32\Drivers\HTTP.sys
Start REG_DWORD 0x3
Type REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Security
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Parameters\SslBindingInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Parameters\UrlAclInfo
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Parameters\SslBindingInfo
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Parameters\UrlAclInfo
http://*:2869/ REG_BINARY 010004800000000000000000000000001400000002001C00010000000000140000000020010100000000000513000000
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\HTTP\Security
Security REG_BINARY 01001480B8000000C4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020088000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD0102000102000000000005200000002302000000001400140000000101000000000005040000000000140014000000010100000000000506000000010100000000000512000000010100000000000512000000
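
Added example (not code from this thread): the Select values in the dump above (Current = 0x5, LastKnownGood = 0x6) say which ControlSetNNN is actually in use, and every ewido detection sits in ControlSet006, the LastKnownGood set, which Windows rewrites from the current set after each successful logon. This Python script parses that output and flags detections that live only in LastKnownGood, and rewrites them to the current set so the same key can be queried there; the function names are my own.

```python
import re

# Constructed sample: the Select lines from the RegQuery.txt posted above.
SELECT_OUTPUT = """! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\\SYSTEM\\Select
Current REG_DWORD 0x5
Default REG_DWORD 0x5
Failed REG_DWORD 0x3
LastKnownGood REG_DWORD 0x6
"""

# Constructed sample: three of the paths ewido reported as cleaned.
DETECTIONS = [
    r"HKLM\SYSTEM\ControlSet006\Services\HTTP",
    r"HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters",
    r"HKLM\SYSTEM\ControlSet006\Services\HTTP\Security",
]

ROLE_RE = re.compile(r"^(Current|Default|Failed|LastKnownGood)\s+REG_DWORD\s+0x([0-9a-fA-F]+)$")
SET_RE = re.compile(r"\\(ControlSet\d{3})\\")


def parse_select(text):
    """Map each role under HKLM\\SYSTEM\\Select to its ControlSetNNN key."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_RE.match(line.strip())
        if m:
            roles[m.group(1)] = "ControlSet%03d" % int(m.group(2), 16)
    return roles


def classify(path, roles):
    """Return the sorted roles of the control set a registry path lives in."""
    if "\\CurrentControlSet\\" in path + "\\":
        target = roles["Current"]  # CurrentControlSet is a link to the Current set
    else:
        m = SET_RE.search(path + "\\")
        if not m:
            return []
        target = m.group(1)
    return sorted(role for role, cs in roles.items() if cs == target)


def volatile_detections(detections, roles):
    """Detections only in LastKnownGood are re-created from the current set at
    the next successful logon, so cleaning them there alone does not stick."""
    return [p for p in detections
            if "LastKnownGood" in classify(p, roles) and "Current" not in classify(p, roles)]


def current_equivalent(path, roles):
    """Rewrite a path into the control set in use, to check the same key there."""
    return SET_RE.sub(lambda m: "\\" + roles["Current"] + "\\", path + "\\").rstrip("\\")
```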

0

Hi DMR, have we any idea how to sort out my internet connection, or do we have to clean the system first?

0

Let's kill the SpyHeal entries first. Please do the following:

* Download SpyHealRegRemove.zip and save it to your desktop or another convenient folder.

* Right-click on the file and choose "Extract All..." from the drop-down menu.

* Follow the file-extraction wizard's prompts to unzip the SpyHealRegRemove.bat script file.

* Double-click on SpyHealRegRemove.bat and follow the prompts to run the script. Your computer will automatically reboot when the script completes.

* Once the computer has rebooted, run ewido again, and post the new log.

0

Thanks DMR for your help, it's much appreciated. I'll try that this evening.

0

I think it's fair to say you are a genius DMR as the Adware.SpyHeal appears to be no more :D. I scanned twice (rebooting twice also before scanning) and it seems my system is clean and rid of this horrible infection. Thanks for your help DMR, here is the report below:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 17:01:42 25/08/2006
+ Scan result:

Nothing found.

::Report end

Thanks again DMR hopefully you can help me sort my internet connection??

P.S. Is it ok to put system restore back on DMR?

0

I think it's fair to say you are a genius DMR as the Adware.SpyHeal appears to be no more :D.

lol. I don't know about the "genius" part, but I'm glad I was able to help. Good work on your part as well- this went a bit "above and beyond" the usual spyware cleaning procedures. :)

As for the network problem, let's start with the baseline stuff. Please post as many details on the problem as possible: problem history, exact symptoms (error messages, browser behaviours, etc.), details of any troubleshooting steps you've tried so far, and any other info that might be helpful.

0

We nearly hit a googlewhack DMR with Adware.SpyHeal, I take my hat off to you man :D.

Main problem DMR is "network adapter error" when I try to re-install the CD (before that "page cannot be found"). Does this make sense to you mate?

0

Main problem DMR is "network adapter error" when I try to re-install the CD (before that "page cannot be found"). Does this make sense to you mate?

Yeah; I think so. Do the following:

* Right-click on the My Computer icon on your desktop and choose Properties from the resulting context menu.
* In the Properties window, click on the Hardware tab.
* In the Hardware tab, click on the Device Manager button.
* Under the Network Adapters heading, note the exact name of your network device. Also note whether or not it is marked with a Red "X" or a Yellow exclamation point. Post that info in your next reply.
* Double-click on that device entry and post the information listed in the General tab of the device's Properties window.
* In addition to the above information, please attach two lovely Glaswegian wenches.

0

Hi DMR, I clicked Device Manager then Network Adapters; the sub-heading is as follows: Intel(R) PRO/100 Network Connection.

There is a yellow exclamation mark beside VAXSCSI Controller. I'm not sure if this is relevant?

P.S. Two lovely-ish Glasgow wenches en route on one of Glasgow's finest rubber dinghies!! Should be with you in about 3 weeks.

0

P.S. Two lovely-ish Glasgow wenches en route on one of Glasgow's finest rubber dinghies!! Should be with you in about 3 weeks.

Hmm... the "3 weeks" part I can deal with, but the "ish" bit in "lovely-ish" has me a bit worried.... :mrgreen:

There is a yellow exclamation mark beside VAXSCSI Controller. I'm not sure if this is relevant?

That will be a different issue, but double-click on the SCSI controller's entry to bring up its Properties window and note the information listed in the "Device Status" section of the General properties tab.

For that matter, do the same for the Intel(R)PRO/100 Network Connection entry. The Device Status should say: "This device is working properly"; If it says something else, post that info.

More baseline info gathering:

* Click on the "Run..." option in your Start menu.
* In the "Open:" box of the resulting window, type "cmd" (omit the quotes) and hit Enter. This will bring up a DOS window.
* At the DOS prompt, type the following command and then hit Enter. You won't see any result from the command, but when it completes, a second prompt with a flashing cursor will be displayed; close the DOS box once that happens:
ipconfig /all >"%userprofile%"\desktop\ipconfig.txt

The above command will have created a text file on your desktop named ipconfig.txt; double-click on the file to open it in Notepad, and then cut-n-paste the file's contents in your next post here. The contents of the file will give us some important details of your IP configuration.

0

Hi DMR, when I click on Properties on VAXSCSI Controller the message reads: Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39).
It then asks me to troubleshoot, but I have tried this to no avail.

Intel(R)PRO/100 Network Connection is working properly DMR.

ipconfig.txt is below:

Windows IP Configuration

Host Name . . . . . . . . . . . . : Chopper
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : Yes

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-12-3F-B0-36-2B

Thanks DMR.

0

Incidentally DMR, I use a USB cable to connect to my cable modem and not Ethernet; again, not sure if this info is relevant.

0

Hi DMR, how's it going? Any ideas on how to get back online again?

0

Hmmm.... is it possible to connect the computer and modem via an Ethernet cable? That's usually a more reliable connection overall, and it would be easier to troubleshoot as well, given our long-distance relationship. :mrgreen:

Also- please post the make & model # of the modem.

0

Hi DMR, thanks for replying. Yes, it is possible to connect with the Ethernet. It's a cable modem from NTL, model number E08C007.

0

* Turn off the computer and modem.
* Unplug the USB cable.
* Connect the two with an Ethernet cable.
* Turn the modem on and wait until it goes through its power-up initialization routine.
* Turn on the computer; wait until all of your startup programs, etc. have fully loaded up.
* Perform the following steps again:

* Click on the "Run..." option in your Start menu.
* In the "Open:" box of the resulting window, type "cmd" (omit the quotes) and hit Enter. This will bring up a DOS window.
* At the DOS prompt, type the following command and then hit Enter. You won't see any result from the command, but when it completes, a second prompt with a flashing cursor will be displayed; close the DOS box once that happens:
ipconfig /all >"%userprofile%"\desktop\ipconfig.txt

The above command will have created a text file on your desktop named ipconfig.txt; double-click on the file to open it in Notepad, and then cut-n-paste the file's contents in your next post here. The contents of the file will give us some important details of your IP configuration.

0

Thanks DMR, I'll do as you requested and post the results this evening.

0

Hi DMR, here is the log as requested:

Windows IP Configuration

Host Name . . . . . . . . . . . . : Chopper
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-12-3F-B0-36-2B
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 62.252.128.22

0

We're partially there- 62.252.128.22 is the address of an NTL DHCP server, but the server doesn't appear to have assigned you any IP configuration info (address, mask, gateway IP). I'm not familiar with the way NTL does things, but you may have to use their setup software in order to validate yourself as a registered customer. Try running the NTL install CD again now that you at least seem to have a working network connection.

0

Hi DMR, thanks again for replying. I have tried to reinstall the NTL CD but I keep getting the "network adapter error" message.
