Guest
Hello all, I'm at the end of my wits. I thought I'd give MWAS a spin and see
how it went. It seemed to quite handily find and remove 10 items. However,
after rebooting as instructed, I get the "Windows Explorer has encountered a
problem and needs to close. We are sorry for the inconvenience." message.
It appears every 15 or so seconds. I can still access the internet,
everything seems to be working, but I get Dr. Watson every 15 seconds or so,
my system hangs for about 20 seconds and then closes all the windows, except
for Internet Explorer (which is why I am able to write this).
This ONLY started happening after using MWAS. I even tried repairing Windows
today to no avail. Below I have listed the Scan Log. Perhaps something was
deleted that shouldn't have been?
Incidentally, here is the info from the error report:
AppName: explorer.exe AppVer: 6.0.2900.2180 ModName: unknown
ModVer: 0.0.0.0 Offset: 00000000
Helpful, huh?
Please, oh please help me? To make matters worse, it appears I had System
Restore off... it was off from the last time I tried to remove a malicious
piece of spyware and forgot to turn it back on.
Thank you in advance,
Damian
Spyware Scan Details
Start Date: 11/4/2005 1:14:38 PM
End Date: 11/4/2005 1:17:17 PM
Total Time: 2 mins 39 secs
Detected Threats
MediaTickets CDT Spyware more information...
Details: Mediatickets is a spyware program that displays advertisements,
reduces the security settings for the Trusted Sites zone in Internet
Explorer, and attempts to fraudulently install trusted publishers.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.
Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 ppcimdnnnjbeahepfabjipfginloedkg egckak
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 goicfboogidikkejccmclpieicihhlpo bihgbp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 goicfboogidikkejccmclpieicihhlpo ejemdn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx .Owner {9EB320CE-BE1D-4304-A081-4B4665414BEF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx {9EB320CE-BE1D-4304-A081-4B4665414BEF}
IE Trusted Zone Hijack Spyware more information...
Details: IE Trusted Zone Hijack is a spyware related Web site that is added
to your Internet Explorer Trusted Zones.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windupdates.com
Trojan.Thun Trojan more information...
Details: Trojan.Downloader.Thun disables the Windows Firewall and changes
the computer security settings to download and allow other malicious software.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.
Infected files detected
C:\Documents and Settings\Damian\Local Settings\Temp\pi.sys
C:\WINDOWS\system32\thn.dll
C:\WINDOWS\system32\thn32.dll
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {0656A137-B161-CADD-9777-E37A75727E78}
Trojan.vxgame Trojan more information...
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.
Infected files detected
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\system\svchost.exe
Trojan.Abwiz.B Trojan more information...
Details: Trojan.Abwiz.B is a backdoor Trojan that allows the remote attacker
to perform various malicious actions on the compromised computer.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.
Infected files detected
C:\WINDOWS\system32\~update.exe
C:\WINDOWS\system32\latest.exe
C:\WINDOWS\system32\win32.exe
PdPinch Password Stealer more information...
Details: Searches for passwords from various products and emails them to a
preconfigured email address.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.
Infected files detected
c:\windows\sys243.exe
c:\windows\sys244.exe
c:\windows\sys245.exe
Hijacker.Allstar Browser Modifier more information...
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.
Infected files detected
C:\Documents and Settings\Damian\Local Settings\Temp\go.exe
C:\Documents and Settings\Damian\Local Settings\Temp\pps.exe
C:\WINDOWS\system32\rch.dll
C:\WINDOWS\system32\rch32.dll
C:\WINDOWS\system32\rdrlib.dll
Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_CLASSES_ROOT\clsid\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 C:\WINDOWS\System32\rch.dll
HKEY_CLASSES_ROOT\clsid\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {03B1C4D9-BC71-8916-38AD-9DEA5D213614}
Trojan.Downloader.dls Trojan Downloader more information...
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.
Infected files detected
C:\WINDOWS\system32\bre.dll
C:\WINDOWS\system32\bre32.dll
Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_CLASSES_ROOT\clsid\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 C:\WINDOWS\System32\bre.dll
HKEY_CLASSES_ROOT\clsid\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {203B1C4D9-BC71-8916-38AD-9DEA5D213614}
Trojan.Downloader.msole32 Trojan Downloader more information...
Details: Trojan.Downloader.msole32 attempts to download several files, many
of which are installers for various products such as antivirus-gold,
spysheriff and spywareno.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run winlogon.exe
Popuper Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss
of computer control, and should be removed unless knowingly installed.
Infected files detected
C:\WINDOWS\popuper.exe
Detected Spyware Cookies
No spyware cookies were found during this scan.
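Explorer's SharedTaskScheduler key lists COM objects that explorer.exe instantiates at startup, so when Explorer starts crashing right after a cleanup, the first thing to check is which of those entries the scan touched and whether the matching HKEY_CLASSES_ROOT\clsid registration was removed in the same pass. The script below is an added example, not part of the post or of the MWAS product: it parses the scan-log layout quoted above (threat name, "Infected files detected", "Infected registry keys/values detected") and cross-references the two kinds of registry entry. The embedded log excerpt is constructed from two threats in the post, with one item per line.

```python
import re

# Constructed excerpt of an MWAS scan log in the layout quoted in the post
# (two threats copied from the log above, not a new scan; one item per line).
SAMPLE_LOG = r"""
Trojan.Thun Trojan more information...
Status: Removed
Infected files detected
C:\WINDOWS\system32\thn.dll
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {0656A137-B161-CADD-9777-E37A75727E78}
Hijacker.Allstar Browser Modifier more information...
Status: Removed
Infected files detected
C:\WINDOWS\system32\rch.dll
Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_CLASSES_ROOT\clsid\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 C:\WINDOWS\System32\rch.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {03B1C4D9-BC71-8916-38AD-9DEA5D213614}
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
MARKER = "more information..."          # suffix the log puts after every threat name

def parse_log(text):
    """Group the log into threats, each with its removed files and registry items.
    Lines wrapped by the forum must be rejoined first; one item per line is assumed."""
    threats, current, section = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(MARKER):                       # "<name> more information..."
            current = {"name": line[:-len(MARKER)].strip(), "files": [], "keys": []}
            threats.append(current)
            section = None
        elif line == "Infected files detected":
            section = "files"
        elif line == "Infected registry keys/values detected":
            section = "keys"
        elif line.startswith(("Status:", "Details:", "Severe", "High")):
            section = None                              # descriptive text, not an item
        elif current and section and line:
            current[section].append(line)
    return threats

def explorer_load_points(threats):
    """For every CLSID removed from Explorer's SharedTaskScheduler key, report which
    threat removed it and whether its HKEY_CLASSES_ROOT registration went with it."""
    removed_clsids, load_points = set(), {}
    for t in threats:
        for key in t["keys"]:
            guid = GUID_RE.search(key)
            if not guid:
                continue
            if key.upper().startswith("HKEY_CLASSES_ROOT\\CLSID\\"):
                removed_clsids.add(guid.group().upper())
            elif "SharedTaskScheduler" in key:
                load_points[guid.group().upper()] = t["name"]
    return {g: {"threat": n, "clsid_removed": g in removed_clsids}
            for g, n in load_points.items()}
```

On the two-threat excerpt the Trojan.Thun entry comes back with clsid_removed False, meaning the scan log records no matching CLSID key removal for it, which is the kind of leftover worth inspecting (or restoring from a backup of the key) before anything else.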