Zestyfind popups

Discussion in 'adware, spyware & hijack cleaning' started by almondwine, May 24, 2004.

Thread Status:
Not open for further replies.
  1. almondwine

    almondwine Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    I am experiencing a number of problems with popup full-screen windows that I cannot seem to get rid of. They open a new browser window and direct it to zestyfind.com, download.popularscreensavers.com, and several others. They also ask to accept certificates from random publishers such as Fun Web, Inc. I have ran the newest versions of Adaware, Spybot, and HijackThis. I have not found anything that works as of yet.

    Note - Zestyfind is NOT commandeering my homepage, nor are any of the registry keys that Symantec's website says are indicative of Zestygind present in my registry. Zestyfind's trademark file, msg117.dll, is also absent. Nevertheless, Zestyfind.com is the most common webpage to pop up in randomly occurring new browser windows.

    Thank for for your help.

    My Hijackthis log is as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:58:08 AM, on 5/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\cisvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINNT\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\WINNT\System32\notepad.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginia.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gatewaybiz.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.20\lexbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
    O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083706832235
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/28982639f9cf96b28705/netzip/RdxIE601.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37834.024537037
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi almondwine,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in. These would now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O4 - Startup: PowerReg Scheduler.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/28982639f9cf96b28705/netzip/RdxIE601.cab

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    Then reboot.

    msg117.dll has long been replaced by random variants.
    Download:
    http://download.broadbandmedic.com/VbStuff/VX2Finder.exe

    Click on the *Click to find VX2 files* button and post the contents please along with a fresh HijackThis scan.

    Regards,

    Pieter
     
  3. almondwine

    almondwine Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Thanks for the help. The first time I rebooted after fixing the selected items, I got an error message saying that the system had recovered from a 'serious error' and sent the error log to Redmond. I rebooted again with the same browser windows and programs open, and nothing happened.

    Also, the VX2 link you have is bad. I had to go to the main page and follow the appropriate links - it appears that they've moved the download site into a cgi-bin server.

    Thanks again for your help.

    The new Hijackthis log is as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:03:16 PM, on 5/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\cisvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\ZestyFind\VX2Finder.exe
    C:\Documents and Settings\Administrator\Desktop\ZestyFind\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginia.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gatewaybiz.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.20\lexbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
    O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083706832235
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37834.024537037
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab

    The VX2 finder log is as follows:

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINNT\System32\6ao4svc.dll
    C:\WINNT\System32\6bo4svc.dll
    C:\WINNT\System32\6eo4svc.dll
    C:\WINNT\System32\6go4svc.dll
    C:\WINNT\System32\6io4svc.dll
    C:\WINNT\System32\6jo4svc.dll
    C:\WINNT\System32\6ko4svc.dll
    C:\WINNT\System32\6mo4svc.dll
    C:\WINNT\System32\6oo4svc.dll
    C:\WINNT\System32\6ro4svc.dll
    C:\WINNT\System32\6so4svc.dll
    C:\WINNT\System32\6uo4svc.dll
    C:\WINNT\System32\6vo4svc.dll
    C:\WINNT\System32\6wo4svc.dll
    C:\WINNT\System32\6xo4svc.dll
    C:\WINNT\System32\6yo4svc.dll
    C:\WINNT\System32\afctres.dll
    C:\WINNT\System32\ailui.dll
    C:\WINNT\System32\aotiveds.dll
    C:\WINNT\System32\araamon.dll
    C:\WINNT\System32\asledit.dll
    C:\WINNT\System32\avlui.dll
    C:\WINNT\System32\axctres.dll


    Guardian Key--- is called: GuardianYNGRN
    Asynchronous 000
    DllName C:\WINNT\system32\asledit.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {8FD0AC68-BAC0-4580-81DD-7BF5496E1A51}
    IDex DS3

    User Agent String---
    {8FD0AC68-BAC0-4580-81DD-7BF5496E1A51}
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi almondwine,

    Better print this and stay off the net until all files are deleted (after the second reboot)

    Open VX2Finder it and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that)

    After that last file is gone go to
    Start > run > type regedit > ok and in the Registry Editor navigate to :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianYNGRN

    (Note : the five letters in caps at the end may have changed [YNGRN ] but it will still start with Guardian)

    Right click on the Guardiano_O?? key and select delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > yes to confirm delete.
    and then Restore Policy

    Exit and reboot.

    Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here.

    Regards and good luck,

    Pieter
     
  5. almondwine

    almondwine Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    OK I was able to delete all of the files but one, C:\WINNT\System32\asledit.dll. VX2FINDER opens a dialogue box saying only "Can't Delete This One." I tried to open the GAURDIAN(X) key and turn open up all the permissions, but that didn't work. I tried deleting the gaurdian key and then deleting asledit.dll, but that didn't work. Finally, I tried deleting the GAURDIAN(X) key and rebooting, but not having deleted asledit.dll, the key was back in the registry when I rebooted. Naturally, all this was done while offline. It seems that I can't delete all the files and can't proceed to the User Agent$ stage without having deleted all the files.

    EDIT: I tried deleting the file through the command prompt and also through the explorer, and was told it was in use by a process. I ended all the user-initiated processes and met the same result. I can only assume it's working under the aegis of a system process that I can't end.

    I've posted the most recent log below:

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINNT\System32\asledit.dll


    Guardian Key--- is called: GuardianASOLY
    Asynchronous 000
    DllName C:\WINNT\system32\asledit.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {8FD0AC68-BAC0-4580-81DD-7BF5496E1A51}
    IDex DS3

    User Agent String---
    {8FD0AC68-BAC0-4580-81DD-7BF5496E1A51}

    EDIT: I tried deleting the file through the command prompt and also through the explorer, and was told it was in use by a process. I ended all the user-initiated processes and met the same result. I can only assume it's working under the aegis of a system process that I can't end.
     
    Last edited: May 24, 2004
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Please try this.

    Stop as many programs as possible while offline

    Start a Command Prompt.

    Use CD .. until you are at C:\
    then type these commands (followed by ENTER)
    cd windows
    cd system32

    Then bring up taskmanager and end all instances of explorer.exe
    Then in the command prompt again
    del asledit.dll
    After confirmation:
    explorer.exe

    Then try and remove the Guardian key and see if it is permanent this time.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.