#1
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
Hi,

I would appreciate any help with clearing the LSA problem being reported by Spybot S&D. Spybot is unable to fix this problem. It suggested rebooting the PC and running it at startup, but even that did not clear it. I have gone through the spybot/lsa thread here, and my problem is the same as reported in it: http://www.techsupportforum.com/comp...c/72003-1.html

I have gone through the sticky notes and have tried to follow the suggestions mentioned there.

1. I have run AVG Free Edition and Trendmicro online AV scan but these did not find anything.
2. I have scanned with TMAS and it fixed some problems but it did not report the LSA problem reported by Spybot. (Is this strange?)
3. I have run HJT and the KRC HJTLog analyzer. I am including the output of the KRC HJTLog analyzer.

Please let me know if I am missing something. Any help would be really appreciated. Thanks to all the volunteer community for helping us all.

----------
I have Windows XP with SP1.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:42:57 AM, on 11/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\UpdDlg.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{440CC0EC-2741-4E5F-80B3-E2603084D3A5}: NameServer = 202.144.105.4,202.144.10.50
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\myRmProt3.0.0.624.dll
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Last edited by dhammaguest; 11-19-2005 at 07:53 AM. Reason: Spelling correction and for providing more details
#2
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista
Hello dhammaguest,

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip and unzip it to its own folder.

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As... Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

---------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Run a scan in HijackThis. Check each of the following if they still exist:
Note: Make sure all other windows/browsers are closed.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Click 'Fix Checked' and close HijackThis.

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

From Normal Mode:
Run Startdreck and configure it as follows:
Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread along with a new HijackThis log and the log from SilentRunners.
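Added example (not part of this thread and not HijackThis' own code): a small parser for the HJT log format the thread revolves around, plus the checks a log reviewer runs first, including the two "Related" O9 entries the reply above asks to fix. The sample lines are copied from the log posted in #1; the expected resolver list passed to `review()` is an assumed value you would fill in from the ISP's actual DNS assignment.

```python
"""Parse HijackThis (HJT) log entries and pull out the items a reviewer checks first."""
import re
from dataclasses import dataclass
from typing import Dict, List

# One HJT entry per line: "<class> - <body>",
# e.g. "O9 - Extra button: Related - {CLSID} - C:\WINDOWS\web\related.htm"
LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    kind: str    # entry class such as "O2", "O9", "O17"
    body: str    # text after the "O9 - " prefix
    clsid: str   # first {GUID} on the line, "" if none
    target: str  # last " - " separated field: the file or URL that gets loaded, "" if none


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return the R/F/O entries from an HJT log; headers and the process list are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        clsid = CLSID_RE.search(body)
        target = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
        entries.append(HjtEntry(kind, body, clsid.group(0) if clsid else "", target))
    return entries


def review(entries: List[HjtEntry], expected_dns: List[str]) -> Dict[str, List[str]]:
    """Apply the checks a log reviewer runs first.

    dns:        O17 NameServer addresses not in expected_dns (the resolvers the ISP
                actually assigned; an assumed list supplied by the caller)
    activex:    O16 ActiveX controls that were installed from a remote URL
    ie_buttons: the "Related"/"Show Related Links" O9 entries the reply asks to fix
    bho:        every Browser Helper Object, listed for manual verification
    """
    findings: Dict[str, List[str]] = {"dns": [], "activex": [], "ie_buttons": [], "bho": []}
    for e in entries:
        if e.kind == "O17" and "NameServer" in e.body:
            servers = e.body.split("=", 1)[1].replace(" ", "").split(",")
            unexpected = [s for s in servers if s and s not in expected_dns]
            if unexpected:
                findings["dns"].append(",".join(unexpected))
        elif e.kind == "O16" and e.target.lower().startswith(("http://", "https://")):
            findings["activex"].append(e.target)
        elif e.kind == "O9" and e.target.lower().endswith("related.htm"):
            findings["ie_buttons"].append(e.body)
        elif e.kind == "O2":
            findings["bho"].append(f"{e.clsid} {e.target}")
    return findings


# Sample input: lines copied from the HijackThis log posted in #1 of this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{440CC0EC-2741-4E5F-80B3-E2603084D3A5}: NameServer = 202.144.105.4,202.144.10.50
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
"""

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    # Assumed resolver list: replace with the addresses the ISP actually assigned.
    for check, items in review(parsed, expected_dns=["202.144.105.4", "202.144.10.50"]).items():
        print(check, items)
```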
#4
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
Here are the logs
Hello Ried,
here are the 3 logs that you wanted me to post here. Thanks 1.Silent Runners log "Silent Runners.vbs", revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS] "Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "AlcxMonitor" = "ALCXMNTR.EXE" ["Realtek Semiconductor Corp."] "VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."] "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."] "McAfee Managed Services Tray" = ""C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"" ["McAfee, Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS] "MSPY2002" = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = "UberButton Class" [from 
CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"] {65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = "YahooTaggedBM Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! Inc."] {FFFFFEF0-5B30-21D4-945D-000000000000}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\STARDO~1\SDIEInt.dll" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.url" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\aod\aodshext.dll" [null data] "{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"] "{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"] "{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eraser\erasext.dll" ["-"] "{29e3fb5b-cf62-45b5-b8bf-1ad500385fc7}" = "Shell Context Menu Handler for Application References" -> {CLSID}\InProcServer32\(Default) = 
"C:\WINDOWS\System32\dfshim.dll" [MS] "{29e3fb5b-cf62-45b5-b8bf-1ad500385fc6}" = "Shell Context Menu Handler for Application Manifests" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS] "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eraser\erasext.dll" ["-"] Yahoo! 
Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eraser\erasext.dll" ["-"] Group Policies [Description] {enabled Group Policy setting}: ------------------------------------------------------------ HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ HIJACK WARNING! "HomePage"=dword:00000001 [disables the Home page field in Internet Options|General (tab)] {User Configuration|Administrative Templates|Windows Components| Internet Explorer|Disable changing home page settings} Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\general1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS] Startup items in "general1" & "All Users" startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Trend Micro Anti-Spyware" -> shortcut to: "C:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart" ["Trend Micro Incorporated"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = 
"%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ "ButtonText" = "Yahoo! 
Services" "CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"] {6224F700-CBA3-4071-B251-47CB894244CD}\ "ButtonText" = "ICQ Pro" "MenuText" = "ICQ" "Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."] {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\ "ButtonText" = "eBay - Homepage" "CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS] "Exec" = "C:\Program Files\IrfanView\Ebay\Ebay.htm" [null data] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Messenger" "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ASP.NET Admin Service, aspnet_admin, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe" [MS] AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] McAfee Managed Services Agent, myAgtSvc, "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe /ServiceStart" ["McAfee, Inc."] McShield, McShield, "C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe" ["Network Associates, Inc."] Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"] Tiny Personal Firewall, PersFw, "C:\Program Files\Tiny Personal Firewall\persfw.exe" ["Tiny Software"] WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt12\Driver = "hpzsnt12.dll" ["HP"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. 
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 151 seconds, including 17 seconds for message boxes) ================= 2. New HJT log "Silent Runners.vbs", revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS] "Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "AlcxMonitor" = "ALCXMNTR.EXE" ["Realtek Semiconductor Corp."] "VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."] "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."] "McAfee Managed Services Tray" = ""C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"" ["McAfee, Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS] "MSPY2002" = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] 
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = "UberButton Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"] {65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = "YahooTaggedBM Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! Inc."] {FFFFFEF0-5B30-21D4-945D-000000000000}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\STARDO~1\SDIEInt.dll" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.url" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\aod\aodshext.dll" [null data] "{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"] "{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"] "{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell 
Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eraser\erasext.dll" ["-"] "{29e3fb5b-cf62-45b5-b8bf-1ad500385fc7}" = "Shell Context Menu Handler for Application References" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS] "{29e3fb5b-cf62-45b5-b8bf-1ad500385fc6}" = "Shell Context Menu Handler for Application Manifests" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS] "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! 
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eraser\erasext.dll" ["-"] Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eraser\erasext.dll" ["-"] Group Policies [Description] {enabled Group Policy setting}: ------------------------------------------------------------ HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ HIJACK WARNING! 
"HomePage"=dword:00000001 [disables the Home page field in Internet Options|General (tab)] {User Configuration|Administrative Templates|Windows Components| Internet Explorer|Disable changing home page settings} Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\general1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS] Startup items in "general1" & "All Users" startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Trend Micro Anti-Spyware" -> shortcut to: "C:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart" ["Trend Micro Incorporated"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! 
Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ "ButtonText" = "Yahoo! 
Services" "CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"] {6224F700-CBA3-4071-B251-47CB894244CD}\ "ButtonText" = "ICQ Pro" "MenuText" = "ICQ" "Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."] {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\ "ButtonText" = "eBay - Homepage" "CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS] "Exec" = "C:\Program Files\IrfanView\Ebay\Ebay.htm" [null data] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Messenger" "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ASP.NET Admin Service, aspnet_admin, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe" [MS] AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] McAfee Managed Services Agent, myAgtSvc, "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe /ServiceStart" ["McAfee, Inc."] McShield, McShield, "C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe" ["Network Associates, Inc."] Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"] Tiny Personal Firewall, PersFw, "C:\Program Files\Tiny Personal Firewall\persfw.exe" ["Tiny Software"] WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt12\Driver = "hpzsnt12.dll" ["HP"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. 
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 151 seconds, including 17 seconds for message boxes)

==================

3. StartDreck log

StartDreck (build 2.1.7 public stable) - 2005-11-21 @ 23:58:06 (GMT +05:30)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as general1 at HOME

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
*Skype="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
»RunOnce
»Default User
»Run
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
»Local Machine
»Run
*AlcxMonitor=ALCXMNTR.EXE
*VTTimer=VTTimer.exe
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
*McAfee Managed Services Tray="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*IMJPMIG8.1="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
*MSPY2002=C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*AVG7_EMC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile="C:\Program Files\JGsoft\EditPadLite\EditPad.exe" "%1"
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player 8/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*YUber.UberButton.1/{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
`InprocServer32=C:\Program Files\Yahoo!\Common\yiesrvc.dll
*YIeTagBm.YahooTaggedBM.1/{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
`InprocServer32=C:\Program Files\Yahoo!\Common\YIeTagBm.dll
*{FFFFFEF0-5B30-21D4-945D-000000000000}
`InprocServer32=C:\PROGRA~1\STARDO~1\SDIEInt.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Bar=http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
*Search Page=http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
*Start Page=http://www.yahoo.com
+SearchUrl
*provider=yaho
*=http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
»Default User
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\general1\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[rename]
`NUL=C:\DOCUME~1\general1\LOCALS~1\Temp\pbu1.tmp
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+680=\SystemRoot\System32\smss.exe
+744=\??\C:\WINDOWS\system32\csrss.exe
+768=\??\C:\WINDOWS\system32\winlogon.exe
+812=C:\WINDOWS\system32\services.exe
+824=C:\WINDOWS\system32\lsass.exe
+1004=C:\WINDOWS\system32\svchost.exe
+1096=C:\WINDOWS\System32\svchost.exe
+1148=C:\WINDOWS\System32\svchost.exe
+1180=C:\WINDOWS\System32\svchost.exe
+1232=C:\WINDOWS\system32\spoolsv.exe
+1836=C:\WINDOWS\System32\alg.exe
+1864=C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
+1964=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+2008=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+184=C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
+224=C:\Program Files\Tiny Personal Firewall\persfw.exe
+252=C:\WINDOWS\System32\HPZipm12.exe
+316=C:\WINDOWS\System32\svchost.exe
+352=C:\WINDOWS\System32\MsPMSPSv.exe
+1444=C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
+2668=C:\WINDOWS\Explorer.EXE
+3372=C:\WINDOWS\ALCXMNTR.EXE
+2184=C:\WINDOWS\System32\VTTimer.exe
+2860=C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
+2056=C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
+2484=C:\Program Files\QuickTime\qttask.exe
+2924=C:\Program Files\Sify Broadband\BBClient.exe
+2556=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
+2332=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
+2360=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+3064=C:\WINDOWS\System32\ctfmon.exe
+3344=C:\Program Files\Trend Micro\Tmas\Tmas.exe
+3468=C:\Program Files\Sify Broadband\BBImpSec.exe
+1716=C:\Downloads\Security\AntiSpyware\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
======================
#5 (permalink)
Analyst, Security Team
I remember fixing this up for another user (I think). Run Spybot again. Save that log and post it here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#6 (permalink)
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
Latest spybot log
Thanks Greyknight17. Here is the latest log from spybot.
--- Report generated: 2005-11-26 00:32 ---

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

--- Spybot - Search && Destroy version: 1.3 ---
2005-11-11 Includes\Cookies.sbi
2005-11-11 Includes\Dialer.sbi
2005-11-11 Includes\Hijackers.sbi
2005-11-11 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-11-11 Includes\Malware.sbi
2005-11-11 Includes\PUPS.sbi
2005-11-11 Includes\Revision.sbi
2005-11-11 Includes\Security.sbi
2005-11-11 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-11-11 Includes\Trojans.sbi
#7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista
Hello dhammaguest,
Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

rem Export the two Lsa keys Spybot flags, join the two exports into one file and open it
regedit /e c:\1.txt "HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa"
regedit /e c:\2.txt "HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa"
copy c:\1.txt+c:\2.txt c:\3.txt
del c:\1.txt
del c:\2.txt
notepad c:\3.txt
del c:\3.txt
exit

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it to run it. Notepad will open up. Please post the contents of Notepad here.
#8 (permalink)
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
Hello Ried,
I apologize for not getting back earlier. I have been out of station and just returned. I have run the delete.bat as mentioned above and here are the contents of the notepad when it opened up.

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"MSN"="msnmsgs.exe"

Thanks
#9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista
Hello,
Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click FILE…EXPORT… and save a copy somewhere in case you make a mistake.

Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED:

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"MSN"="msnmsgs.exe"

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Now navigate to the following file and open it with WordPad:

C:\WINDOWS\wininit.ini

Locate the following entry in the file and delete it:

NUL=C:\DOCUME~1\general1\LOCALS~1\Temp\pbu1.tmp

Go to START>>RUN> and COPY AND PASTE the bold line into the open field and then click OK:

regedit /e C:\findit.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

Copy and paste back the contents of C:\findit.txt
#10 (permalink)
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
Hello Ried,
I did the above steps. The file c:\findit.txt is 60,008KB though! I wonder if I have done something wrong. While executing the last step you mentioned, I did this inadvertently: I copied only this line in the 'start..run' field

regedit /e C:\findit.txt

Nothing seemed to happen and then I realized my mistake and then copy-pasted the entire line as below:

regedit /e C:\findit.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

I have not posted the contents because it is too huge. In particular, the following entry itself is over several thousand lines long.

[HKEY_USERS\S-1-5-21-117609710-1303643608-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage]
"StartMenu_Start_Time"=hex:74,70,91,8c,8c,2c,c5,01
"FavoritesResolve"=hex:00,00,00,00,00,00,00,00
"Favorites"=hex:00,16,00,00,00,14,00,1f,80,f4,a1,59,25,d7,21,d4,11,bd,af,00,c0,\
  4f,60,b9,f0,00,00,00,16,00,00,00,14,00,1f,80,f5,a1,59,25,d7,21,d4,11,bd,af,\
  00,c0,4f,60,b9,f0,00,00,ff
"FavoritesChanges"=dword:00000001
"ProgramsCache"=hex:09,00,00,00,0b,00,02,00,00,00,00,00,01,f2,00,00,00,f0,00,\
  32,00,0b,03,00,00,ac,32,2d,9c,20,00,4c,41,55,4e,43,48,7e,31,2e,4c,4e,4b,00,\
  ...
  ...

Thanks
#11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista
It took your first command and is listing the entire registry. Let's try it this way:

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

@echo off
rem Remove any stale export, export only the HKLM Lsa key, then open the result
if exist c:\findit.txt del c:\findit.txt
regedit /e c:\findit.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
notepad c:\findit.txt
exit

Save the file as "lsa.bat". Make sure to save it with the quotes. Double click on it to run it. Notepad will open up. Please post the contents of Notepad here.
#12 (permalink)
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
Hello Ried,
sorry about the mistake. I have executed the bat file as mentioned above and here are the contents. Thanks

--
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:00000338
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"MSN"="msnmsgs.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:d5,62,c7,d1,d2,53,0f,98,84,5f,43,dc,78,9d,32,d6,31,63,62,65,32,\
  35,37,34,00,68,07,00,01,00,00,00,d8,00,00,00,dc,00,00,00,48,fa,06,00,d6,48,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,08,46,2c,a4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:2e,5b,f1,53,a1,28,3b,ee,bb

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:fd,16,7d,8f,3d,2f

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:6f,58,63,f3,66,ac,f8,c6,62,49,c8,72,96,4a,fa,d0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:64,6b,f8,9f,c2,2c,c5,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,cd,02,d0,ca,4e,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,58,14,88,2b,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,35,8c,d9,ca,4e,c2,01
"Type"=dword:00000031
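Reading an export like the one above by eye is exactly where entries get missed: the hex(7) runs are UTF-16 multi-strings, one package name per NUL-separated entry, and those package lists are what LSA actually loads into lsass.exe. The Python script below is an added example for this thread, not code from the forum, from Spybot or from any other tool mentioned here. It parses the regedit 5.00 export format, decodes the package lists, and reports packages outside an allow-list, value names LSA does not itself use (the "MSN"="msnmsgs.exe" string is the one that stands out in this dump), and whether LM hashes are still being stored. The allow-list and the known-value list are assumptions built from this thread's own XP SP1 export; the sample input is a constructed excerpt of that export.

```python
r"""Decode a regedit 5.00 export of HKLM\SYSTEM\CurrentControlSet\Control\Lsa
and report what does not belong there.  Added example for this thread, not the
forum's or Spybot's code.  Real exports are UTF-16: open(path, encoding="utf-16").
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed sample: an excerpt of the export posted above.  hex(7) runs are
# UTF-16LE multi-strings, continued across lines with a trailing backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"nolmhash"=dword:00000000
"MSN"="msnmsgs.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
'''

# Assumption: the packages a stock XP SP1 box lists (this thread's own dump).
# LSA loads each as System32\<name>.dll inside lsass.exe, so an extra name here
# is code running in the authentication process at every boot.
EXPECTED_PACKAGES = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}
# Assumption: value names LSA itself keeps under Control\Lsa on XP, from the dump.
KNOWN_VALUES = {n.lower() for n in [
    "Authentication Packages", "Bounds", "Security Packages", "LsaPid", "SecureBoot",
    "auditbaseobjects", "crashonauditfail", "disabledomaincreds",
    "everyoneincludesanonymous", "fipsalgorithmpolicy", "forceguest",
    "fullprivilegeauditing", "limitblankpassworduse", "lmcompatibilitylevel",
    "nodefaultadminowner", "nolmhash", "restrictanonymous", "restrictanonymoussam",
    "Notification Packages"]}
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"'):                       # REG_SZ
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):                  # REG_DWORD
        return int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if not m:
        raise ValueError("unsupported value syntax: %r" % raw)
    kind = int(m.group(1), 16) if m.group(1) else 3   # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind == 7:                                 # REG_MULTI_SZ
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    if kind in (1, 2):                            # REG_SZ / REG_EXPAND_SZ as hex
        return data.decode("utf-16-le").rstrip("\0")
    return data


def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    logical, pending = [], ""                     # join backslash-continued lines
    for line in text.lstrip("\ufeff").splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)
    tree, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            tree[current][name] = decode_value(m.group(2))
    return tree


def audit_lsa(tree):
    r"""Findings for Control\Lsa: foreign packages, stray values, LM hash storage."""
    findings, lsa = [], tree.get(LSA_KEY, {})
    for name, allowed in EXPECTED_PACKAGES.items():
        for pkg in lsa.get(name, []):
            if pkg.lower() not in allowed:
                findings.append("%s lists %r: System32\\%s.dll loads into lsass.exe"
                                % (name, pkg, pkg))
    for name, value in lsa.items():
        if name.lower() not in KNOWN_VALUES:
            findings.append("stray value %r=%r under Control\\Lsa" % (name, value))
    if lsa.get("nolmhash", 1) == 0:
        findings.append("nolmhash=0: LM hashes of local passwords are still stored")
    return findings
```

Against a real export, read findit.txt with encoding="utf-16" (regedit writes UTF-16 with a byte-order mark), pass the text to parse_reg_export and print what audit_lsa returns. A package hit matters more than a stray string: a name added to Authentication Packages or Notification Packages is a DLL that lsass.exe loads at the next boot, whereas a REG_SZ such as "MSN" under Control\Lsa is not one of the values LSA is documented to read, so on its own it only tells you that something wrote there.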
#13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista
Ok, let's get that last one.
Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click FILE…EXPORT… and save a copy somewhere in case you make a mistake.

Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"MSN"="msnmsgs.exe"

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

That should do it. Does Spybot still pick it up?
#14 (permalink)
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
Hello Ried,
thanks for your help. I deleted the entry mentioned above and ran Spybot, but it still picks it up. Here is what I see in Spybot's Tools .. View report.

--- Search result list ---
LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

--- Spybot - Search && Destroy version: 1.3 ---
2005-11-11 Includes\Cookies.sbi
2005-11-11 Includes\Dialer.sbi
2005-11-11 Includes\Hijackers.sbi
2005-11-11 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-11-11 Includes\Malware.sbi
2005-11-11 Includes\PUPS.sbi
2005-11-11 Includes\Revision.sbi
2005-11-11 Includes\Security.sbi
2005-11-11 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-11-11 Includes\Trojans.sbi

--- System information ---
Windows XP (Build: 2600) Service Pack 1 / Windows XP / SP2: Windows XP Hotfix - KB822603

--- Startup entries list ---
Located: HK_LM:Run, AlcxMonitor
  command: ALCXMNTR.EXE
  file: C:\WINDOWS\ALCXMNTR.EXE
  size: 50176
  MD5: 2f0a3b80096ac30a3e300cce44cdb5dc

Located: HK_LM:Run, AVG7_CC
  command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

(deleted the rest of the log)

Last edited by dhammaguest; 12-16-2005 at 04:07 AM.
#15 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
DH,
Please navigate to each of these keys one at a time...

HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

Make sure the Lsa folder is highlighted, then click on File >>> Export. Save the first file as lsa.reg and the second as lsa1.reg to your desktop. Now right-click each file and rename them to lsa.txt and lsa1.txt. Then post both those txt files. Something is being missed in the translation of those entries.

*Note* Please update your version of Spybot as 1.4 is the latest.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: HijackThis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder

Last edited by MicroBell; 12-16-2005 at 07:33 PM.
#16 (permalink)
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
MB,
thanks for your note. I have upgraded Spybot to 1.4. Here are the contents of lsa.txt and lsa1.txt

LSA.TXT

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]

LSA1.TXT

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]

Thanks
#17 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
DH,
When you highlighted the LSA key, there were no entries in the right pane? If that's so, repeat the process again, but highlight the SYSTEM folder:

HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

I also want to see if CCleaner will clean this key. Download and install CCleaner: http://www.ccleaner.com/ccdownload.asp

1. Open the program and the "Cleaner" button should be active.
2. Click on "Run Cleaner"
3. Once that's done it will clean out the TEMP folder.
4. Now click on "Issues" and then "Scan for Issues"
5. Once it's done checkmark ALL it finds and click "Fix Selected Issues"
6. It will ask you if you want to back up the registry entries it's removing, so please do so. If it removes anything important, just locate the .reg file you saved and double click on it to add the entries back.

Close the program. Let me know if Spybot still detects it.
Last edited by MicroBell; 12-17-2005 at 12:51 AM.
#18 (permalink)
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
The only entry in the right panel was like this:

Name        Type     Value
(Default)   REG_SZ   (value not set)

Here is what I see when I repeat the process with SYSTEM highlighted:

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\SYSTEM]

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet]

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control]

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]

And the other file has:

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\SYSTEM]

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet]

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control]

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]

I will carry out the other steps suggested by you (running CCleaner) a bit later. Thanks
#19 (permalink)
Registered User
Join Date: Nov 2005
Posts: 76
OS: Windows XP Pro SP2
Ran ccleaner - still seeing LSA in Spybot
I carried out the above steps with the latest ccleaner. Spybot still detects it. I have looked at how the entries look under regedit, and they look the same as what I have posted in the preceding post above, so I have not reposted it here. Thanks for trying. |
#20 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Ok, one more step before I take those entries out...

Download VBS Search: http://www.billsway.com/vbspage/

Run the program and put this in the search box: msnmsgs.exe

Post any keys it finds that entry in.