Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Inactive Malware Help Topics

User Tag List

Hijackthis can't remove registry entries

This is a discussion on Hijackthis can't remove registry entries within the Inactive Malware Help Topics forums, part of the Tech Support Forum category. Hi, I've 2 computers that seem to be affected with the same virus(s). I've tried to remove what I think


 
 
Thread Tools Search this Thread
Old 01-10-2007, 11:08 PM   #1
Guest
 
Join Date: Jan 2007
Posts: 3
OS:



Hi,

I've 2 computers that seem to be affected with the same virus(s). I've tried to remove what I think the offending entries are in hijackthis but as soon as I click repair the hijackthis window goes blank, then when another scan is done the entries are back.

I've also tried deleting the entry through the registry, then when I refresh the screen it's back again!!

Tried in safe mode, same problem. Can anyone help?

Logfile of HijackThis v1.99.1
Scan saved at 5:02:53 PM, on 11/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Winnt\System32\smss.exe
C:\Winnt\system32\winlogon.exe
C:\Winnt\system32\services.exe
C:\Winnt\system32\lsass.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\spoolsv.exe
C:\Program Files\CanoBureau Workgroup\Program\BtrKernel.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CanoBureau Workgroup\Program\W32MKDE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Winnt\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Winnt\system32\regsvc.exe
C:\Winnt\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Winnt\system32\stisvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Winnt\System32\WBEM\WinMgmt.exe
C:\Winnt\system32\svchost.exe
C:\Program Files\CanoBureau Workgroup\Program\Tsscdl.exe
C:\Winnt\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Winnt\system32\igfxtray.exe
C:\Winnt\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Winnt\system32\adirss.exe
C:\Winnt\system32\clcbt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Winnt\inet20126\mmx962.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Winnt\system32\taskmgr.exe
C:\Documents and Settings\administrator.NEEDHAM\Desktop\Hijackthis\HijackThis1991.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Winnt\system32\msiexec.exe
C:\WINNT\system32\mstsc.exe
C:\WINNT\system32\mstsc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://go.compaq.com/1Q00CDT/0409/bl8.asp
F3 - REG:win.ini: run=C:\Winnt\inet20126\winlogon.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Winnt\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\Winnt\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Winnt\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [sysinter] C:\Winnt\system32\adirss.exe
O4 - HKLM\..\Run: [clcbt.exe] C:\Winnt\system32\clcbt.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [xp_system] C:\Winnt\inet20126\winlogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = needham.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = needham.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = needham.local
O20 - Winlogon Notify: igfxcui - C:\Winnt\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\Winnt\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: CanoBureau Access Service - Unknown owner - C:\Program Files\CanoBureau Workgroup\Program\BtrKernel.exe
O23 - Service: CanoBureau Text Search Scheduler - Unknown owner - C:\Program Files\CanoBureau Workgroup\Program\Tsscdl.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\Winnt\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\emma\Local Settings\Temp\ieupdate.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
circuit is offline  
Sponsored Links
Advertisement
 
Old 01-11-2007, 06:04 AM   #2
Guest
 
Join Date: Jan 2007
Posts: 3
OS:


Can't seem to edit post.

Updated detail. Whenever the PC is restarted Trend antivirus reports about 8 viruses found. I don't have access to the PC so will update virus details as soon as I do.

My other thread (for another PC with same problem) - https://www.techsupportforum.com/secu...fected-pc.html
circuit is offline  
Old 01-12-2007, 10:07 PM   #3
Guest
 
Join Date: May 2006
Posts: 2,506
OS:


Hello circuit, welcome to TSF and thanks for your patience. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Download CleanUp!
Download and install CleanUp! but do not run it yet. (alternate link if main link isn't working: https://www.greyknight17.com/spy/CleanUp.exe)

WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp!

WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it.


Download AVG Anti-Spyware
Please download, install, and update AVG Anti-Spyware.
  1. Load AVG Anti-Spyware and then click the Shield tab at the top
    • Click on the word active to change it to inactive.
  2. Click the Update tab at the top:
    • Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater.
    • Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours.
  3. Click the Scanner tab at the top and then the Settings sub-tab:
    • Under How to act?, click Recommended actions and select Quarantine.
    • Under Reports, select Automatically generate report after every scan
  4. Close AVG Anti-Spyware. Do not run a scan with it yet.

Download SmitfraudFix
Please download SmitfraudFix (by S!Ri) and save it to your Desktop, but do not do anything else with it yet.


Disable Service
Click Start>Run - type SERVICES.MSC and then click on the OK button.
  1. Locate the service - Microsoft IE Updater
  2. Stop the service by using the Stop button.
  3. Change the Startup Type to Disabled and click the OK button.
  4. Start HiJackThis and go to Config... -> Misc.Tools -> Delete an NT service.
  5. In the popup box that appears, type in ieupdater.
  6. Click the OK button and answer No if prompted to reboot.

Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows.


HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):
F3 - REG:win.ini: run=C:\Winnt\inet20126\winlogon.exe
O4 - HKLM\..\Run: [sysinter] C:\Winnt\system32\adirss.exe
O4 - HKLM\..\Run: [clcbt.exe] C:\Winnt\system32\clcbt.exe
O4 - HKCU\..\Run: [xp_system] C:\Winnt\inet20126\winlogon.exe
O20 - Winlogon Notify: rpcc - C:\Winnt\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis.


Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\Winnt\inet20126
C:\Winnt\system32\adirss.exe
C:\Winnt\system32\clcbt.exe

Run SmitfraudFix
Double-click smitfraudfix.exe file to start the tool.
  1. Select option #2 - Clean by typing 2 and pressing Enter.
  2. Wait for the tool to complete and disk cleanup to finish.
  3. You will be prompted: " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and pressing Enter.
  4. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Run CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users
    • Click on the "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked.
    Click OK.
  • Press the CleanUp! button to start the program.
Once it's finished CleanUp! will ask you to logoff/reboot. Please select NO as we will do this later.


Fix Desktop
Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


Run AVG Anti-Spyware
  • Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
  • If Set all elements to is not set to Quarantine (1), please click Recommended Action and choose Quarantine from the popup menu (2).
  • At the bottom of the window, click on the Apply all actions button (3).
  • When it has finished, click the Save Scan Report button (4), then click Save Report As and save the report it to your desktop.
  • Close AVG Anti-Spyware.

Reboot
Reboot your system to Normal Mode.


Re-run SmitfraudFix
Double-click SmitfraudFix.exe. Select option #3 - Delete Trusted zone by typing 3 and pressing Enter.

NOTE: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database: extended
    • Scan Options: Scan Archives and Scan Mail Bases
  • Click OK
  • Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
  • Now under select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run all the way.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.
Take note the names and locations of any file it detects but fails to clean.


With Your Next Post...
Please paste the following with your next reply (in this order please):
  1. The content of C:\rapport.txt,
  2. AVG Anti-Spyware scan report,
  3. Kaspersky scan report,
  4. a new HiJackThis log taken after Kaspersky finishes.
Deckard is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 01:24 AM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts