
Editing the registry.

Started by Jared Katooie, 05 May, 2007, 09:40:35 PM


Jared Katooie

After visiting a site I probably shouldn't have and downloading a file I definitely shouldn't have I've managed to infest my PC with spyware.

It's trying to install that bloody WinAntiVirus Pro 2006.

Both Spybot and AdAware have failed to completely remove the viruses but Hijackthis has identified potential problems in the registry. I'm a bit nervous about messing around there though. Could anyone offer a little guidance?

Here's the logfile from Hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehungersite.com/cgi-bin/WebObjects/CTDSites
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iol.ie
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\bkeeavfu.dll",setvm
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\omodgcsp.dll",setvm
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any advice would be greatly appreciated. Thanks guys!
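An added example, not from any post in this thread: a small Python script that parses the O4 (autorun) lines of a HijackThis log like the one above and lists the entries that load a DLL through rundll32 which is not on a known-good baseline. The sample lines and the baseline set are constructed for the example; what it flags is a heuristic to check (a DLL with an unrecognisable name in system32, started under an unrelated-looking key name), not a verdict, so each hit still wants a look at the file itself before anything is deleted.

```python
import re

# Constructed sample in HijackThis O4 format (same shape as the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\bkeeavfu.dll",setvm
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\omodgcsp.dll",setvm
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
""".strip()

# Baseline of DLLs one expects rundll32 to load at startup on this kind of
# machine. Assumption: constructed for the example, not a published list;
# a real baseline would come from a known-clean machine of the same build.
KNOWN_RUNDLL_DLLS = {"nvcpl.dll"}

# O4 line: hive, the value name in [brackets], then the command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 command: optional quotes round the DLL path, then ",export".
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I
)


def parse_o4(log):
    """Return a list of dicts (hive, name, cmd) for every O4 Run entry in the log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_rundll(entries):
    """Return (value name, dll basename, export) for rundll32 autoruns not in the baseline."""
    hits = []
    for e in entries:
        m = RUNDLL_RE.match(e["cmd"])
        if not m:
            continue
        dll = m.group("dll").split("\\")[-1].lower()
        if dll not in KNOWN_RUNDLL_DLLS:
            hits.append((e["name"], dll, m.group("export")))
    return hits


if __name__ == "__main__":
    for name, dll, export in suspicious_rundll(parse_o4(SAMPLE_LOG)):
        print(f"check: Run value [{name}] loads {dll} via rundll32, export {export}")
```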

Tex Hex


If you are running a legit XP or Vista you could give Windows Defender a shot...

Unfortunately I don't really know enough about HijackThis.

-hex

Link: Windows Defender - http://www.microsoft.com/athome/security/spyware/software/default.mspx


WoD

I enjoyed the story, but the ending...is it crap or is it just me not getting it?

If anyone wants the EE then say so quick as it is in the resyk bin.

I, Cosh

If you don't get any answers here, give these forums a shot.

Link: Spyware Info forums - http://forums.spywareinfo.com/

We never really die.

Quirkafleeg

You may have to throw Adaware and Spybot at it several times to clean it up completely. Also try searching with whatever symptoms you are getting, error messages etc, that will often turn up a forum entry, tips site etc that'll let you know what other tinkering under the hood you need to do.

Oh and let it be a lesson to you... no naughty surfing.

Wils

Gah! Download and put your own PC at risk, but stop forwarding the bloody things to me will you?!

http://img.photobucket.com/albums/v89/hamaliel/spoons.jpg

;)

Jared Katooie

It was nothing pornographic! Just some... utilities...

In any case, thanks for your assistance. I'll have to investigate further and see what I can turn up...

See you spoon...

Tweak72

"After visiting a site I probably shouldn't have and downloading a file I definitely shouldn't."

You didn't try and hack the FBI again, did you?

http://www.biggercheese.com/comics/0332.png

+++THRILL POWER, OVERWHELMING+++

skull.ring

Just a thought - if you are running XP, why not try and restore the PC to a point in time before you installed the dodgy program?

You should find a direct link via Start > Help and Support

Cheers

Mark