HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin



Umb47
2008-01-26, 19:36
Hi,
I have the same problem that LC Raptor has described in his post: I can't get rid of that reg key. SpyBot removes it, but it is back every time I boot; the same happens if I delete the key from the registry myself. It apparently gives no problems; however, I would prefer to delete it. Can you help me? I assume you need the following data, and here is the SmitfraudFix rapport.txt:

SmitFraudFix v2.274

Scan done at 11.39.35,57, 26/01/2008
Run from C:\Documents and Settings\Umberto\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\SSH Communications Security\SSH Sentinel\sshipm.exe
C:\Programmi\SSH Communications Security\SSH Sentinel\sshmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\progra~1\yahoo!\YCentral\YahooCentral.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TuneUp Utilities 2008\MemOptimizer.exe
C:\Programmi\Windows Media Player\WMPNSCFG.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Programmi\Opera\Opera.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Umberto


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Umberto\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Umberto\PREFER~1

C:\DOCUME~1\Umberto\PREFER~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Umberto\PREFER~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Umberto\PREFER~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programmi


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SSH Virtual Network Adapter (sshvnic) - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.1.1

Description: TL-WN321G USB Wireless Adapter #3 - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.30.1
DNS Server Search Order: 0.0.0.0

Description: TL-WN321G USB Wireless Adapter #3 - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1422C721-E51E-40A0-964D-084A9820E634}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{91319A62-D761-4D81-801F-234CCA164558}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DDB1745C-F520-4CF3-9363-C361AD358E98}: DhcpNameServer=192.168.30.1 0.0.0.0
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E58D9A0B-E793-49DC-9AFE-A3ACA12E1212}: NameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1422C721-E51E-40A0-964D-084A9820E634}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{91319A62-D761-4D81-801F-234CCA164558}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DDB1745C-F520-4CF3-9363-C361AD358E98}: DhcpNameServer=192.168.30.1 0.0.0.0
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E58D9A0B-E793-49DC-9AFE-A3ACA12E1212}: NameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1422C721-E51E-40A0-964D-084A9820E634}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{91319A62-D761-4D81-801F-234CCA164558}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DDB1745C-F520-4CF3-9363-C361AD358E98}: DhcpNameServer=192.168.30.1 0.0.0.0
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E58D9A0B-E793-49DC-9AFE-A3ACA12E1212}: NameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
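Added editorial example, not posted by anyone in this thread and not part of SmitFraudFix itself: a small Python triage script that parses a rapport.txt shaped like the one above and pulls out the items a helper looks at first. The input is a constructed excerpt modelled on the log (paths and GUID placeholders are made up); it deliberately sets the Winlogon `System` value to a constructed `example.dll` so that the non-empty branch is exercised, whereas the real log above shows both `AppInit_DLLs` and `System` empty. The 208.67.220.220 / 208.67.222.222 resolvers in the log are OpenDNS, so statically configured public resolvers are reported as informational only; the `FOUND !` entries and any non-empty load-point value are reported as high.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of a SmitFraudFix rapport.txt (same layout as the real
# report above; paths and the GUID placeholders are made up for this example).
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Umberto\PREFER~1

C:\DOCUME~1\Umberto\PREFER~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Umberto\PREFER~1\Privacy Protector.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="example.dll"

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER-1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER-2}: NameServer=208.67.220.220,208.67.222.222
"""

# Section headers are a run of » followed by the section name.
SECTION_RE = re.compile(r"^»+\s*(?P<name>.+?)\s*$")
# Lines the tool flagged as a positive hit.
FOUND_RE = re.compile(r"^(?P<path>.+?)\s+FOUND\s*!\s*$")
# Registry values in .reg style: "Name"="Value"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# Per-interface resolver lines; DhcpNameServer comes from DHCP, NameServer is static.
DNS_RE = re.compile(r"^(?P<key>HKLM\\.+?):\s*(?P<field>Dhcp)?NameServer=(?P<servers>.*)$")


def parse_report(text):
    """Split a report into {section_name: [non-empty lines]}."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        if line:
            sections[current].append(line)
    return sections


def triage(text):
    """Return a list of (severity, message) findings for a report."""
    sections = parse_report(text)
    findings = []

    # 1. Anything the tool tagged "FOUND !" is a positive detection.
    for name, lines in sections.items():
        for line in lines:
            m = FOUND_RE.match(line)
            if m:
                findings.append(("high", f"{name}: {m.group('path')}"))

    # 2. Load points that should be empty on a clean machine: a non-empty
    #    AppInit_DLLs or Winlogon\System value is a classic persistence spot.
    for section, value_name in (("AppInit_DLLs", "AppInit_DLLs"),
                                ("Winlogon.System", "System")):
        for line in sections.get(section, []):
            m = VALUE_RE.match(line)
            if m and m.group("name") == value_name and m.group("value"):
                findings.append(("high", f"{section}: {value_name}={m.group('value')!r}"))

    # 3. Statically configured resolvers outside private/unspecified ranges are
    #    worth a look (DNS hijacking is a common SmitFraud-family symptom), but
    #    they are not proof of anything on their own, so report as info.
    for line in sections.get("DNS", []):
        m = DNS_RE.match(line)
        if not m or m.group("field") == "Dhcp":
            continue
        for server in re.split(r"[,\s]+", m.group("servers").strip()):
            if not server:
                continue
            try:
                addr = ip_address(server)
            except ValueError:
                continue
            if not (addr.is_private or addr.is_unspecified):
                findings.append(("info", f"DNS: static NameServer {server} ({m.group('key')})"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REPORT):
        print(f"[{severity}] {message}")
```

Run against a real rapport.txt by reading the file and passing its text to `triage()`; the parser keys everything on the `»»»` section headers, so it copes with the variable number of sections between tool versions.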

Umb47
2008-01-26, 19:55
Hi,
I repost in the right thread.
I have the same problem that LC Raptor has described in his post: I can't get rid of that reg key. SpyBot removes it, but it is back every time I boot; the same happens if I delete the key from the registry myself. It apparently gives no problems; however, I would prefer to delete it. Can you help me? I assume you need the following data, and here is the SmitfraudFix rapport.txt:

SmitFraudFix v2.274

Scan done at 11.39.35,57, 26/01/2008
Run from C:\Documents and Settings\Umberto\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\SSH Communications Security\SSH Sentinel\sshipm.exe
C:\Programmi\SSH Communications Security\SSH Sentinel\sshmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\progra~1\yahoo!\YCentral\YahooCentral.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TuneUp Utilities 2008\MemOptimizer.exe
C:\Programmi\Windows Media Player\WMPNSCFG.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Programmi\Opera\Opera.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Umberto


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Umberto\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Umberto\PREFER~1

C:\DOCUME~1\Umberto\PREFER~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Umberto\PREFER~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Umberto\PREFER~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programmi


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="Pagina iniziale corrente"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SSH Virtual Network Adapter (sshvnic) - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.1.1

Description: TL-WN321G USB Wireless Adapter #3 - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.30.1
DNS Server Search Order: 0.0.0.0

Description: TL-WN321G USB Wireless Adapter #3 - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1422C721-E51E-40A0-964D-084A9820E634}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{91319A62-D761-4D81-801F-234CCA164558}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DDB1745C-F520-4CF3-9363-C361AD358E98}: DhcpNameServer=192.168.30.1 0.0.0.0
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E58D9A0B-E793-49DC-9AFE-A3ACA12E1212}: NameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1422C721-E51E-40A0-964D-084A9820E634}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{91319A62-D761-4D81-801F-234CCA164558}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DDB1745C-F520-4CF3-9363-C361AD358E98}: DhcpNameServer=192.168.30.1 0.0.0.0
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E58D9A0B-E793-49DC-9AFE-A3ACA12E1212}: NameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1422C721-E51E-40A0-964D-084A9820E634}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{91319A62-D761-4D81-801F-234CCA164558}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DDB1745C-F520-4CF3-9363-C361AD358E98}: DhcpNameServer=192.168.30.1 0.0.0.0
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E58D9A0B-E793-49DC-9AFE-A3ACA12E1212}: NameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

tashi
2008-01-27, 00:37
Hi there.

I merged your two topics, please read the stickied procedure for this forum: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)



Until a helper responds, the HJT log has not been analyzed. Please wait to be advised and don't run fixes until asked. This is especially important if your Operating System is Windows Vista!

Malware has become complex; people who use tools willy-nilly may make their machine unstable.
Going it alone and following advice and fixes specifically given to another member is risky; your symptoms may only appear to be similar. Please note that all instructions given are customized for that member's computer only; the tools used may cause damage if used on a computer with different infections.
Note: HJT Logs
Provide:
a) The HJT log.
b) The Kaspersky log report.

Copy/paste the logs requested into a new topic. I will close this one as helpers look for zero response.

Best regards. :)