Regedit virus



Sarwar
2010-04-03, 23:53
Hi,

My server has been infected with the regedit virus. Below are the details.
I have been at it for 4 days, please help. I have tried a lot of things, but with not much result;
therefore I am here for help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:26 AM, on 4/4/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\IMail\IMonitor.exe
C:\IMail\iwebmsg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\StatisticsServer\mhss.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\IMail\POP3D32.exe
C:\IMail\queuemgr.exe
C:\Program Files\RemotelyAnywhere\RAMaint.exe
C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
C:\IMail\smtpd32.exe
C:\IMail\SYSLOGD.exe
C:\Program Files\RemotelyAnywhere\RAGui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\inetsrv\w3wp.exe
D:\RootRepeal.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Administrator\Desktop\RRT.exe auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - ESC Trusted Zone: http://www.clamav.net
O15 - ESC Trusted Zone: http://*.cottonsbycentury.com
O15 - ESC Trusted Zone: http://files.f-prot.com
O15 - ESC Trusted Zone: http://*.hostingcontroller.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://mirror.internode.on.net
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://202.71.136.119
O15 - ESC Trusted IP range: http://202.71.136.118
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196099723500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = indiaaccess.com
O17 - HKLM\Software\..\Telephony: DomainName = indiaaccess.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6388DB3-368B-4DEA-B3AA-767387FE4302}: Domain = dca2.superb.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6388DB3-368B-4DEA-B3AA-767387FE4302}: NameServer = 66.36.226.50,207.228.225.50,207.228.226.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = indiaaccess.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dca2.superb.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dca2.superb.net
O23 - Service: IMail FINGER Server (FINGRD32) - Ipswitch, Inc. - C:\IMail\FINGRD32.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Hosting Controller Client (HCClient) - Hosting Controller - C:\Program Files\Advanced Communications\Hosting Controller 7C\Web\Bin\HCClient.exe
O23 - Service: IMail LDAP Server (ILDAP) - Ipswitch, Inc. - C:\IMail\ILDAP.exe
O23 - Service: IMail IMAP4 Server (IMAP4D32) - Ipswitch, Inc. - C:\IMail\IMAP4D32.exe
O23 - Service: IMail Monitor Service (IMonitor) - Ipswitch, Inc. - C:\IMail\IMonitor.exe
O23 - Service: IMail Web Calendar Service (IWebCal) - Ipswitch, Inc. - C:\IMail\IWebCal.exe
O23 - Service: IMail Web Service (IWEBMSG) - Ipswitch, Inc. - C:\IMail\iwebmsg.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Statistics Server (mhss) - Unknown owner - C:\StatisticsServer\mhss.exe
O23 - Service: IMail POP3 Server (POP3D32) - Ipswitch, Inc. - C:\IMail\POP3D32.exe
O23 - Service: IMail PWD Server (PSERVE) - Ipswitch, Inc. - C:\IMail\PSERVE.exe
O23 - Service: IMail Queue Manager Service (QueueMgr) - Ipswitch, Inc. - C:\IMail\queuemgr.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - 3am Laboratories PL - C:\Program Files\RemotelyAnywhere\RAMaint.exe
O23 - Service: RemotelyAnywhere - 3am Laboratories PL - C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - C:\IMail\smtpd32.exe
O23 - Service: IMail Sys Logger Service (SYSLOGD) - Ipswitch, Inc. - C:\IMail\SYSLOGD.exe
O23 - Service: IMail WHOIS Server (WHOISD32) - Ipswitch, Inc. - C:\IMail\WHOISD32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8106 bytes

Malwarebytes log:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Regards

Sarwar

--------------------------------

"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance): http://forums.spybot.info/showthread.php?t=288
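The O7 line in the HijackThis log and the Malwarebytes "Registry Data Items Infected" section both point at the same thing: policy values that lock the user out of regedit and Task Manager, and Security Center values that silence the "antivirus/firewall/updates disabled" warnings. The following audit script is an added example, not something from this thread or from any of the tools named in it; it reads only the registry paths and value names the two logs report and lists any that are still set, so it can be re-run after cleanup to confirm the restrictions have not come back.

```powershell
# Added example (not from the thread or its tools): audit the policy and
# Security Center values reported in the HijackThis O7 line and the
# Malwarebytes log. Run from an elevated PowerShell session on the host.
# HKCU is checked for the logged-on user only; other profiles need their
# hive loaded separately.

$checks = @(
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableRegistryTools', 'DisableTaskMgr' },
    @{ Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableRegistryTools', 'DisableTaskMgr' },
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Names = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify' }
)

function Get-RestrictionFindings {
    $findings = @()
    foreach ($check in $checks) {
        if (-not (Test-Path $check.Path)) { continue }
        $key = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
        foreach ($name in $check.Names) {
            $value = $key.$name
            # A value that exists and is non-zero is the "Bad: (1)" state
            # shown in the Malwarebytes log; absent or 0 is the clean state.
            if ($null -ne $value -and [int]$value -ne 0) {
                $findings += New-Object PSObject -Property @{
                    Path  = $check.Path
                    Name  = $name
                    Value = $value
                }
            }
        }
    }
    return $findings
}

$findings = @(Get-RestrictionFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No regedit, Task Manager or Security Center notification restrictions are set.'
} else {
    $findings | Format-Table Path, Name, Value -AutoSize
    # Remediation, left commented out: clear each value only after confirming
    # it is not set deliberately by your own Group Policy.
    # $findings | ForEach-Object { Set-ItemProperty -Path $_.Path -Name $_.Name -Value 0 }
}
```

A restriction that reappears after being cleared means the process that sets it is still running, which is the situation the poster describes before the rootkit was removed.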

Sarwar
2010-04-06, 22:38
Hi,

I used VIPRE Rescue Program to scan.

I have remote access to the Win 2003 server machine, therefore I thought I could not go into safe mode and remove the rootkit (now I know, after removal of the rootkit, that remote safe mode with networking is possible).

For 3-4 days I had been using the deep scan option of VIPRE Rescue (the default option). I would start the scan in the evening, and by morning the server would have rebooted, with all the detections lost.

I ran the quick scan option, and it cleaned the rootkit and the Sality virus (I think). I also extensively used:

UNHACKME
SPYBOT
GMER

Thanks to these 4 great pieces of software, I am a free man and hopefully have a clean server.


Sarwar