
21:38 Registry change denied keeps popping up



patrykrebisz
2006-10-17, 06:41
Some malicious software wanted to do something to my registry, so I said "Decline" and checked the "remember my setting" box. Yet that software is so stubborn that it keeps asking to change the registry.

I ran S&D and yet that malware of a kind keeps asking... what can I do???

Here is my log:


--- Search result list ---


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)


--- Startup entries list ---
Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
file: C:\PROGRA~1\AVGFRE~1\avgcc.exe
size: 369664
MD5: 5ff72bb3dd3d7a206fbab530de76521a

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, Windows Defender
command: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 777424
MD5: 3207bba7a51043ff2c5d64df4c3b6310

Located: HK_CU:Run, Active Desktop Calendar
command: C:\Program Files\Active Desktop Calendar\ADC.exe
file: C:\Program Files\Active Desktop Calendar\ADC.exe
size: 1683456
MD5: 8de3a4ca47ef3edf5446dfcb2da75544

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: Startup (common), M-Audio MobilePre Control Panel Launcher.lnk
command: C:\Program Files\M-Audio MobilePre\MPTask.exe
file: C:\Program Files\M-Audio MobilePre\MPTask.exe
size: 61440
MD5: a2840244d80197dd25c9fc68bb331b4d

Located: Startup (common), Post-it® Software Notes Lite.lnk
command: C:\Program Files\Post-it Lite\PsnLite.exe
file: C:\Program Files\Post-it Lite\PsnLite.exe
size: 1622016
MD5: 606dc8dd862921b7f6efb4d06256e809

Located: Startup (user), Adobe Gamma.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (user), OpenOffice.org 2.0.lnk
command: C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
file: C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
size: 61440
MD5: 5cb03ee68f33c0bdf5484d36ef7f1212



--- Browser helper object list ---
{4CA11008-B342-55B5-8056-6D5508F7784F} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: tvknvipr.dll

{67B7BE40-210B-4622-9CD2-FB2AE23BA583} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: oehn.dll

{AA58ED58-01DD-4d91-8333-CF10577473F7} ()
BHO name:
CLSID name:
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll; googletoolbar*.dll (* = number); googletoolbar_en_*.**-big.dll; Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein



--- ActiveX list ---
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class)
DPF name:
CLSID name: FilePlanet Download Control Class
Installer:
Codebase: http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
description:
classification: Open for discussion
known filename: FilePlanetDownloadCtrl.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: FilePlanetDownloadCtrl.dll
Short name: FILEPL~1.DLL
Date (created): 5/8/2004 1:59:54 PM
Date (last access): 10/16/2006 2:20:20 PM
Date (last write): 5/8/2004 1:59:54 PM
Filesize: 294912
Attributes: archive
MD5: A45F787F39FC9D5D5E2D492021E5946C
CRC32: 2CB67741
Version: 1.0.0.42

{4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2)
DPF name:
CLSID name: InstallShield Setup Player 2K2
Installer:
Codebase: http://www.ipswitch.com/_installs/wsftp_le/setup.exe
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{56336BCB-3D8A-11D6-A00B-0050DA18DE71} ()
DPF name:
CLSID name:
Installer:
Codebase: http://software-dl.real.com/03ac5fb28351af8f6f23/netzip/RdxIE601.cab
description: Netster
classification: Confirmed as malware
known filename:
info link:
info source:

{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_05
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_05\bin\
Long name: NPJPI150_05.dll
Short name: NPJPI1~1.DLL
Date (created): 8/26/2005 7:14:48 PM
Date (last access): 10/16/2006 2:19:54 PM
Date (last write): 8/26/2005 7:33:54 PM
Filesize: 69746
Attributes: archive
MD5: 52A85771BE18C9C00732F475A2C192AE
CRC32: 525AE3AD
Version: 5.0.50.5



--- Process list ---
PID: 0 ( 0) [System]
PID: 456 ( 4) \SystemRoot\System32\smss.exe
PID: 504 ( 456) \??\C:\WINDOWS\system32\csrss.exe
PID: 528 ( 456) \??\C:\WINDOWS\system32\winlogon.exe
PID: 572 ( 528) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 584 ( 528) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 752 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 820 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 888 ( 572) C:\Program Files\Windows Defender\MsMpEng.exe
size: 14032
MD5: E7E81C6BCD697F5921DF6D6781D2673D
PID: 948 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1044 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1120 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1468 ( 572) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1608 ( 572) C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
size: 336896
MD5: 9BF46D959F713D64C8FF3DE2B2437863
PID: 1644 ( 572) C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
size: 84480
MD5: 66093610FA61142F6BCFD83AFB7E8A29
PID: 1692 ( 572) C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
size: 49152
MD5: EB06EA2F55838814063837C113D54554
PID: 1716 ( 572) C:\WINDOWS\System32\nvsvc32.exe
size: 110659
MD5: 8FB3996085D399475BACE196CA981A0A
PID: 1756 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1776 ( 572) C:\WINDOWS\system32\wdfmgr.exe
size: 38912
MD5: AB0A7CA90D9E3D6A193905DC1715DED0
PID: 432 ( 572) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 1208 ( 948) C:\WINDOWS\system32\wuauclt.exe
size: 124184
MD5: EBF1AB7E4FC05CABF2F4680D2A45F827
PID: 1360 (1344) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 1828 (1360) C:\PROGRA~1\AVGFRE~1\avgcc.exe
size: 369664
MD5: 5FF72BB3DD3D7A206FBAB530DE76521A
PID: 1836 (1360) C:\Program Files\Windows Defender\MSASCui.exe
size: 777424
MD5: 3207BBA7A51043FF2C5D64DF4C3B6310
PID: 1676 (1360) C:\Program Files\Active Desktop Calendar\ADC.exe
size: 1683456
MD5: 8DE3A4CA47EF3EDF5446DFCB2DA75544
PID: 1768 (1360) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 1196 (1360) C:\Program Files\M-Audio MobilePre\MPTask.exe
size: 61440
MD5: A2840244D80197DD25C9FC68BB331B4D
PID: 1332 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 896 (1360) C:\Program Files\Post-it Lite\PsnLite.exe
size: 1622016
MD5: 606DC8DD862921B7F6EFB4D06256E809
PID: 3164 ( 896) C:\PROGRA~1\POST-I~1\PSNGive.exe
size: 65536
MD5: A0D5AFEEEB21A0FD9480165FBAAC0298
PID: 3168 (2632) C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
size: 2334720
MD5: 3FD1EE43138AF0786F3DDE71B7C72062
PID: 3200 (3168) C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
size: 2478080
MD5: BC0434DF65EA25EAAEFAAAB20F021CD1
PID: 3260 (1360) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7190637
MD5: 43658E87F7B183F2245491FBCC695E05
PID: 3584 (1360) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 10/16/2006 9:41:00 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page_bak
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com


--- Winsock Layered Service Provider list ---

md usa spybot fan
2006-10-28, 18:38
patrykrebisz:

Please show us what registry changes you are denying:
Go into Spybot > Mode > Advanced Mode > Tools > Resident > page (scroll) to the bottom of the listing and highlight a portion of the log that shows the registry changes that you are denying, then right click and select Copy. Paste the log entries (Ctrl+V) to another post in this thread.

Bowser05
2006-10-29, 21:51
The same thing has started happening to me recently too. I will post the log if I can open Spybot... it isn't letting me. On the actual little Resident box that keeps on popping up it says the following:

12:46 Registry change denied
Resident denied the change of {EF99BD32-C1FB-11D2-892F-0090271D4F88} (category Global browser toolbar) based on your black list

I don't know why I can't open Spybot; it let me earlier.
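An added example, written for this page rather than taken from Spybot or from any of the posters, that does two things a practitioner would want to do with the material in this thread: triage the CLSID blocks of a Spybot log like the one in the first post (flagging BHO or ActiveX entries that carry no name and sit directly in System32, or that Spybot already classifies as malware), and turn a TeaTimer "Registry change denied" notice like the one in the last post into the registry locations to inspect. The sample log text below is constructed from the entries posted above; the registry locations (the Browser Helper Objects key, the Internet Explorer Toolbar key with the CLSID as the value name, and HKCR\CLSID\{...}\InprocServer32) are this example's own assumptions about the Windows XP / IE6 layout, not something the thread states.

```python
import re

# Constructed sample input: BHO and ActiveX entries copied in shape from the
# Spybot log above, plus the Resident notice quoted in the last post.
# Added example, not Spybot's own code or a specification of its log format.
SAMPLE_LOG = """\
--- Browser helper object list ---
{4CA11008-B342-55B5-8056-6D5508F7784F} ()
BHO name:
CLSID name:
Path: C:\\WINDOWS\\System32\\
Long name: tvknvipr.dll

{67B7BE40-210B-4622-9CD2-FB2AE23BA583} ()
BHO name:
CLSID name:
Path: C:\\WINDOWS\\System32\\
Long name: oehn.dll

{AA58ED58-01DD-4d91-8333-CF10577473F7} ()
BHO name:
CLSID name:
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll

--- ActiveX list ---
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} ()
DPF name:
CLSID name:
Codebase: http://software-dl.real.com/03ac5fb28351af8f6f23/netzip/RdxIE601.cab
description: Netster
classification: Confirmed as malware
"""

RESIDENT_NOTICE = ("Resident denied the change of {EF99BD32-C1FB-11D2-892F-0090271D4F88} "
                   "(category Global browser toolbar) based on your black list")

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NOTICE_RE = re.compile(
    r"Resident denied the change of (?P<clsid>\{[^}]+\}) \(category (?P<category>[^)]+)\)")

# Assumed registry homes for the categories seen in this thread (Windows XP / IE6
# layout): BHOs are subkeys under the first key, toolbars are values named by
# CLSID under the second. Treat this mapping as the example's own assumption.
REGISTRY_HOMES = {
    "browser helper object list":
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects", "subkey"),
    "global browser toolbar":
        (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar", "value"),
}


def parse_log(text):
    """Return one dict per CLSID block in the log, tagged with its section name."""
    entries, section, cur = [], None, None
    for line in text.splitlines():
        if line.startswith("--- ") and line.endswith(" ---"):
            section, cur = line.strip("- ").lower(), None
            continue
        m = CLSID_RE.match(line)
        if m:
            cur = {"clsid": m.group(0), "section": section}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")      # "Long name: oehn.dll" -> ("long name", "oehn.dll")
            cur[key.strip().lower()] = val.strip()
    return entries


def triage(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    if entry.get("classification", "").lower().startswith("confirmed as malware"):
        reasons.append("Spybot classifies it as malware")
    named = any(entry.get(k) for k in ("bho name", "clsid name", "dpf name", "description"))
    if not named:
        reasons.append("no display name, CLSID name or known description")
    path = entry.get("path", "").lower().rstrip("\\")
    if not named and path.endswith("\\system32"):
        reasons.append("unnamed DLL dropped directly into System32: %s" % entry.get("long name", "?"))
    return reasons


def parse_resident_notice(line):
    """Pull the CLSID and category out of a TeaTimer 'Registry change denied' notice."""
    m = NOTICE_RE.search(line)
    return {"clsid": m.group("clsid"), "category": m.group("category")} if m else None


def registry_targets(clsid, category):
    """Registry locations to export and inspect for a CLSID in the given category."""
    targets = [r"HKCR\CLSID\%s\InprocServer32" % clsid]   # resolves the CLSID to its DLL on disk
    home = REGISTRY_HOMES.get(category.lower())
    if home:
        key, kind = home
        targets.append(key + "\\" + clsid if kind == "subkey" else "%s (value %s)" % (key, clsid))
    return targets


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        for r in triage(e):
            print(e["clsid"], "->", r)
            for t in registry_targets(e["clsid"], e["section"]):
                print("    inspect:", t)
    notice = parse_resident_notice(RESIDENT_NOTICE)
    print("\nResident notice for", notice["clsid"], "(%s):" % notice["category"])
    for t in registry_targets(notice["clsid"], notice["category"]):
        print("    inspect:", t)
```

Run as a script it prints the two unnamed System32 BHOs and the "Confirmed as malware" ActiveX control, then the keys to look at for the blocked toolbar CLSID. The useful part is the last step: a Resident notice only gives you a CLSID, and HKCR\CLSID\{...}\InprocServer32 is where that CLSID resolves to a DLL path, which is what identifies the component and tells you what to remove. A blank BHO name on its own is a hint, not proof; confirm by checking the file the CLSID points at before deleting anything.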