Thread: Help with registry changes please

  1. #1
    Junior Member
    Join Date: Jun 2007
    Posts: 1

    Help with registry changes please

    Hi, a few days ago my explorer started to pop up while surfing; its name was changed to Viva TermeX, and the S&D scan told me it was Zinblog.
    S&D wasn't able to kill it and I found more problems with registry changes.
    I have no protection installed, HouseCall doesn't work and I can't update Windows SP2 to SP4.
    I deleted the svchost Zinblog had made from my system folder yesterday as a wild guess, but still have the 2 registry changes and maybe more.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig!=0
    HKEY_USERS\S-1-5-21-448539723-484763869-1957994488-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun!=W=0

    I'm already backing up some data now and preparing for a format, since my Windows 2000 has errors as well and wasn't properly installed in the first place.
    Can you give me advice on what to try next, please?
    Thanks, wikki

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:07:42, on 8-6-2007
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    Boot mode: Normal

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\system32\spoolsv.exe
    D:\WINNT\System32\svchost.exe
    D:\WINNT\system32\regsvc.exe
    D:\WINNT\system32\MSTask.exe
    D:\WINNT\System32\WBEM\WinMgmt.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\Explorer.EXE
    D:\WINNT\system32\notepad.exe
    D:\WINNT\system32\notepad.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\incomin\up200\new up200\HiJackThis_v2.0.0.0.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - S-1-5-21-448539723-484763869-1957994488-1000 Startup: Publieke Omroeplezer.lnk = D:\Program Files\Publieke Omroeplezer\Polezer.exe (User '?')
    O4 - Startup: Publieke Omroeplezer.lnk = D:\Program Files\Publieke Omroeplezer\Polezer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINNT\system32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINNT\system32\browseui.dll
    O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe

  2. #2
    Emeritus
    Join Date: Nov 2005
    Location: @localhost
    Posts: 6,066

    hi wikki,

    you should be using the non-beta version of hjt, but at this point it doesn't really matter. for the malware you might have -- i would download, install, update and scan with one of these below (not both) or just go through with your reformat and start over clean, may solve all the problems. a reformat can do wonders for a computer.

    i think these will work with windows2000:

    superantispyware:
    http://www.superantispyware.com/

    avg antispyware:
    http://free.grisoft.com/doc/20/lng/us/tpl/v5
    ------------------------------------
    since you don't have antivirus (it is possible to be ok without it if you practice safe hex)
    you really should also download, install, update and scan with AVG antivirus:

    http://free.grisoft.com/doc/2/lng/us/tpl/v5

    shelf life
    How Can I Reduce My Risk?
