TechSpot

Spybot registry entry change detected/won't go away

By fnugen
Nov 7, 2004
  1. I keep getting a Spybot registry entry change that no matter what I do it keeps popping up every 30secs or so. It is a "Browser page" Entry--search bar problem. I have no idea how to rid my system of this. I've ran AVG and spybot with system restore off then reboot.......comes back. EVERY TIME !!! I have no idea how to find where this annoying thing is living and how to get rid of it. I deny changes but it keeps respelling itself with nothing that is even a word. How do I get rid of this without reformatting ?

    Thanks V
     
  2. Tarkus

    Tarkus TechSpot Ambassador Posts: 621

  3. Gunny

    Gunny TS Rookie Posts: 66

    What is the Registry entry?

    If it "it keeps popping up every 30secs or so" then it is very probably being recreated by a continuously running background process. Look in the Processes tab of Windows Task Manager and see if there is a process whose name matches or very nearly matches anything in the contents of the Registry entry.

    Also, find/download/run the free HijackThis utility. It is very good at finding things like this and letting you eliminate them.

    Other free utilities that you might want to look at are RegCleaner and RegCool - if you haven't already done so.

    HTH
     
  4. chiamt02

    chiamt02 TS Rookie

    Help needed with Search Bar entry

    Hi guys,

    I have a problem here and I need help badly. :(

    Recently my spybot keeps popping up this registry entry change and ask me if I want to accept or deny it.
    The entry is classified as such:-

    Category: Browser Page
    Change: Value change
    Entry: Search Bar
    Old data: www.setetyreutreyutr.com/werewtewtrgherty ...
    New data: www.qqerwertewtywreytrt.com/qweqqwerwtr ...

    A look at my task manager's running process shows nothing suspicious.
    However after running HijackThis v1.9.7.7 I get the following log:-

    Logfile of HijackThis v1.97.7
    Scan saved at 12:19:27 AM, on 11/25/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Spybot\TeaTimer.exe
    C:\Program Files\Maxthon\Maxthon.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Documents and Settings\Anot\Local Settings\Temporary Internet Files\Content.IE5\AT3CXCN6\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ajildirkgy.com/Hyi6TW4F8pJgi3WyhXYOL/wASHNf966MrsJan7RkNDVQuW_/XQOn3gGV9uG5g0DK.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theserverside.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.starhub.net.sg:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: (no name) - {6BFB0B39-E31C-2316-0995-04337D015230} - C:\DOCUME~1\Anot\APPLIC~1\OPTION~1\baitping.exe
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [ShareMonkey Speedup] C:\Program Files\Kazaa Lite\speed up.exe
    O4 - HKLM\..\Run: [EPSON Stylus C61 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C61 Series" /O5 "LPT1:" /M "Stylus C61"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [e-motional Wallpaper Manager] c:\windows\e-motional desktop wallpaper manager.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [internet grey bias acid] C:\Documents and Settings\All Users\Application Data\Browseplatforminternetgrey\BrowseLocks.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
    O4 - HKCU\..\Run: [AntiTest] C:\DOCUME~1\Anot\APPLIC~1\IDLEMP~1\Skip build.exe
    O4 - Startup: trillian.lnk = ?
    O4 - Global Startup: e-motional Desktop.lnk = C:\WINDOWS\e-motional Desktop Wallpaper Manager.exe
    O4 - Global Startup: Shortcut to NJCOM.lnk = C:\Program Files\NJStar Communicator\NJCOM.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
    O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Voiceglo directory (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://images.neopets.com/glophone/neopets4.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/24aaf44dcaf649bd2406/netzip/RdxIE2.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.117.31.131/activex/AxisCamControl.cab
    O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb5/comdlg32.cab


    I believe the entry in RED is the entry that is giving me this problem but after deleting it, it only take 30 secs before the entry is RE-created.
    This shows that there is a background process spawning it but I can't find and/or remove it.

    Please advise!
    Thanks

    Raymond
     
  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Follow the start-instructions for D/L and install from any of my other Begintosearch-posts.

    Uninstall Kazaa

    I would let HJT clean out all those O9 Extra buttons. They will come bach as and when you use the proper programs.

    Then run HJT and let it fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ajildirkgy.com/Hyi6TW4F8...GV9uG5g0DK.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theserverside.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = proxy.starhub.net.sg:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
    O2 - BHO: (no name) - {6BFB0B39-E31C-2316-0995-04337D015230} - C:\DOCUME~1\Anot\APPLIC~1\OPTION~1\baitping.exe
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [ShareMonkey Speedup] C:\Program Files\Kazaa Lite\speed up.exe
    O4 - HKLM\..\Run: [e-motional Wallpaper Manager] c:\windows\e-motional desktop wallpaper manager.exe
    O4 - HKLM\..\Run: [internet grey bias acid] C:\Documents and Settings\All Users\Application Data\Browseplatforminternetgrey\BrowseLocks.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [AntiTest] C:\DOCUME~1\Anot\APPLIC~1\IDLEMP~1\Skip build.exe
    O4 - Startup: trillian.lnk = ?
    O4 - Global Startup: e-motional Desktop.lnk = C:\WINDOWS\e-motional Desktop Wallpaper Manager.exe
    O4 - Global Startup: Shortcut to NJCOM.lnk = C:\Program Files\NJStar Communicator\NJCOM.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Voiceglo directory (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://images.neopets.com/glophone/neopets4.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...er.cab27571.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/24aaf44dcaf649...tzip/RdxIE2.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.117.31.131/activex/AxisCamControl.cab
    O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/c...DI/0/GDIChk.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab
    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...