Spybot registry entry change detected/won't go away

[fnugen]

I keep getting a Spybot registry entry change that no matter what I do it keeps popping up every 30secs or so. It is a "Browser page" Entry--search bar problem. I have no idea how to rid my system of this. I've ran AVG and spybot with system restore off then reboot.......comes back. EVERY TIME !!! I have no idea how to find where this annoying thing is living and how to get rid of it. I deny changes but it keeps respelling itself with nothing that is even a word. How do I get rid of this without reformatting ?

Thanks V

 

[Tarkus]

well Google led me to this. They seem big on the problem so you may want to read through and follow some of their links...

http://forums.net-integration.net/index.php?showtopic=21571

 

[Gunny]

What is the Registry entry?

If it "it keeps popping up every 30secs or so" then it is very probably being recreated by a continuously running background process. Look in the Processes tab of Windows Task Manager and see if there is a process whose name matches or very nearly matches anything in the contents of the Registry entry.

Also, find/download/run the free HijackThis utility. It is very good at finding things like this and letting you eliminate them.

Other free utilities that you might want to look at are RegCleaner and RegCool - if you haven't already done so.

HTH

 

[chiamt02]

Help needed with Search Bar entry

Hi guys,

I have a problem here and I need help badly.

Recently my spybot keeps popping up this registry entry change and ask me if I want to accept or deny it.
The entry is classified as such:-

Category: Browser Page
Change: Value change
Entry: Search Bar
Old data: www.setetyreutreyutr.com/werewtewtrgherty ...
New data: www.qqerwertewtywreytrt.com/qweqqwerwtr ...

A look at my task manager's running process shows nothing suspicious.
However after running HijackThis v1.9.7.7 I get the following log:-

Logfile of HijackThis v1.97.7
Scan saved at 12:19:27 AM, on 11/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Documents and Settings\Anot\Local Settings\Temporary Internet Files\Content.IE5\AT3CXCN6\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ajildirkgy.com/Hyi6TW4F8pJgi3WyhXYOL/wASHNf966MrsJan7RkNDVQuW_/XQOn3gGV9uG5g0DK.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theserverside.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.starhub.net.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {6BFB0B39-E31C-2316-0995-04337D015230} - C:\DOCUME~1\Anot\APPLIC~1\OPTION~1\baitping.exe
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [ShareMonkey Speedup] C:\Program Files\Kazaa Lite\speed up.exe
O4 - HKLM\..\Run: [EPSON Stylus C61 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C61 Series" /O5 "LPT1:" /M "Stylus C61"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [e-motional Wallpaper Manager] c:\windows\e-motional desktop wallpaper manager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [internet grey bias acid] C:\Documents and Settings\All Users\Application Data\Browseplatforminternetgrey\BrowseLocks.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [AntiTest] C:\DOCUME~1\Anot\APPLIC~1\IDLEMP~1\Skip build.exe
O4 - Startup: trillian.lnk = ?
O4 - Global Startup: e-motional Desktop.lnk = C:\WINDOWS\e-motional Desktop Wallpaper Manager.exe
O4 - Global Startup: Shortcut to NJCOM.lnk = C:\Program Files\NJStar Communicator\NJCOM.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Voiceglo directory (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://images.neopets.com/glophone/neopets4.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/24aaf44dcaf649bd2406/netzip/RdxIE2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.117.31.131/activex/AxisCamControl.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb5/comdlg32.cab


I believe the entry in RED is the entry that is giving me this problem but after deleting it, it only take 30 secs before the entry is RE-created.
This shows that there is a background process spawning it but I can't find and/or remove it.

Please advise!
Thanks

Raymond

 

[RealBlackStuff]

Follow the start-instructions for D/L and install from any of my other Begintosearch-posts.

Uninstall Kazaa

I would let HJT clean out all those O9 Extra buttons. They will come bach as and when you use the proper programs.

Then run HJT and let it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ajildirkgy.com/Hyi6TW4F8...GV9uG5g0DK.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theserverside.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = proxy.starhub.net.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: (no name) - {6BFB0B39-E31C-2316-0995-04337D015230} - C:\DOCUME~1\Anot\APPLIC~1\OPTION~1\baitping.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [ShareMonkey Speedup] C:\Program Files\Kazaa Lite\speed up.exe
O4 - HKLM\..\Run: [e-motional Wallpaper Manager] c:\windows\e-motional desktop wallpaper manager.exe
O4 - HKLM\..\Run: [internet grey bias acid] C:\Documents and Settings\All Users\Application Data\Browseplatforminternetgrey\BrowseLocks.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AntiTest] C:\DOCUME~1\Anot\APPLIC~1\IDLEMP~1\Skip build.exe
O4 - Startup: trillian.lnk = ?
O4 - Global Startup: e-motional Desktop.lnk = C:\WINDOWS\e-motional Desktop Wallpaper Manager.exe
O4 - Global Startup: Shortcut to NJCOM.lnk = C:\Program Files\NJStar Communicator\NJCOM.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Voiceglo directory (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://images.neopets.com/glophone/neopets4.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...er.cab27571.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/24aaf44dcaf649...tzip/RdxIE2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.117.31.131/activex/AxisCamControl.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/c...DI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb5/comdlg32.cab