Author Topic: Registry Problems

bcfcmeerkat

  • Guest
Registry Problems
« on: April 02, 2009, 03:12:05 PM »
Can someone help me? I have just done a scan and it found 2 problems, which I sent to the virus chest. I then did one with MALWAREBYTES and it came up with this, but it will not delete these problems on reboot. Here is a copy of my scans and logs.

Thank You

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:10:15, on 02/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Users\Paul\AppData\Roaming\MICROS~1\dllhst3g.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=1008&m=aspire_7730
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoby.net/sb/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=1008&m=aspire_7730
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Paul\AppData\Roaming\MICROS~1\dllhst3g.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [O2Start] C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\AppData\Local\Temp\logman.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [ComRepl] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\comrepl.exe /waitservice
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\logman.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\logman.exe /waitservice (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E8D0ED8-EDBB-4F79-8A87-CB2D7A5DCF0E}: NameServer = 82.132.136.102 82.132.136.103
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

--
End of file - 9031 bytes



micky77

  • Guest
Re: Registry Problems
« Reply #1 on: April 02, 2009, 05:16:23 PM »
Can you post the names and locations of the 2 files sent to the chest, and also can you copy/paste the MBAM scan (which can be found if you open MBAM and click on Logs)?

bcfcmeerkat

  • Guest
Re: Registry Problems
« Reply #2 on: April 02, 2009, 05:30:48 PM »
Here is my Malwarebytes log.

Malwarebytes' Anti-Malware 1.35
Database version: 1932
Windows 6.0.6001 Service Pack 1

02/04/2009 13:38:40
mbam-log-2009-04-02 (13-38-25).txt

Scan type: Quick Scan
Objects scanned: 58794
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{08165ea0-e946-11cf-9c87-00aa005127ed} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7d559c10-9fe9-11d0-93f7-00aa0059ce02} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7fc0b86e-5fa7-11d1-bc7c-00c04fd929db} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{abbe31d0-6dae-11d0-beca-00c04fd940be} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f5175861-2688-11d0-9c5e-00aa00a45957} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IEudinit (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Paul\AppData\Local\Temp\ieudinit.exe (Trojan.Agent) -> No action taken.

bcfcmeerkat

  • Guest
Re: Registry Problems
« Reply #3 on: April 02, 2009, 05:33:40 PM »
Where can I find my scan logs please?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Registry Problems
« Reply #4 on: April 02, 2009, 05:42:13 PM »
Where can I find my scan logs please?
The reports of scanning in Home version are available only when the interface (skin) is opened and running.
The logs can be accessed at the 'a' blue icon on system tray (Log Viewer).
The best things in life are free.

micky77

  • Guest
Re: Registry Problems
« Reply #5 on: April 02, 2009, 05:44:29 PM »
I've been trying to determine if the entries

HKLM\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\AppData\Local\Temp\logman.exe /waitservice

HKCU\..\Policies\Explorer\Run: [ComRepl] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\comrepl.exe /waitservice

HKUS\S-1-5-18\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\logman.exe /waitservice

HKUS\.DEFAULT\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\logman.exe /waitservice

Google didn't really help, but now you have mentioned IEudinit (Trojan.Agent), a lot of the info for logman.exe and comrepl.exe is associated with this trojan, although logman and comrepl are also legit Vista files.

I will do some more digging (you can too if you like).

According to the MBAM log you did not fix those items; is that the case?

micky77

  • Guest
Re: Registry Problems
« Reply #6 on: April 02, 2009, 10:09:53 PM »
After a lot of googling, I think those 4 entries are related to ieudinit.exe. First I would try and fix the findings of MBAM. If they return, I would boot in safe mode, using the F8 key method, and run MBAM in safe mode. You may want to consider using other programs, like SAS http://www.superantispyware.com/ and DRWEB CureIt http://www.freedrweb.com/cureit/, especially in safe mode. Also, you have not named the 2 threats found by Avast, so do a boot time scan http://www.digitalred.com/avast-boot-time.php

If all this fails, then I would fix the following entries in HijackThis:

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll

O4 - HKLM\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\AppData\Local\Temp\logman.exe /waitservice

O4 - HKCU\..\Policies\Explorer\Run: [ComRepl] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\comrepl.exe /waitservice

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\logman.exe /waitservice (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\logman.exe /waitservice (User 'Default user')

Then run all the above programs, and post back.

bcfcmeerkat

  • Guest
Re: Registry Problems
« Reply #7 on: April 05, 2009, 02:15:09 PM »
I am sorry it took so long to get back, but here are the results of the last scans.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/05/2009 at 12:44 PM

Application Version : 4.26.1000

Core Rules Database Version : 3829
Trace Rules Database Version: 1785

Scan type       : Quick Scan
Total Scan Time : 00:26:09

Memory items scanned      : 775
Memory threats detected   : 0
Registry items scanned    : 489
Registry threats detected : 0
File items scanned        : 19342
File threats detected     : 4

Adware.Tracking Cookie
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\paul@doubleclick[1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\paul@atdmt[1].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\paul@serving-sys[2].txt
   C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Cookies\paul@bs.serving-sys[1].txt

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 6.0.6001 Service Pack 1

05/04/2009 12:52:42
mbam-log-2009-04-05 (12-52-42).txt

Scan type: Quick Scan
Objects scanned: 59764
Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\comrepl (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Paul\Local Settings\Application Data\comrepl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\mstinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.

micky77

  • Guest
Re: Registry Problems
« Reply #8 on: April 05, 2009, 02:26:17 PM »
That's good. Did MBAM find those infected files because you fixed the entries with HJT?
Also, your new HJT log still has some entries to fix. Did you do the HJT log before or after the MBAM findings?

bcfcmeerkat

  • Guest
Re: Registry Problems
« Reply #9 on: April 05, 2009, 02:41:51 PM »
I did the SUPERAntiSpyware scan a couple of times first to clear those files. Then I did the MBAM scan, then the HJT scan after.

micky77

  • Guest
Re: Registry Problems
« Reply #10 on: April 05, 2009, 02:47:08 PM »
There is one entry:
   F3 - REG:win.ini: load=C:\Users\Paul\AppData\Roaming\mstinit.exe

Mstinit.exe can be a legit file, although it's not required at start up. However, it can be related to the things MBAM found. Can you fix the 2 items, then post another HJT log? It may be the case that this thing will need more powerful tools to remove.

F3 - REG:win.ini: load=C:\Users\Paul\AppData\Roaming\mstinit.exe

BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll


Mr.Agent

  • Guest
Re: Registry Problems
« Reply #11 on: April 05, 2009, 02:53:31 PM »
The exe you mentioned doesn't look like a virus http://www.processlibrary.com/directory/files/mstinit/ :) Google exists, yeah xD

micky77

  • Guest
Re: Registry Problems
« Reply #12 on: April 05, 2009, 02:55:17 PM »
Actually, looking at your first HJT log, there was an entry:

F3 - REG:win.ini: load=C:\Users\Paul\AppData\Roaming\MICROS~1\dllhst3g.exe

Once again, dllhst3g.exe can be a legit file; however, if you look at the prevx link

http://www.prevx.com/filenames/X2844879228753338076-X1/DLLHST3G2EEXE.html

you will see DLLHST3G.EXE, MSTINIT.EXE, LOGMAN.EXE, IEUDINIT.EXE and COMREPL.EXE are all related.
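Several posts in this thread hinge on the same two signals: an unusual launch point (a Policies\Explorer\Run key or a win.ini load= entry) and a Windows-looking file name running from a user profile directory rather than from \Windows. The following is an added example, not code from any poster, that scans HijackThis-style O4/F3 lines for exactly those signals; the sample lines are copied from the logs above, while the regexes, the directory tokens and the list of legitimate names are assumptions of this example.

```python
import re

# Constructed sample: HijackThis lines taken from the logs posted in this thread.
SAMPLE_LOG = [
    r"F3 - REG:win.ini: load=C:\Users\Paul\AppData\Roaming\MICROS~1\dllhst3g.exe",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\AppData\Local\Temp\logman.exe /waitservice",
    r"O4 - HKCU\..\Policies\Explorer\Run: [ComRepl] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\comrepl.exe /waitservice",
    r"O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Logman] C:\Users\Paul\LOCALS~1\APPLIC~1\MICROS~1\logman.exe /waitservice (User 'SYSTEM')",
    r"O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] " + '"C:\\Program Files\\Malwarebytes\' Anti-Malware\\mbam.exe" /runcleanupscript',
]

# Line shapes for O4 (registry Run keys) and F3 (win.ini load=/run=) entries (assumed from the log format).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: (?P<key>load|run)=(?P<cmd>.+)$", re.I)
# First token of the command: a quoted path, or an unquoted path up to the first .exe.
PATH_RE = re.compile(r'"(?P<q>[^"]+)"|(?P<u>\S.*?\.exe)', re.I)

# Directory fragments that mark user-writable profile locations (long and 8.3 short forms).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\local settings\\",
                 "\\application data\\", "\\applic~1\\", "\\locals~1\\")
# Names the thread notes can also be legitimate Windows files; suspicious only outside \Windows.
WINDOWS_NAMES = {"logman.exe", "comrepl.exe", "mstinit.exe"}


def extract_path(cmd):
    m = PATH_RE.match(cmd)
    return (m.group("q") or m.group("u")).strip() if m else None


def assess(line):
    """Return (launch_point, path, reasons) for an O4/F3 line, or None for any other line."""
    m = O4_RE.match(line) or F3_RE.match(line)
    if not m:
        return None
    path = extract_path(m.group("cmd"))
    if not path:
        return None
    launch = m.group("hive") if "hive" in m.groupdict() else "win.ini " + m.group("key") + "="
    reasons = []
    if "policies\\explorer\\run" in launch.lower():
        reasons.append("Policies\\Explorer\\Run launch point (rarely used by legitimate software)")
    if launch.lower().startswith("win.ini"):
        reasons.append("win.ini load=/run= launch point (legacy, rarely used legitimately)")
    low = path.lower()
    if any(tok in low for tok in USER_WRITABLE):
        reasons.append("binary lives in a user-writable profile directory")
    base = low.rsplit("\\", 1)[-1]
    if base in WINDOWS_NAMES and "\\windows\\" not in low:
        reasons.append(base + " is a Windows file name but is not under \\Windows")
    return launch, path, reasons


def triage(lines):
    """Map each flagged binary path to its list of reasons; clean entries are omitted."""
    flagged = {}
    for line in lines:
        result = assess(line)
        if result and result[2]:
            flagged[result[1]] = result[2]
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

Entries that are flagged on more than one signal (such as logman.exe launched from Policies\Explorer\Run out of \Temp) are the ones worth fixing first and submitting to the scanners named in the thread.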

Mr.Agent

  • Guest
Re: Registry Problems
« Reply #13 on: April 05, 2009, 02:57:00 PM »
I agree with micky now.

bcfcmeerkat

  • Guest
Re: Registry Problems
« Reply #14 on: April 05, 2009, 03:19:20 PM »
Just deleted those two files in HJT, then I had this warning from AVAST come up. I ignored it as I did not know what to do. Hope you can advise, and here is a copy of the new HJT log after.

Thank You