Author Topic: "Registry entry has been changed" pop ups  (Read 6298 times)

Delighted

  • Guest
"Registry entry has been changed" pop ups
« on: April 03, 2009, 05:22:11 PM »
Last week, I got a pop up saying my real player needed to be updated in order to play a video I was trying to view on a website.  While it was updating, I got a pop up from my spybot search and destroy that this update was trying to change something in the registry.  I don't know enough about this, but I figured that since I was updating something, I should allow change.  (I don't know what it was that was about to be changed, I didn't write that down)

Well, since then, every time I turn on the computer, I get several pop ups-- I actually thought to write these down!  

"Spybot search and Destroy has detected an important registry entry that has been changed"

System start up global entry value detected
Entry: rmoc3260dll.Dcx
Old data: regsvr32exe/c (this is in C:windows\system\32\rm)

Then there's another from Spybot S&D

Entry: rpbrowserrecordplugin.dll.ocx
Old data: regsvr32.exe/s  (C:Program files\real\real)

I always click deny change.  And it comes up every time I start up the computer.

Here is what I have done so far:

First, I tried to run my Avast AV--It wouldn't even start--some pop up saying I couldn't use it.  I went to ADD/REMOVE in control panel, and it wouldn't remove--again, something about some file not being available.  (I'm sorry I didn't write these down at the time)

Second, I ran CCleaner, Spybot and Ad-aware.  
Those found some stuff that I got rid of (Put in the program's chests).  Some were high risk, but most were negligible risk.

After that, I was able to run my AV.  I did a deep scan.

After the scan was done, it said several files couldn't be scanned because they were password protected.  These were in Documents and Settings, and there were a lot of them-- I think the number was 190!  

As far as I know, I have not set up any files that are password protected!  I am the "Administrator" and this is a home use computer.

I'm sorry I didn't think to write any of these down before today, and if you need me to rerun any of the scans to find out what it says, I will do so. I don't know if you'd need this, but I will paste a copy of the HiJack This scan, too.

THANKS!!



ooops! I can't paste the HiJack this file, I got an error thingy saying I had exceeded the maximum allowed length in my post!


Oh yeah, one other thing I tried to do-- I tried to do a system restore to a date before I had done the Real Player upgrade, and I got some "unable to restore" type of message saying some file was missing.  Again, I didn't write that down-- I can go back and find out what it is if you need.

« Last Edit: April 03, 2009, 05:30:09 PM by Delighted »

micky77

  • Guest
Re: "Registry entry has been changed" pop ups
« Reply #1 on: April 03, 2009, 05:43:30 PM »
You can split your HJT log into several posts. Seeing as Spybot found something, then I would download MalwareBytes Antimalware, and SuperAntispyware. Download, install, update, then run quick scans with both. Report back the results ( copy/paste the logs )

http://filehippo.com/download_malwarebytes_anti_malware/

http://filehippo.com/download_superantispyware/

Did Avast find anything ?

Delighted

  • Guest
Re: "Registry entry has been changed" pop ups
« Reply #2 on: April 03, 2009, 09:25:46 PM »
Micky77, thanks for helping me.

I've been doing thorough scans with the programs you recommended.
I'll paste the results in several posts, because I don't know when I'd reach the maximum number of characters!  ::)  I'll post the Hijack this log, too.

No, the Avast scan didn't find anything, other than being unable to scan those "password protected" files. 

log file for Malware bytes:

Malwarebytes' Anti-Malware 1.35
Database version: 1938
Windows 5.1.2600 Service Pack 2

4/3/2009 2:19:55 PM
mbam-log-2009-04-03 (14-19-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 244833
Time elapsed: 59 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Delighted

  • Guest
Re: "Registry entry has been changed" pop ups
« Reply #3 on: April 03, 2009, 09:34:39 PM »
Logfile for Superantispyware:  Part 1

(I just cleared cookies yesterday or the day before!)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/03/2009 at 03:07 PM

Application Version : 4.26.1000

Core Rules Database Version : 3828
Trace Rules Database Version: 1784

Scan type       : Complete Scan
Total Scan Time : 00:38:56

Memory items scanned      : 544
Memory threats detected   : 0
Registry items scanned    : 6982
Registry threats detected : 0
File items scanned        : 32118
File threats detected     : 91

Adware.Tracking Cookie

Delighted

  • Guest
Re: "Registry entry has been changed" pop ups
« Reply #4 on: April 03, 2009, 09:35:46 PM »
Superantispyware log pt 2:


Delighted

  • Guest
Re: "Registry entry has been changed" pop ups
« Reply #5 on: April 03, 2009, 09:42:12 PM »
HiJack this log pt 1

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:05 PM, on 4/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Wireless\Wireless.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe

Delighted

  • Guest
Re: "Registry entry has been changed" pop ups
« Reply #6 on: April 03, 2009, 09:43:04 PM »
Hijackthis log pt 2:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StandardKeyboard] C:\WINDOWS\Wireless\Wireless.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\RunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "C:\WINDOWS\system32\rmoc3260.dll"
O4 - HKLM\..\RunOnce: [rpbrowserrecordplugin.dll OCX] regsvr32.exe /s "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9511 bytes


YoKenny

  • Guest
Re: "Registry entry has been changed" pop ups
« Reply #7 on: April 03, 2009, 09:46:12 PM »
@Delighted
It looks like you are still running XP SP2, and SP3, which has been available for almost a year, has several Critical Updates that need to be installed, so in IE go to Tools, then Windows Update, and install all detected updates.

Run Secunia Online Software Inspector to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Please post an updated HijackThis log split into two parts after you have completed the update.

There is a way to prevent those tracking cookies from installing and I'll show you how later.

micky77

  • Guest
Re: "Registry entry has been changed" pop ups
« Reply #8 on: April 03, 2009, 10:51:40 PM »
I have had a quick look at your HJT log ( I will look again tomorrow ) and can see no problems. There are two entries related to the files you mentioned:

O4 - HKLM\..\RunOnce: [rpbrowserrecordplugin.dll OCX] regsvr32.exe /s "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll"

O4 - HKLM\..\RunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "C:\WINDOWS\system32\rmoc3260.dll"

These appear to be legit realplayer files.

You have run the very best anti spyware/adware programs, all they have found is cookies, and a registry entry ( deleted ), which was probably a leftover from what spybot/adaware removed.

I am not too familiar with spybot, I used it long ago. These alerts are coming from the 'teatimer' which alerts to registry changes ( good and bad ).
In my personal opinion, I think you have allowed a registry change ( real player update ) and when spybot alerts on reboot, you deny the change, causing a repetitive loop. ( I remember something similar, when I used spybot )
Anyway, sorry to ramble. My real concern is you say Avast would not run for a period.
So for peace of mind, please run online scans with Kaspersky and Eset ( nod ). You may have to install activex software ( perfectly safe ).
You could also post on the spybot forum if you wish.

http://www.kaspersky.co.uk/virusscanner

http://www.eset.com/onlinescan/

Please post back the results

Also your java is outdated, please update ( java can be a serious security flaw )
« Last Edit: April 03, 2009, 11:23:36 PM by micky77 »
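
The by-eye triage in Reply #8, as an added example that is not part of the original thread: a Python sketch that parses HijackThis `O4` autostart lines, extracts the DLL each `regsvr32` RunOnce entry registers, and lists `(no file)` leftovers. The sample lines are taken from the log posted above; the function names and the two heuristics in `triage` are assumptions of this example, not verdicts.

```python
import re
from typing import NamedTuple, Optional

# Selection of lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\RunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "C:\WINDOWS\system32\rmoc3260.dll"
O4 - HKLM\..\RunOnce: [rpbrowserrecordplugin.dll OCX] regsvr32.exe /s "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
'''

# Registry-based O4 lines only; "Global Startup" shortcut lines are skipped.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
REGSVR_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"]*\\)?regsvr32(?:\.exe)?"?\s+(?P<args>.+)$', re.I)
SWITCH_RE = re.compile(r'(?:^|\s)[/-][a-z](?::\S*)?(?=\s|$)', re.I)
# Heuristic (assumption of this example): where installed software normally lives.
EXPECTED_DIRS = ('c:\\windows\\', 'c:\\program files\\')


class Autostart(NamedTuple):
    hive: str
    key: str
    name: str
    command: str
    dll: Optional[str]  # file handed to regsvr32, if the command is a registration


def regsvr32_target(command: str) -> Optional[str]:
    """Return the file a regsvr32 command line registers, or None."""
    m = REGSVR_RE.match(command.strip())
    if not m:
        return None
    # Drop switches such as /s or /u, then the quotes around the path.
    rest = SWITCH_RE.sub(' ', m.group('args')).strip().strip('"')
    return rest or None


def parse_o4(log: str) -> list:
    """Parse the registry autostart (O4) lines of a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            cmd = m['cmd'].strip()
            entries.append(Autostart(m['hive'], m['key'], m['name'], cmd,
                                     regsvr32_target(cmd)))
    return entries


def triage(entry: Autostart) -> list:
    """Notes a reviewer would want next to an entry; heuristics only."""
    notes = []
    if entry.key.lower().startswith('runonce'):
        notes.append('one-shot: Windows removes the value once it is processed')
    if entry.dll:
        notes.append('registers ' + entry.dll)
        base = entry.dll.rsplit('\\', 1)[-1].lower()
        if base not in entry.name.lower():
            notes.append('value name does not mention the DLL')
        if not entry.dll.lower().startswith(EXPECTED_DIRS):
            notes.append('DLL outside Windows/Program Files')
    return notes


def orphaned(log: str) -> list:
    """CLSIDs of O2/O3 lines that HijackThis reports as '(no file)'."""
    pat = re.compile(r'^O[23] - .*?(\{[0-9A-Fa-f-]{36}\}) - \(no file\)$')
    lines = (line.strip() for line in log.splitlines())
    return [m.group(1) for m in map(pat.match, lines) if m]


if __name__ == '__main__':
    for e in parse_o4(SAMPLE_LOG):
        print(e.hive, e.key, e.name, triage(e))
    print('orphaned CLSIDs:', orphaned(SAMPLE_LOG))
```

Both RealPlayer RunOnce entries come back as registrations of DLLs in the expected install locations with matching value names, which is the same reading given in Reply #8.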