
Strange RegKey


JohnDemolition


You should post a HJT log. I don't know a lot, but I know that's funky. ;)

Windows Pro Media 8.1 x64  |  8GB Ram  |  500G HDD 7200 RPM  |  All  that I know about my graphics is that it's Intel  :)


There's really no point because my computer is very protected :P but since you asked,

Logfile of HijackThis v1.99.1
Scan saved at 11:55:11 AM, on 3/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Downloads\Programs and Misc\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Downloads\Programs and Misc\ObjectDock\ObjectDock.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Opera\Opera.exe
C:\Downloads\Programs and Misc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Downloads\Programs and Misc\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Downloads\Programs and Misc\ObjectDock\ObjectDock.exe
O4 - Startup: WhatPulse.lnk = C:\Program Files\WhatPulse\WhatPulse.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126397185109
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} (Java Plug-in) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I meant in the HJT thread silly! :)

 

Did you manually look in your registry for it? Was it there?


I've already answered that last question in my first post ;)

 

No you didn't. You said that your other registry cleaners can't find it. Did you go into your registry and look for that key?


It doesn't make much sense that CCleaner would detect it and not be able to remove it, and I think it's redundant to tell you to "make sure you're using an admin account" because you most likely already know that. What's really strange is that using RegEdit you can't see it. When you stated that RegSeeker can't find it, were you talking about using its registry cleaning portion, or its search registry function?

 

You may want to try Sysinternals RootkitRevealer, since it will find some malformed registry entries whether they are rootkit based or not; getting rid of what it finds is a whole other matter.

No you didn't. You said that your other registry cleaners can't find it. Did you go into your registry and look for that key?

 

Ummm, yeah, I did. Just so you know, regedit is the tool made by Microsoft to browse the registry. I believe I have already stated that it can't find it ;).

 

@Andvari: I pretty much mean every program besides CCleaner can't find it; even other registry cleaners.

As for the RootkitRevealer, I'll try it.

Hi John

 

Here are a few options that may help.

 

First, disable Spybot's TeaTimer as it could interfere with fixing entries. (Right-click the TeaTimer icon in the system tray and choose Exit. It will come back on after the next startup.)

 

Try CCleaner again and see if it can remove the entry.

If not, open Notepad and save the next part into it:

 

 

regedit /e Look.txt "HKEY_CLASSES_ROOT\?"
notepad Look.txt

 

 

Press File from the top bar of Notepad and choose 'Save As', name it Find.bat, change the 'Save as type' to All Files, then save it to your desktop.

 

Double-click Find.bat to run the batch script. If it displays 'Cannot find the Look.txt file' then it doesn't exist; if Notepad opens and displays some registry values then it does exist.

 

Assuming it does exist, open Notepad again and save this into it, making REGEDIT4 the top line in Notepad (the blank line after it is part of the format):

 

 

REGEDIT4

[-HKEY_CLASSES_ROOT\?]

 

 

Save it as type 'All Files' again and this time call it Remove.reg, then save it to your desktop. Double-click Remove.reg and allow it to be merged into the Registry.

 

If you saved the first batch file to your desktop and it found the entry then there will be a text file called Look.txt. Delete this file and then run Find.bat again. If the regfix worked it should then show 'Look.txt cannot be found'. To confirm it was removed, run CCleaner on Issues again to make sure it doesn't show in the scan.

 

If the batch file finds the reg entry again after using the regfix then it means the permissions need looking at on that reg key to give Full Control to Administrators, but I can explain that in more detail if the entry does exist and cannot be removed.

 

Regarding your HijackThis log, these can be fixed:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in) -

O16 - DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} (Java Plug-in) -

 

Your proxy server settings also look a bit strange, as they don't specify the proxy address or the port number, but I've left that off the list as it may be genuine. You would probably know better about the proxy settings in place on your system, so I will leave that one for you to decide :)

 

The R1 entries are from Yahoo, but you are being redirected when you use the Search Bar. Red Client Apps is Red Sheriff, so they should be removed. You can read more about Red Sheriff here & here.

 

Hope that helps

 

Andy

I've already answered that last question in my first post ;)

 

Yeah, I'm a dork. I didn't pay close attention obviously. :P


I just wanted to say that's a darn good tip! :)

Hi Andavari, it does make things a lot faster and saves having to manually search the registry, so I thought it may be useful here. As I'm sure you already know, it can be used to export any key from the registry. Another which is useful is to check the Run keys:

 

regedit /e HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
copy HKLMRun.txt + HKCURun.txt = Run.txt
del /q HKLMRun.txt
del /q HKCURun.txt
notepad Run.txt
del /q Run.txt

 

If you want to keep the text file it creates then remove the last line (del /q Run.txt).

 

@John

 

If you need more help, let us know what happens when you run the batch file. I created the key on my own system yesterday to make CCleaner find the exact same entry as yours. The batch file shows it the first time, but after running the regfix neither CCleaner nor the batch file finds the key. You should also be running them with the Admin account in case there are any restrictions on that registry key.
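Added example (not from the thread, and not Andy's batch files): a small Python parser for the text that regedit /e writes, so that Look.txt or Run.txt can be reviewed offline instead of by eye. It reads the REGEDIT4 key/value format, recognises the [-Key] deletion form used in Remove.reg, and flags Run entries that launch from outside Windows or Program Files, or by bare file name. The sample export is constructed from the posted O4 lines plus an invented "Updater" entry, and the trusted-folder list is an assumption.

```python
import re

# Constructed sample of what the thread's Run-key batch (regedit /e ... \Run) writes.
# Entries mirror the posted HijackThis O4 lines; "Updater" is invented for illustration.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"nwiz"="nwiz.exe /install"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\\Downloads\\Programs and Misc\\TaskSwitchXP\\TaskSwitchXP.exe"
"Updater"="\"C:\\Documents and Settings\\John\\Local Settings\\Temp\\upd.exe\" /silent"
'''
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")  # assumed normal install locations

def parse_export(text):
    """Parse a regedit export into {key: {value_name: data}} (REG_SZ values only; a
    [-Key] line, the deletion form used by Remove.reg, maps that key to None)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[-") and line.endswith("]"):
            keys[line[2:-1]], current = None, None
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)):
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]  # regedit writes REG_SZ quoted, with \ doubled and " escaped
            current[(m.group(1) or "").replace('\\\\', '\\')] = data.replace('\\"', '"').replace('\\\\', '\\')
    return keys

def exe_of(command):
    """Program a Run value launches: the quoted path, else the text up to the first '.exe'."""
    c = command.strip()
    if c.startswith('"'):
        return c[1:c.find('"', 1)]
    m = re.match(r'(.*?\.exe)\b', c, re.I)
    return m.group(1) if m else c.split(" ")[0]

def review_autostarts(text):
    """Flag Run entries whose program is outside the trusted folders or given by bare name."""
    findings = []
    for key, values in parse_export(text).items():
        if not values or not key.lower().endswith("\\run"):
            continue
        for name, data in values.items():
            exe = exe_of(data)
            if "\\" not in exe:
                findings.append((key, name, "bare file name, resolved through PATH"))
            elif not exe.lower().startswith(TRUSTED_PREFIXES):
                findings.append((key, name, "runs from " + exe))
    return findings
```

Feed it the Run.txt (or Look.txt) the batch file leaves behind; on XP regedit /e writes UTF-16, so open the file with encoding="utf-16" before passing the text in.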
