CCleaner is reporting an error in the registry and offering to fix it, but each time I fix it, it just shows up again in the next scan. So I took a look in regedit and yes - one can't delete it.
The file Flash9b.ocx does not even exist anyway. I also tried ending all applications, finally even Explorer, so regedit was the only application running - yet I was still unable to remove this registry entry.
Anyone got a clue why?
I took a look using Process View and there are no hidden processes anyway. Runscanner is not reporting anything suspicious either.
And the problem persists, so here is the HijackThis log. Fairly small, right? IE is removed completely from my system, so no worries about it.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:46:44, on 27.4.2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\explorer.exe
D:\Tools\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - S-1-5-21-436374069-1677128483-839522115-500 Startup: network_passwords.lnk = D:\Install\network_passwords.bat (User '?')
O4 - S-1-5-21-436374069-1677128483-839522115-500 Startup: Folding.lnk = D:\Tools\folding\winFAH.exe (User '?')
O4 - Startup: network_passwords.lnk = D:\Install\network_passwords.bat
O4 - Startup: Folding.lnk = D:\Tools\folding\winFAH.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{299ADB4A-0E73-4CC7-87FE-750E65FB05B9}: NameServer = 82.114.192.15,82.114.192.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{299ADB4A-0E73-4CC7-87FE-750E65FB05B9}: NameServer = 82.114.192.15,82.114.192.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{299ADB4A-0E73-4CC7-87FE-750E65FB05B9}: NameServer = 82.114.192.15,82.114.192.6
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NetMeeting - Vzdálené sdílení plochy (mnmsrvc) - Unknown owner - C:\WINNT\System32\mnmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
--
End of file - 1959 bytes
network_passwords.bat contains:
net use \\server\D /user:trodas xxx
net use \\trodas-jlx\D /user:trodas xxx
net use \\webserver\D /user:trodas xxx
net use \\testing\D /user:trodas xxx
net use \\testing2\D /user:trodas xxx
net use \\testing3\D /user:trodas xxx
net use \\testing4\D /user:trodas xxx
net use \\testing5\D /user:trodas xxx
net use \\duron\D /user:ivanka ""
net use \\jlx-comp\D /user:jlx ""
net use \\jlx-comp2\D /user:jlx ""
net stop "Network DDE"
net stop "Network DDE DSDM"
net stop PnkBstrB
net stop PnkBstrA
Very secure passwords
PS: added Runscanner log, just to be sure.
Edited by trodas, 27 April 2008 - 12:17 PM.