Spy Axe


9 replies to this topic

#1 math.u

Posted 12 December 2005 - 11:58 AM

Logfile of HijackThis v1.99.1
Scan saved at 16:51:57, on 12/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microfost Windows update] dngcdvj.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E13385F-E9D2-4BBA-9EC7-149798FBDF46}: NameServer = 194.72.9.38 194.74.65.68
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E13385F-E9D2-4BBA-9EC7-149798FBDF46}: NameServer = 194.72.9.38 194.74.65.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 Guest_Cretemonster_*

Posted 14 December 2005 - 05:32 PM

Hi math.u and Welcome to the Bleeping Computer!


Download SpyAxeFix.exe by noahdfear, and save it to your desktop.
  • Close all other programs and windows.
  • Double click SpyAxeFix.exe, then click Start to extract the tool to its own folder.
  • Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool.
  • At one point when the tool runs, your taskbar will disappear, and your computer will restart when the tool completes.
  • A text file named spyaxe.txt will be created in the SpyAxeFix folder.
  • Post the contents of that log please.

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2k.net/search.php?qq=%1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKCU\..\Run: [Microfost Windows update] dngcdvj.exe

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab

O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button

Make sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Locate and Delete if found

C:\WINDOWS\System32\vbsys2.dll


Open the Search Assistant(Click Start-> Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced Options

Now under All Files and Folders,enter this into the text box:

dngcdvj.exe <- Delete all instances found that match exactly.


Still in Safe Mode-> From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply->Close->Follow the Prompts to Restart

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from WinPFind-> Panda and spyaxe.txt
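
The selection made in post #2, restated as log-triage heuristics (an added example, not part of the original posts and not HijackThis or forum tooling). The three rules and all function names are assumptions chosen here; they flag candidates for review rather than verdicts, and they also catch the MSN toolbar entry with a missing file, which the post does not select. The sample lines are copied from the log in post #1.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "O4"
    body: str  # text after "CODE - "

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
# Sections that register a component by CLSID plus a file on disk.
MISSING_FILE_CODES = {"O2", "O3", "O18", "O20", "O21"}

def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for 'R1 - ...' / 'O16 - ...' lines, None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m.group(1), m.group(2)) if m else None

def review_reasons(entry: Entry) -> List[str]:
    """Assumed heuristics: each reason marks the entry for a closer look."""
    reasons = []
    if entry.code == "O16":
        # The download source is the last ' - ' separated field.
        source = entry.body.rsplit(" - ", 1)[-1].strip()
        if source.lower().startswith("file://"):
            reasons.append("ActiveX source is a local file")
        elif RAW_IP_URL.match(source):
            reasons.append("ActiveX source is a bare IP address")
    if entry.code == "O4":
        m = RUN_RE.match(entry.body)
        if m:
            cmd = m.group("cmd").strip()
            # Quoted commands end at the closing quote, unquoted at the first space.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if "\\" not in exe and "/" not in exe:
                reasons.append("autorun command has no directory path")
    if entry.code in MISSING_FILE_CODES and entry.body.rstrip().endswith(
            ("(no file)", "(file missing)")):
        reasons.append("registered component has no file on disk")
    return reasons

def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every log line that trips at least one rule."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            reasons = review_reasons(entry)
            if reasons:
                flagged.append((line.strip(), reasons))
    return flagged

# Lines copied from the HijackThis log in post #1 (truncated URL kept as posted).
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microfost Windows update] dngcdvj.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons), "->", line)
```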

#3 math.u

Posted 15 December 2005 - 08:51 PM

Hi, thanks for looking into this for me. I lost it with the computer and formatted my drives as I didn't really have anything important on it. I still think something's lurking though. I run Spybot and it keeps coming up with LSA. Will my computer still be infected, and should I still carry on with your instructions? Thanks, Mat

#4 Guest_Cretemonster_*

Posted 16 December 2005 - 05:19 AM

Did you fully wipe the drive and Reload Windows or did you do a repair install?

#5 math.u

Posted 16 December 2005 - 09:34 PM

Yup, I fully wiped it and reinstalled windows.

#6 Guest_Cretemonster_*

Posted 17 December 2005 - 05:32 AM

If you fully wiped the drive, then I seriously doubt you have any issues and are now a very happy camper!

Can you tell me the exact item Spybot is picking up?

Edited by Cretemonster, 17 December 2005 - 05:33 AM.


#7 math.u

Posted 28 December 2005 - 11:31 AM

Hi, it just comes up with LSA and doesn't give me any further information on it. It says it fixes it but doesn't. Next time I run Spybot it comes up again. There are no running problems from my computer though, it's fine. Thanks, Mat

#8 Guest_Cretemonster_*

Posted 28 December 2005 - 04:27 PM

Go here
http://www.billsway.com/vbspage/

Scroll down the page
and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

Enter LSA for a search of the registry and post back any results in the next reply.

#9 math.u

Posted 04 January 2006 - 08:31 PM

OK, here's what it came up with:


REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "lsa" 05/01/2006 01:27:56

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D360201-FFF5-11d1-8D03-00A0C959BC0A}\ProgID]
@="DHTMLSafe.DHTMLSafe.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D360201-FFF5-11d1-8D03-00A0C959BC0A}\VersionIndependentProgID]
@="DHTMLSafe.DHTMLSafe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DHTMLSafe.DHTMLSafe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DHTMLSafe.DHTMLSafe\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DHTMLSafe.DHTMLSafe\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DHTMLSafe.DHTMLSafe\CurVer]
@="DHTMLSafe.DHTMLSafe.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DHTMLSafe.DHTMLSafe.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DHTMLSafe.DHTMLSafe.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CE04B590-2B1F-11D2-8D1E-00A0C959BC0A}]
@="IDHTMLSafe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1FC78E8-B380-11D1-ADC5-006008A5848C}]
@="_DHTMLSafeEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732\Filelist\0]
"FileName"="lsasrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732\Filelist\14]
"FileName"="lsasrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885835\Filelist\0]
"FileName"="lsasrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885835\Filelist\11]
"FileName"="lsasrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885835\Filelist\14]
"FileName"="lsasrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885835\Filelist\7]
"FileName"="lsasrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/AuditBaseObjects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/CrashOnAuditFail]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/DisableDomainCreds]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/EveryoneIncludesAnonymous]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/FIPSAlgorithmPolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/ForceGuest]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/FullPrivilegeAuditing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/LimitBlankPasswordUse]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/LmCompatibilityLevel]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/MSV1_0/NTLMMinClientSec]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/MSV1_0/NTLMMinServerSec]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/NoDefaultAdminOwner]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/NoLMHash]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/RestrictAnonymous]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/RestrictAnonymousSAM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/SubmitControl]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"LsaPid"=dword:00000214

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\Windows NT Access Provider]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Data]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\GBG]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\JD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\msv1_0]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Skew1]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SSO\Passport1.4]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ScsiPort\SpecialTargetList\ScannerLinoHellSAPHIR3_________]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\SysProcs]
"lsass.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\LSA]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\LSA\ObjectNames]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\LsaSrv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Npfs\Aliases]
"lsass"=hex(7):70,72,6f,74,65,63,74,65,64,5f,73,74,6f,72,61,67,65,00,6e,65,74,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"LsaPid"=dword:00000214

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\AccessProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\AccessProviders\Windows NT Access Provider]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\Data]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\GBG]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\JD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\msv1_0]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\Skew1]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SSO\Passport1.4]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\digest.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msnsspc.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ScsiPort\SpecialTargetList\ScannerLinoHellSAPHIR3_________]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\SysProcs]
"lsass.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\LsaSrv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Npfs\Aliases]
"lsass"=hex(7):70,72,6f,74,65,63,74,65,64,5f,73,74,6f,72,61,67,65,00,6e,65,74,\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LsaPid"=dword:00000214

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ScsiPort\SpecialTargetList\ScannerLinoHellSAPHIR3_________]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\SysProcs]
"lsass.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\LsaSrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npfs\Aliases]
"lsass"=hex(7):70,72,6f,74,65,63,74,65,64,5f,73,74,6f,72,61,67,65,00,6e,65,74,\


#10 Guest_Cretemonster_*

Posted 05 January 2006 - 04:40 PM

OK, now give me the exact message you are getting from Spybot?



