Spybot find

toxicgreen

hi, thanks for reading my post...i run adaware and spybot daily, i get all the updates, and i run my AV often...spybot keeps finding the same thing, even after i fix it, i can immediately scan it again, and it shows again.
One of them is:
Hkey_users\s-1-5-19\software\microsoft\windows\currentversion\internetsettings\Zones\0\1004!=w=3

its some kind of gaming thing. I wish i could show you a screen shot of my registry and the files i found. I can't figure out how to insert it. There is a file called mchkr_zm_***
and there is a folder Zone.com. The contents have a little white icon with a red ab on it.
i wonder if i could delete these from the register.
Thanks again
Toxic

shwaip

Hi!

Please download and run hijackthis, available from the link in my sig. Place it in c:\hjt. Finally, post a hijackthis log here.

toxicgreen

here is my hijack this log.
Thanks Shwaip!

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://sc.communities.msn.com/controls/chat/msnchat42.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A46FF49E-1C7A-4529-B97B-FE9132EAB2D7}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{A46FF49E-1C7A-4529-B97B-FE9132EAB2D7}: NameServer = 209.244.0.3 209.244.0.4

shwaip

Your log looks clean.

Here's some instructions I found for getting rid of that problem:

I suggest backing up your registry before making any changes.

Yes, you need to use Windows built-in registry editor, called REGEDIT (Start -> Run -> type in REGEDIT). Run REGEDIT and navigate to the following keys in the left hand windows, then delete their value entries in the right hand window:

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3

HKEY_USERS\S-1-5-21-4184491853-266703958-3154202455-1005\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\Zones\0\1004!=W=3

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ Internet Settings\Zones\0\1004!=W=3

When finished, reboot your system. Once back up, run the scan again and see if the exploits are still there.

---

Ok, if you have a 1004 (Reg_Dword) entry, double click on it and make sure it is set to zero. If you have a 1004 (Reg_sz) entry, click on it once (to highlight it) and hit the Delete Key on the keyboard.

toxicgreen

YAYYYYY! Thanks Shwaip! That did it. It was scary editing the register. But now my spybot doesn't show me anything!
Thanks again for your help
Toxic