Omg my comp got pwned
Hi.
Some time before New Year I got the Vundo trojan. I spent a lot of time trying to get it off my system; I used the Symantec Vundo removal tool and Spybot. I had Norton AntiVirus on all the time, and it looked like that trojan destroyed it totally; it stopped responding. Two weeks after, Spybot was still pointing to awvvw.dll as having the Virtumonde trojan; before that, the same .dll was Vundo. I did everything possible to get rid of it, running checks in Safe Mode with internet/System Restore off..... Spybot kept asking to rerun at system startup, but no matter how many times I did it nothing happened. A week ago I somehow managed to shred and delete that awvvw.dll that was causing all the trouble, and after the next startup....
All users on my computer have a password now, so I can't log in as any of them (I never set any password). There is no hint or anything.
I can log in only as Guest, once after a system restart. I can go on the web only in Firefox; IE and the rest of the Windows stuff got screwed up. I can't reset any user password with the Computer Management thing; I get the message "the workstation is not initialized". And the worst thing is ...
I just got back from vacation, the first time in my life I went to the sea with my family, and I had tons of pictures. Those pictures are stored under my user name and I can't access them in any way, not to mention that I can't install, run or change anything on my computer; it keeps asking for admin rights, which Guest doesn't have....
PLEASE HELP
QQ
P.S. I can't install the program that gives you log files either... I might have Windows or Spybot logs if I can use them.
Comments
Unfortunately the users don't actually have passwords; the logon was damaged by incorrect changes made to some sensitive registry settings that the malware also used. A guess, of course, but a likely reason for the password requirements now. If this includes the computer's actual Administrator account there may not be any easy repair here, since you no longer have admin access to create new accounts to then transfer the older accounts' personal data to. You don't mention what operating system this is, as Vista is even more restricted in that area.
A repair install, if you have access to the same operating system CD (including any service pack updates), maybe, but again this repairs system issues and not user account issues. Another option is to slave this hard drive to a different working computer and see if you can transfer the data that way, then reformat and reinstall the hard drive.
Can you access the registry - go to Run, type regedit (and OK)?
In the Registry Editor, navigate to the following key (use the "+" symbols in the left panel to expand the tree entries):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Then right click on that LSA "folder", select "Export" and save that as lsa.reg.
If so, then right click on lsa.reg, select Edit, and copy/paste those contents back here.
Also see if you can run a different, non-executable scan. Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. Here are guidelines for using Silent Runners if needed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:42 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Guest\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E0906D0-6D27-46BA-8DA2-163FE3CD6E2C} - C:\WINDOWS\System32\awvvw.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [b40fed2b] rundll32.exe "C:\WINDOWS\system32\wddugyja.dll",b
O4 - HKLM\..\Run: [BMb73cdeb7] Rundll32.exe "C:\WINDOWS\system32\whutiyev.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5210] command /c del "C:\WINDOWS\system32\awvvw.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8275] cmd /c del "C:\WINDOWS\system32\awvvw.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1659004503-329068152-682003330-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1659004503-329068152-682003330-501\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1198987903703
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198983692046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198983978718
O20 - AppInit_DLLs:
O20 - Winlogon Notify: rteiceyk - rteiceyk.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 5400 bytes
Lsa file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:000002e0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:61,00,2a,fb,47,88,98,0a,72,84,3d,be,ef,20,90,3b,61,62,35,61,33,\
35,31,36,00,68,07,00,01,00,00,00,d8,00,00,00,e0,00,00,00,48,fa,06,00,d6,48,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,e0,88,73,02
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:57,74,b4,87,ef,70,75,ff,44
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:fd,e5,86,69,60,93
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:66,3d,e0,59,33,d2,76,f2,95,62,75,d3,7a,f4,fe,dc
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:ec,ef,f0,b2,a7,4a,c8,01
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,36,f3,d1,e7,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,36,f3,d1,e7,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,36,f3,d1,e7,79,c4,01
"Type"=dword:00000031
Thanks for your time.
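A triage script, added here as an example and not part of the original thread or of HijackThis, that runs three rules over the log lines above: a rundll32 autorun that loads a random all-lowercase DLL from system32 through a one-letter export (the two Vundo entries), any registered component whose file is reported missing (the awvvw.dll BHO, the rteiceyk Winlogon Notify hook and the MSControlService service image), and an "Unknown owner" service whose image has no extension or that borrows a Microsoft/Windows name. The name patterns are this example's heuristics, not HijackThis rules, and the sample input is copied from the log posted above.

```python
import re

# Lines copied from the HijackThis log posted above (a subset of the page's
# own log, not constructed), used as the sample input for the rules below.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E0906D0-6D27-46BA-8DA2-163FE3CD6E2C} - C:\WINDOWS\System32\awvvw.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [b40fed2b] rundll32.exe "C:\WINDOWS\system32\wddugyja.dll",b
O4 - HKLM\..\Run: [BMb73cdeb7] Rundll32.exe "C:\WINDOWS\system32\whutiyev.dll",s
O20 - Winlogon Notify: rteiceyk - rteiceyk.dll (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Vundo-style autorun (heuristic): rundll32 loading a DLL with a random
# all-lowercase name from system32 through a one-letter export. Legitimate
# entries such as NvCpl.dll,NvStartup use descriptive export names.
RUNDLL_RE = re.compile(
    r'^O4 - .*\\Run: \[(?P<value>[^\]]+)\] (?i:rundll32(?:\.exe)?) '
    r'"?(?P<path>[^",]*\\(?P<dll>[a-z]{6,10}\.dll))"?,(?P<entry>[^\s,]+)\s*$'
)
# O23 line: display name (service name) - owner - image path
SERVICE_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$'
)
MISSING = " (file missing)"


def triage(log_text):
    """Return (rule, item) pairs for every line that trips a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()

        m = RUNDLL_RE.match(line)
        if m and len(m.group("entry")) == 1:
            findings.append(("random_dll_autorun", m.group("dll")))

        # A hook or service still registered after its file is gone: either a
        # removal left the load point behind or the file is hidden/renamed.
        if line.endswith(MISSING):
            target = line[: -len(MISSING)].rsplit(" - ", 1)[-1]
            findings.append(("missing_file", target.rsplit("\\", 1)[-1]))

        s = SERVICE_RE.match(line)
        if s and s.group("owner") == "Unknown owner":
            image = s.group("path").replace(MISSING, "").rsplit("\\", 1)[-1]
            looks_microsoft = s.group("display").lower().startswith(("microsoft", "windows"))
            # No file extension on the image, or a vendor-less service that
            # claims to be Microsoft's: both are worth a manual look.
            if "." not in image or looks_microsoft:
                findings.append(("unknown_service", s.group("name")))
    return findings


if __name__ == "__main__":
    for rule, item in triage(SAMPLE_LOG):
        print(f"{rule:20s} {item}")
```

The "Unknown owner" rule deliberately does not flag every unsigned service (PnkBstrA and PnkBstrB in the full log are PunkBuster, also "Unknown owner"), only those with no image extension or a Microsoft-sounding display name; extend the tuple of prefixes or add a known-good list for the hosts you look after.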
Let's return the missing value and see; possibly it might aid the situation. Keep that reg file you just created as a backup as well. If something does not work correctly after this next change, just right click it and allow it to merge with the registry.
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and OK the prompt asking if you wish to merge the file with your registry. Reboot.
After the reboot, again attempt to log on as a different user, and for now just post back the answer to my question about using programs/tools and anything that may have changed after this reg change, please.
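Added example (not from the original thread): a small parser for the regedit export posted above that decodes the hex(7) REG_MULTI_SZ values into package names, compares the Lsa key against a stand-alone Windows XP baseline, and writes out the .reg text that restores a missing value. The baseline (Authentication Packages = msv1_0; Security Packages = kerberos, msv1_0, schannel, wdigest; Notification Packages = scecli) is this example's assumption for a non-domain XP box with no third-party security packages. The registry text in the box this reply refers to is not reproduced on the page, so the fixer is generated from that baseline instead. Run against the export above it reports that "Authentication Packages" is absent, which is the same condition the system report later in the thread prints as Error: Value: "Authentication Packages" does not exist!

```python
import re

# The [...\Lsa] key from the regedit export posted above (copied from the
# page and trimmed to the values this example looks at). regedit writes
# continuation lines with a trailing backslash and two leading spaces.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"forceguest"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
'''

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumed baseline for a stand-alone Windows XP machine (this example's
# assumption; domain-joined hosts or third-party SSPs legitimately add more).
BASELINE = {
    "Authentication Packages": ["msv1_0"],
    "Security Packages": ["kerberos", "msv1_0", "schannel", "wdigest"],
    "Notification Packages": ["scecli"],
}

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _join_continuations(text):
    """Glue regedit's backslash-continued hex lines back into one line."""
    joined = []
    for raw in text.splitlines():
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + raw.strip()
        else:
            joined.append(raw.rstrip())
    return joined


def decode_value(data):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"'):                       # REG_SZ
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):                  # REG_DWORD
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((?P<t>[0-9a-f]+)\))?:(?P<b>.*)$", data)
    if not m:
        return data
    blob = bytes.fromhex(m.group("b").replace(",", ""))
    kind = int(m.group("t") or "3", 16)            # bare "hex:" is REG_BINARY
    if kind == 7:                                  # REG_MULTI_SZ: UTF-16LE, NUL-separated, double-NUL end
        out = []
        for part in blob.decode("utf-16-le").split("\0"):
            if part == "":
                break
            out.append(part)
        return out
    if kind == 2:                                  # REG_EXPAND_SZ
        return blob.decode("utf-16-le").rstrip("\0")
    return blob


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            keys[current][name] = decode_value(m.group("data"))
    return keys


def encode_multi_sz(strings):
    """Encode a list of strings the way regedit writes a REG_MULTI_SZ."""
    blob = ("\0".join(strings) + "\0\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in blob)


def audit_lsa(text):
    """Compare the Lsa key with BASELINE; return (findings, fixer_reg_or_None)."""
    lsa = parse_reg(text).get(LSA_KEY, {})
    findings, restore = [], {}
    for name, expected in BASELINE.items():
        actual = lsa.get(name)
        if actual is None:
            findings.append(f"{name}: value missing (baseline {expected})")
            restore[name] = expected
        elif not isinstance(actual, list):
            findings.append(f"{name}: not a REG_MULTI_SZ ({actual!r})")
        else:
            extra = [p for p in actual if p not in expected]
            if extra:
                findings.append(f"{name}: unexpected package(s) {extra}")
    fixer = None
    if restore:
        fixer = "Windows Registry Editor Version 5.00\n\n[" + LSA_KEY + "]\n"
        fixer += "".join(f'"{n}"={encode_multi_sz(v)}\n' for n, v in restore.items())
    return findings, fixer


if __name__ == "__main__":
    found, fix = audit_lsa(SAMPLE_EXPORT)
    for f in found:
        print("finding:", f)
    if fix:
        print(fix)
```

After merging the generated file, export the key again and re-run the audit to confirm the value actually landed; a merge that reports "Not all data was successfully written" leaves the key unchanged, and the original export stays the rollback copy this reply asks you to keep.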
First things first. I couldn't copy text from your post to Notepad; I could copy, but no Paste option was available in Notepad, so I went to the Lsa file that I made, copied:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
from there and changed it to:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
Saved it like you said as fixer.reg and tried to merge. As I did that I got the message:
"Cannot import C:\......\fixer.reg : Not all data was successfully written to registry. Some keys are open by system or other processes."
Tried to run it in Safe Mode, but Safe Mode has no Guest so I can't even log in.
What else I did... compmgmt.msc: I tried to change the password using that command,
went to Users and reset the password. I'm getting the message:
"Can't change password for this user: The Workstation service has not been started"
Also as Windows starts, 2 rundll commands pop up with errors:
"Error loading c:\windows\system32\wddugyja.dll
The specified module could not be found"
"Error loading c:\windows\system32\whutiyev.dll
Access is denied"
My main concern is my New Year's and vacation pictures that are stored under my user name. I wonder if reinstalling Windows will erase my users and all the files with them?
Thank you for your time.
I am not real eager to suggest starting repairs on an already damaged setup, but I'm not seeing much of a choice here. A real caution: this system is not only seriously infected, but, as you know, crippled by some incorrect changes made after. I cannot guarantee our efforts will not still result in the need to reformat and reinstall the operating system.
Having said that, let's proceed with some repairs here. These steps are written for normal system access, so modify some if needed there. But if Safe Mode is indicated you will need to do the steps in Safe Mode.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download SDFix.exe and save it to your desktop. However, I would like you to rename the file as you download it (do not download it directly without renaming it). Rename the downloaded file to george.exe, so george.exe is downloaded and saved to your desktop.
===================================================
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
Click on the renamed SDFix file george.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.
Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.
=============================
After the reboot Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it). For this rename the downloading file to matt.exe, then click the renamed matt.exe to run that scan.
When starting, ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process it will display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay. When completed, a text window will appear; please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
A caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop; however, given the infection there, ComboFix will likely cause a reboot in order to complete its repairs.
(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)
Post back the C:\ComboFix.txt log as well as the SDFix Report.txt and a new HijackThis log please.
I'm performing a full SDFix scan at the moment...
I checked the new Lsa file and it looks like no changes have been made to it by fixer.reg....
I'll post some as soon as SDFix is done with the scan....
P.S. At this moment there is no way I can log in in Safe Mode; I can't get admin rights or log in as admin or any user in Safe Mode.
a-squared Command Line Scanner - Version 3.0
Last update: N/A
Scan settings:
Objects: Memory, Traces, Cookies, C:
Scan archives: On
Heuristics: Off
ADS Scan: On
Scan start: 2/27/2008 1:14:28 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Policies --> {6BF52A52-394A-11D3-B153-00C04F79FAA6} detected: Trace.Registry.Command Service
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Products --> compname detected: Trace.Registry.BestsellerAntivirus
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Products --> prodname detected: Trace.Registry.BestsellerAntivirus
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Products --> rdomain detected: Trace.Registry.BestsellerAntivirus
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR --> cmd detected: Trace.Registry.BitTorrent Smart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR --> configversion detected: Trace.Registry.BitTorrent Smart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR --> i detected: Trace.Registry.BitTorrent Smart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR --> nextupdate detected: Trace.Registry.BitTorrent Smart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR --> p detected: Trace.Registry.BitTorrent Smart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR --> version detected: Trace.Registry.BitTorrent Smart
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:13 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:71 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:81 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:122 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:139 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:142 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:143 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:144 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:145 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:182 detected: Trace.TrackingCookie
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\895e0ptv.default\cookies.txt:183 detected: Trace.TrackingCookie
C:\Program Files\Messenger\lavuha.dll detected: Trojan.Win32.BHO.ab
C:\Program Files\Messenger\lavuha132.dll detected: Trojan.Win32.BHO.ab
C:\Program Files\Messenger\lavuha832.dll detected: Trojan.Win32.BHO.ab
C:\Program Files\Messenger\profsyvy.html detected: Trojan-Clicker.HTML.IFrame.dn
C:\WINDOWS\system32\aacmtuww.fzd detected: Adware.Win32.Virtumonde.dhz
C:\WINDOWS\system32\config32\updater.dll detected: Trojan-Downloader.Win32.Small.hnc
C:\WINDOWS\system32\ijdyryse.dll.vir detected: Adware.Win32.Virtumonde.dnn
C:\WINDOWS\system32\lev2\aroblcidr2.exe detected: Trojan-Downloader.Win32.Small.buy
Scanned
Files: 42088
Traces: 165113
Cookies: 193
Processes: 7
Found
Files: 8
Traces: 10
Cookies: 11
Processes: 0
Quarantined
Files: 4
Traces: 10
Cookies: 11
Processes: 0
Scan end: 2/27/2008 1:46:27 PM
Scan time: 0:31:59
System report:
System Report
*************
Run on Wed 02/27/2008 at 01:59 PM
Microsoft Windows XP [Version 5.1.2600]
Current user is not an administrator
Running Processes:
C:\WINDOWS\Explorer.EXE [1472]
C:\WINDOWS\system32\ctfmon.exe [1736]
C:\Program Files\Mozilla Firefox\firefox.exe [1860]
Drivers - Running:
Drivers - Stopped:
Services - Running:
Services - Stopped:
Files Created/Modified - 60 Days:
C:\
C:\WINDOWS\
C:\Program Files\
Files with hidden attributes:
Catchme:
disk not found C:\
please note that you need administrator rights to perform deep scan
Program Folders:
C:\Program Files\
Adobe
Ahead
Common Files
Disc2Phone
DivX
DivX_3.1alpha
DivXCodec
Electronic Arts
eMule
Google
InstallShield Installation Information
Internet Explorer
Messenger
Microsoft ActiveSync
Microsoft Encarta
microsoft frontpage
Microsoft Office
Microsoft.NET
mIRC
Movie Maker
Mozilla Firefox
MSN
MSN Gaming Zone
MSN Messenger
NavNT
NCSoft
Nero
NetMeeting
Online Services
Outlook Express
QuickTime
Real
Sony
Spybot - Search & Destroy
Symantec
Tasker3.13
Uninstall Information
Ventrilo
Winamp
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
WinZip
xerox
??crosoft.NET
C:\Program Files\Common Files\
Adobe
Ahead
Blizzard Entertainment
DirectX
EasyInfo
InstallShield
Microsoft Shared
MSSoap
ODBC
Real
SpeechEngines
Symantec Shared
System
Wise Installation Wizard
Add/Remove Programs:
Run Values:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\""
"b40fed2b"="rundll32.exe \"C:\\WINDOWS\\system32\\wddugyja.dll\",b"
"BMb73cdeb7"="Rundll32.exe \"C:\\WINDOWS\\system32\\whutiyev.dll\",s"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
@=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"
"SpybotDeletingA5210"="command /c del \"C:\\WINDOWS\\system32\\awvvw.dll_old\""
"SpybotDeletingC8275"="cmd /c del \"C:\\WINDOWS\\system32\\awvvw.dll_old\""
Bot Check:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="20000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000004
"Shell"="Explorer.exe"
"userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"
ShellExecuteHooks:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"=""
Environment:
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_EXPAND_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Samsung\Samsung PC Studio 3\;C:\Program Files\QuickTime\QTSystem\
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
CLASSPATH REG_SZ .;C:\Program Files\QuickTime\QTSystem\QTJava.zip
QTJAVA REG_SZ C:\Program Files\QuickTime\QTSystem\QTJava.zip
SecurityProviders:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Authentication Packages:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Error: Value: "Authentication Packages" does not exist!
Subsystem Startup:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
Midi Drivers:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi1"="wdmaud.drv"
"midi"="wdmaud.drv"
"midi2"="wdmaud.drv"
Non-Default IFEO Debugger:
Non-Default Installed Components:
Non-Default Safeboot Minimal:
File Associations:
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"
[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"
[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
Finished!
It did some changes. I noticed "access denied" messages 2 times; after it did the check it asked to reboot, but it didn't start again after the restart.
SDFix: Version 1.148
Run by Guest on Wed 02/27/2008 at 02:37 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
That's all that was in the report file.
As I'm trying to run ComboFix, I get the error: "Some files could not be created.
Please close all applications, reboot Windows and restart this installation"
If I try to save it to C:\ I get the message that "you can't save files to this dir, you don't have admin rights"
and here is the newest log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:45 PM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Guest\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E0906D0-6D27-46BA-8DA2-163FE3CD6E2C} - C:\WINDOWS\System32\awvvw.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [b40fed2b] rundll32.exe "C:\WINDOWS\system32\wddugyja.dll",b
O4 - HKLM\..\Run: [BMb73cdeb7] Rundll32.exe "C:\WINDOWS\system32\whutiyev.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5210] command /c del "C:\WINDOWS\system32\awvvw.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8275] cmd /c del "C:\WINDOWS\system32\awvvw.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1659004503-329068152-682003330-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1198987903703
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198983692046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198983978718
O20 - AppInit_DLLs:
O20 - Winlogon Notify: rteiceyk - rteiceyk.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 5131 bytes
Any help is very appreciated.
Which I have also attached as a zipped file. Download and unzip that and see if you can merge that with the registry (right click/Merge).
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:000002e0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:61,00,2a,fb,47,88,98,0a,72,84,3d,be,ef,20,90,3b,61,62,35,61,33,\
35,31,36,00,68,07,00,01,00,00,00,d8,00,00,00,e0,00,00,00,48,fa,06,00,d6,48,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,e0,88,73,02
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:57,74,b4,87,ef,70,75,ff,44
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:fd,e5,86,69,60,93
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:66,3d,e0,59,33,d2,76,f2,95,62,75,d3,7a,f4,fe,dc
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:ec,ef,f0,b2,a7,4a,c8,01
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,36,f3,d1,e7,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,36,f3,d1,e7,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,36,f3,d1,e7,79,c4,01
"Type"=dword:00000031
I unzipped your file, merged it with the registry, got a prompt about "cannot import some keys", rebooted the computer, went to regedit, exported newlsa and posted it here.
Thanks.
The new report gives the same message about missing authentication packages.
At any time prior to 4:16 P.M. your time, Go to Start - Run, type cmd (and Enter). At the prompt type (copy/paste) the following:
at 16:16 /interactive regedt32.exe
Then right at 4:16 the Registry Editor window will open. The time I use is just an example - replace that with some time 5 minutes advanced of the current time, when you are ready to do this step.
When the Registry Editor window opens, locate and right click on the LSA key, and select New -> Multi-String Value.
Then in the box created for that new Value type Authentication Packages (and hit Enter).
Right click on the new Authentication Packages Value and type msv1_0 and hit Enter again (that last character is a zero, not an "O").
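As an added example (mine, not code from the thread or from the helper), here is a small parser for the .reg export format posted above that decodes hex(7) REG_MULTI_SZ data and checks whether the Lsa key carries the Authentication Packages value the steps above create; SAMPLE_REG and FIXED_REG are constructed inputs assumed for the demonstration, not the full export.

```python
import re
# Constructed sample shaped like the thread's .reg export: only the Lsa values that matter (assumed input).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000002e0
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
'''
# The same key once the REG_MULTI_SZ value the steps above create (msv1_0) is present (constructed).
FIXED_REG = SAMPLE_REG + '"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00\n'
LSA_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

def parse_reg(text):
    """Parse a .reg export into {key path: {value name: raw data string}}."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join backslash-continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)  # '@=' default is skipped
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def decode_value(data):
    """Decode .reg value data: dword:, hex(7): (REG_MULTI_SZ), other hex as bytes."""
    if data.startswith('dword:'):
        return 'REG_DWORD', int(data[6:], 16)
    m = re.match(r'^hex(?:\((\d+)\))?:(.*)$', data)
    if not m:
        return 'REG_SZ', data.strip('"')
    raw = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
    if m.group(1) == '7':  # UTF-16LE strings, NUL separated; an empty string ends the list
        text = raw[:len(raw) // 2 * 2].decode('utf-16-le')
        return 'REG_MULTI_SZ', [s for s in text.split('\x00') if s]
    return 'REG_BINARY', raw

def check_lsa_auth_packages(reg_text):
    """Does the Lsa key carry an 'Authentication Packages' multi-string naming msv1_0?"""
    values = parse_reg(reg_text).get(LSA_KEY, {})
    if 'Authentication Packages' not in values:
        return {'present': False, 'packages': [], 'ok': False}
    kind, packages = decode_value(values['Authentication Packages'])
    return {'present': True, 'packages': packages, 'ok': kind == 'REG_MULTI_SZ' and 'msv1_0' in packages}
```

Running the check over an export taken from the affected machine shows at a glance whether the value is still missing after the merge, which is the condition the thread is trying to fix.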
Should I type it in manually into Lsa, or do we need the /interactive command?
Then try that interactive command again. But if you can get that LSA value changed please do so.
As soon as I open services.msc I get the error: "Unable to open service control manager database on.Error 5:Access is denied."
QQ, this is getting scary....
Thanks for your time.
One option is to attempt a Repair Install, which would save personal data but restore specific system info. Not sure you mentioned - do you have an XP CD, or the means of accessing one? It would need to be the same service pack upgrade as whatever was installed here originally (if this was an XP SP1 install later upgraded to SP2, you can use an XP SP1 CD)?
Yes, I had SP1 installed first and then upgraded it to SP2. I might have the CD or I might find one. So as I understand it, I need to repair Windows with the same SP as was originally installed the first time, which is SP1? Or can I use any WinXP CD?
Another thing is that I was using TeaTimer from Spybot S&D just before the problem occurred; I used it to block all changes made to the registry by Virtumonde and the rest of the viruses I had.
My main goal is to save or restore my Pictures folder, which is in my user account.
As I understand it, repairing Windows with the WinXP CD will not erase the accounts on my computer?
I'm in the process of finding the CD now; I'm gonna post any updates on this issue.
Thank you for your time, Thomas.
Thanks for your time.
It's gonna take 6h to download; I'll keep in touch.
Thanks
I got an error: "An error using COM/OLE occurs. Please check the installation of COM on your computer"
Windows does not recognize my DVD burner as a burner, just as a CD/DVD-ROM.
When I try to install the original DVD-R drivers I get the admin thing again. I guess I'm gonna have to ask my brother to burn it for me. The KNOPPIX idea sounds very good to me, because I'm still afraid that I'm gonna erase my files by trying to repair Windows, so I want to try it first; if I get the files out I will reformat/reinstall WinXP.
Thanks for your help.