
Someone has control of my computer

Discussion in 'Malware and Virus Removal Archive' started by MitchellCooley, 2006/12/02.

  1. 2006/12/07, TeMerc (Inactive Alumni)

    Ok, looks good, one minor item to fix with HJT:

    O2 - BHO: (no name) - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)

    How is the machine behaving at this point? Let me know.

    I need to double check to see if there are any other additional scans/searches we need to perform on this machine. Those infections usually bugger a lot up and I want to be certain we don't leave anything remaining and have all settings as they should be.
     
  2. 2006/12/07, MitchellCooley (Thread Starter)

    Ok, I'll take care of it. Things seem to be working as they should be. Spybot, AVG, and Sygate appear to be doing their job.
     


  4. 2006/12/08, TeMerc (Inactive Alumni)

    Ok, here is a check we need to run to see what, if any, registry entries are still buggered up.

    Copy/paste the following code box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

    Code:
    cd %systemdrive%\
    If not exist lsafiles MkDir lsafiles
    regedit /a /e lsafiles\1.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    regedit /a /e lsafiles\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
    regedit /a /e lsafiles\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
    regedit /a /e lsafiles\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    regedit /a /e lsafiles\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    regedit /a /e lsafiles\6.txt HKEY_USERS\DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
    regedit /a /e lsafiles\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
    regedit /a /e lsafiles\8.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr"
    regedit /a /e lsafiles\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    regedit /a /e lsafiles\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    regedit /a /e lsafiles\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
    regedit /a /e lsafiles\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
    regedit /a /e lsafiles\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    regedit /a /e lsafiles\14.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess
    regedit /a /e lsafiles\15.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    regedit /a /e lsafiles\16.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
    regedit /a /e lsafiles\17.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
    regedit /a /e lsafiles\18.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore"
    regedit /a /e lsafiles\19.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\systemrestore"
    regedit /a /e lsafiles\20.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc
    regedit /a /e lsafiles\21.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr

    rem Concatenate every export into one file, remove the work folder, then show the result
    copy lsafiles\*.txt %systemdrive%\lsa.txt
    rmdir /s /q lsafiles
    notepad %systemdrive%\lsa.txt
    
    Save it to your Desktop as inspect.bat, using:
    File Type: All Files (not as a text document or it won't work).
    Name: inspect.bat

    Locate inspect.bat on your Desktop and double-click it.
    When finished it will open a file in Notepad.
    That file will be named lsa.txt. Copy/paste the content in your reply.
    When you close Notepad the CMD window will close automatically and the new folder will be deleted.
     
  5. 2006/12/08, MitchellCooley (Thread Starter)

    Here is the file. I'm glad you understand all this...

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    "Type"=dword:00000120
    "Start"=dword:00000003
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
    00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
    6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
    "DisplayName"="Internet Connection Sharing"
    "DependOnService"=hex(7):52,00,61,00,73,00,4d,00,61,00,6e,00,00,00,00,00
    "DependOnGroup"=hex(7):00,00
    "ObjectName"="LocalSystem"
    "Description"="Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection."

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
    "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
    00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
    69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
    00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
    "Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
    00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
    00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
    05,12,00,00,00,20,02,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
    20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
    00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
    00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
    00,01,01,00,00,00,00,00,05,12,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
    "0"="Root\\LEGACY_SHAREDACCESS\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr]
    "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,54,00,63,00,70,00,\
    49,00,70,00,00,00,00,00
    "Description"="Allows a remote user to log on to the system and run console programs using the command line."
    "DisplayName"="Telnet"
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,\
    00,6c,00,6e,00,74,00,73,00,76,00,72,00,2e,00,65,00,78,00,65,00,00,00
    "ObjectName"="LocalSystem"
    "Start"=dword:00000003
    "Type"=dword:00000010

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr\Enum]
    "0"="Root\\LEGACY_TLNTSVR\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    "DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
    14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
    00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
    00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
    05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
    5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
    5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
    "EnableDCOM"="Y"

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
    00
    "Bounds"=hex:00,30,00,00,00,20,00,00
    "Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
    00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
    6e,00,65,00,6c,00,00,00,00,00
    "LsaPid"=dword:000000ec
    "SecureBoot"=dword:00000001
    "auditbaseobjects"=dword:00000000
    "crashonauditfail"=dword:00000000
    "fullprivilegeauditing"=hex:00
    "lmcompatibilitylevel"=dword:00000000
    "restrictanonymous"=dword:00000000
    "Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
    "enabledcom"="y"
    "SecureLsaInterfaceSupport"=dword:00000001

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
    "ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
    54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
    00,69,00,64,00,65,00,72,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
    "ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
    00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
    6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
    "Pattern"=hex:58,87,82,5a,26,86,d2,ea,d9,fc,b4,5f,69,c2,23,4f,39,31,62,65,30,\
    39,61,64,00,fd,06,00,01,00,00,00,a8,00,00,00,b4,00,00,00,54,fa,06,00,7d,3e,\
    65,76,04,00,00,00,b0,fd,06,00,a8,fd,06,00,6b,69,37,53

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
    "GrafBlumGroup"=hex:87,4c,a3,55,c6,3a,30,0b,52

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
    "Lookup"=hex:8a,5d,f0,18,e5,d5

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
    "Auth132"="IISSUBA"

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
    "SkewMatrix"=hex:35,2b,d2,38,92,0a,22,3b,34,80,08,66,51,87,f4,f9

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
    "Time"=hex:50,2f,9f,61,8d,13,c7,01

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
    "Name"="Digest"
    "Comment"="Digest SSPI Authentication Package"
    "Capabilities"=dword:00004050
    "RpcId"=dword:0000ffff
    "Version"=dword:00000001
    "TokenSize"=dword:0000ffff
    "Time"=hex:00,20,07,08,5e,4f,c2,01
    "Type"=dword:00000031

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
    "Name"="DPA"
    "Comment"="DPA Security Package"
    "Capabilities"=dword:00000037
    "RpcId"=dword:00000011
    "Version"=dword:00000001
    "TokenSize"=dword:00000300
    "Time"=hex:00,60,4e,96,aa,40,bf,01
    "Type"=dword:00000031

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
    "Name"="MSN"
    "Comment"="MSN Security Package"
    "Capabilities"=dword:00000037
    "RpcId"=dword:00000012
    "Version"=dword:00000001
    "TokenSize"=dword:00000300
    "Time"=hex:00,60,4e,96,aa,40,bf,01
    "Type"=dword:00000031

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000095

    Mitchell :confused:
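The lsa.txt that inspect.bat produces is only useful if someone can read it, and the hex(2)/hex(7) values above are UTF-16LE strings, which is why the service paths look like noise. Below is an added example (not TeMerc's or Blender's tool, and not part of this thread) of a small Python parser for that regedit export format, followed by an audit of the service and LSA settings the check exports. The sample input is a constructed excerpt of the export MitchellCooley posted; the audit rules are my own reading of those settings, not something the thread states.

```python
"""Parse a regedit /e export (several exports glued together, as inspect.bat's
copy step does) and summarise the settings an incident responder cares about.
Added example; the sample below is a constructed excerpt of the thread's lsa.txt."""
import re
from typing import Any, Dict, List

# Constructed sample: three keys from the posted export, concatenated with the
# repeated "Windows Registry Editor" headers exactly as copy lsafiles\*.txt leaves them.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,54,00,63,00,70,00,\
  49,00,70,00,00,00,00,00
"DisplayName"="Telnet"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,\
  00,6c,00,6e,00,74,00,73,00,76,00,72,00,2e,00,65,00,78,00,65,00,00,00
"Start"=dword:00000003

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"lmcompatibilitylevel"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


def _join_continuations(text: str) -> List[str]:
    """Rejoin regedit's backslash-continued hex lines into single logical lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        out.append(line)
    if buf:
        out.append(buf)
    return out


def _decode(raw: str) -> Any:
    """Turn the right-hand side of a "name"=... line into a Python value."""
    if raw.startswith('"'):                      # REG_SZ written as a quoted string
        return raw[1:raw.rfind('"')].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    kind = int(m.group(1) or "3")                # bare hex: is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (1, 2):                           # REG_SZ / REG_EXPAND_SZ, UTF-16LE, NUL-terminated
        return data[: len(data) & ~1].decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                # REG_MULTI_SZ: NUL-separated, double-NUL ended
        return [s for s in data[: len(data) & ~1].decode("utf-16-le").split("\x00") if s]
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {key_path: {value_name: decoded_value}} for a (possibly concatenated) export."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith("@="):
            keys[current][""] = _decode(line[2:])
        elif current is not None and (m := _VALUE_RE.match(line)):
            keys[current][m.group(1)] = _decode(m.group(2))
    return keys


def audit(keys: Dict[str, Dict[str, Any]]) -> List[str]:
    """Summarise remote-access services and LSA/autorun hardening from the parsed export."""
    findings = []
    for path, v in keys.items():
        low = path.lower()
        if "\\services\\" in low and "ImagePath" in v:
            start = START_TYPES.get(v.get("Start"), "unknown")
            findings.append(f"service {path.rsplit(chr(92), 1)[1]}: start={start}, image={v['ImagePath']}")
        if low.endswith("\\control\\lsa"):
            if v.get("restrictanonymous") == 0:
                findings.append("LSA restrictanonymous=0: no extra restrictions on anonymous connections")
            if v.get("lmcompatibilitylevel", 3) < 3:
                findings.append(f"LSA lmcompatibilitylevel={v['lmcompatibilitylevel']}: LM/NTLMv1 responses still sent")
        if low.endswith("\\policies\\explorer") and "NoDriveTypeAutoRun" in v:
            n = v["NoDriveTypeAutoRun"]
            state = "disabled" if n & 0x04 else "enabled"   # bit 0x04 = DRIVE_REMOVABLE
            findings.append(f"NoDriveTypeAutoRun=0x{n:02x}: removable-drive autorun {state}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(line)
```

Run it as-is to see the constructed excerpt summarised; to use it on a real lsa.txt, read the file with `encoding="mbcs"` on Windows (regedit /a writes ANSI) and pass the text to `parse_reg_export`. The Telnet entry is a good illustration of why decoding matters: the raw hex(2) bytes become `%SystemRoot%\system32\tlntsvr.exe`, and the Start value 3 (manual) tells you the service is registered but not set to start on boot.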
     
  6. 2006/12/08, TeMerc (Inactive Alumni)

    Actually, I don't get most of it. I got the reg search from my go-to gal, Blender, who knows every damn thing!!! :p

    She has infected herself tons of times with these things and knows what they do, and created this custom search tool.

    I'll be back with any additional procedures as soon as she gets a gander at this.
     
