Air4Andy

About:Blank "Search for" page and virus sex

15 posts in this topic

Hello all,

First, I'd like to say I am very computer literate so I know what I'm talking about, but I come to you for help. I picked up some malware off the net (go figure); this one hijacked my start page and made it the about:blank page except that it says "Search for..." and it normally has a popup with 4 sets of animated viruses getting it on (kinda funny), but it is annoying as hell.

 

At first I thought nothing of it. Ran Ad-Aware. I believe that got rid of it... maybe not... either way it came back later that night and by morning the start page was taken over again. So I ran Ad-Aware, CWShredder, and HiJackThis; all came up with something fishy, so I trashed it all. Symantec Corporate also ran that night but found nothing. It seemed to be gone.

Day and a half later, with no one using the net in that time, I found it had renamed my Notepad.exe to Notepad.exe.bak and my wmplayer.exe to wmplayer.exe.bak. I fixed them back and ran all the programs again. Ok gone. Nope. Less than 6 hours later it came back, notepad and wmplayer intact still, but start page back to the same "Search for" and same spyware and virus sex popups. I am running these programs right now:

 

Latest Ad-Aware: 7 instances of CoolWebSearch gone, some other cookies, possible browser hijack attempts, all gone, ok.

 

CWShredder v1.59.1: Found CWS.Searchx REMOVED. All else clean.

 

Latest Spybot S&D: Found more cookies, a DSO Exploit (reg changes, and ie changes), and the eZula installer and program, all fixed.

 

Then I ran a StartupList and will post the log in a little bit.

 

Now I am running the Latest HiJackThis. Here is the log for HiJackThis and then the Startup list...

 

 

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Logfile of HijackThis v1.97.7

Scan saved at 8:51:09 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Andrew Aken\Desktop\Tools\HiJackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {646511DF-97CA-4740-8F27-40B197C5B881} - c:\windows\system32\klgmhe.dll (file missing)

O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe

O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8115.5352199074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{70E4DF3F-3745-4CBF-BC2D-E5928F6598C4}: NameServer = 24.196.64.39,24.196.64.40

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 

 

 

 

 

 

 

ADAWARE DELETED THE FILE REFERRED TO BY THE O2 ABOVE, so my guess is to trash that.

 

 

 

 

 

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

StartupList report, 6/30/2004, 8:49:17 PM

StartupList version: 1.52

Started from : C:\Documents and Settings\Andrew Aken\Desktop\Tools\StartupList.EXE

Detected: Windows XP SP1 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Andrew Aken\Desktop\Tools\StartupList.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Andrew Aken\Start Menu\Programs\Startup]

ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

(Default) = C:\WINDOWS\Options\OEMReset.exe /Audit

CHotkey = mHotkey.exe

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"

WINDVDPatch = CTHELPER.EXE

UpdReg = C:\WINDOWS\UpdReg.EXE

Jet Detection = C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - c:\windows\system32\klgmhe.dll (file missing) - {646511DF-97CA-4740-8F27-40B197C5B881}

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8115.5352199074

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

 

--------------------------------------------------

End of report, 4,780 bytes

Report generated in 0.250 seconds

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 

 

Anyone have any ideas? My system looks clean now. The page is gone. My notepad / player are intact... but for how long? Someone please check over these logs and I will keep you updated if I see it back in the next 4 hours. Thank you much in advance, but this one is almost kicking my ass.


Hi Andy, I'm experiencing similar issues and we have several start-up files in common (O4 HijackThis codes) that I can't find information for. I'm going to delete them and see what happens. Attached is a copy of my HijackThis log with notes next to items that I'm cleaning up. You might find them helpful. The key to the left has been preceded with one of my own after doing the research suggested by the HijackThis tutorial.

 

Key -

 

U - user discretion to keep or delete

Y - keep for necessary functionality

N - not necessary

? - not sure

X - known malware

not found - no information available on these (I'm deleting. No offense, but if your post is the only hit I get in a google search and you're having similar problems, I'm getting rid of them!)

 

 

U - O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

Y - O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

U - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

? - O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

N - O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

U - O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

U - O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe (keyboard functionality)

U - O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe (McAfee)

U - O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee)

U - O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe (McAfee)

? - O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

N - O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (Sys tray icon for RealPlayer)

X - O4 - HKLM\..\Run: [winmain] winmain.exe (see start-ups for link)

not found - O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Wszv.exe (remove per computercops.biz)

X - O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

N - O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe

not found - O4 - HKLM\..\Run: [NIqz.exe] C:\documents and settings\other\local settings\temp\NIqz.exe ( suspect, Air4Andy )

not found - O4 - HKLM\..\Run: [lQu3Htnr.exe] C:\documents and settings\other\local settings\temp\lQu3Htnr.exe ( suspect, Air4Andy )

X - O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost35.exe (IEDriver adware variant)

not found - O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Other\LOCALS~1\Temp\app7.tmp (suspect )

not found - O4 - HKLM\..\Run: [AutoLoader3Fw61OWgKZaU] "C:\WINDOWS\System32\dskistub.exe" /PC="AM.WILD" /HideUninstall ( remove per amazingtechs.com )

not found - O4 - HKLM\..\Run: [3sFg34j] dskistub.exe ( suspect, Air4Andy )

U - O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (windows messaging utility, see start-ups)

N - O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"

U - O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit ( for Everquest)

X - O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

not found - O4 - HKCU\..\Run: [iBwmRQHqR] mcdlbmsg.exe ( suspect )

 

In addition to the ones I have your name next to, it looks like you've got nwiz, too.

 

Keeping my fingers crossed!

 

Val

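An added example, not part of any post in this thread: a small Python script that applies the same rules Val worked through by hand to HijackThis lines, so the triage is repeatable. It flags R0/R1 search and start-page values that point at a local file (the about:blank "Search for" pattern), O2 BHOs whose DLL is already gone or that load straight from System32 with no name, O4 autoruns that execute out of a Temp directory or a .tmp file, random-looking O4 value names, and it lists the O17 DNS servers for a manual check. The sample lines are copied from the logs posted in this thread (Val's notes stripped, truncated URLs left as posted); the "random name" and "unnamed BHO in System32" rules are heuristics I chose for illustration, not signatures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample HijackThis lines copied from the logs posted in this thread (Andy's
# logs and Val's annotated O4 list, Val's notes stripped). URLs left truncated.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {646511DF-97CA-4740-8F27-40B197C5B881} - c:\windows\system32\klgmhe.dll (file missing)
O2 - BHO: (no name) - {F69B9F2F-9BB6-458D-9674-F9CE89A2FB57} - C:\WINDOWS\System32\laihboh.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NIqz.exe] C:\documents and settings\other\local settings\temp\NIqz.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Other\LOCALS~1\Temp\app7.tmp
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Wszv.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{70E4DF3F-3745-4CBF-BC2D-E5928F6598C4}: NameServer = 24.196.64.39,24.196.64.40
"""

@dataclass
class Finding:
    severity: str  # "high", "review" or "info"
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<rest>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<where>.*?): \[(?P<name>.*?)\] (?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)          # ...\Temp\... anywhere in a path
SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll\s*$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{10,}$")           # e.g. 2P6WFAX43ZHE7C (heuristic)

def _check_r(sec: str, rest: str, line: str) -> Optional[Finding]:
    # "HKCU\...\Main,Search Page = <value>": the hijacker points these at a local file
    _, _, value = rest.partition(" = ")
    value = value.strip()
    if value.lower().startswith("file://") or TEMP_RE.search(value):
        return Finding("high", sec, "start/search page points at a local file (about:blank 'Search for' hijack)", line)
    if value == "about:blank":
        return Finding("info", sec, "about:blank value; harmless alone, but a leftover of the same hijacker", line)
    return None

def _check_o2(sec: str, rest: str, line: str) -> Optional[Finding]:
    m = O2_RE.match(rest)
    if not m:
        return None
    path = m.group("path").strip()
    if "(file missing)" in path:
        return Finding("high", sec, "BHO CLSID still registered but its DLL is gone; remove the stale entry too", line)
    if m.group("name") == "(no name)" and SYSTEM32_DLL_RE.search(path):
        return Finding("review", sec, "unnamed BHO loaded straight from System32 (heuristic: real BHOs live under Program Files)", line)
    return None

def _check_o4(sec: str, rest: str, line: str) -> Optional[Finding]:
    m = O4_RE.match(rest)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    if TEMP_RE.search(cmd) or re.search(r"\.tmp\b", cmd, re.IGNORECASE):
        return Finding("high", sec, "autorun executes out of a Temp directory or a .tmp file", line)
    if RANDOM_NAME_RE.match(name):
        return Finding("review", sec, "random-looking autorun value name (heuristic)", line)
    return None

def _check_o17(sec: str, rest: str, line: str) -> Optional[Finding]:
    _, _, value = rest.partition(" = ")
    return Finding("info", sec, f"DNS servers {value.strip()}: confirm they are your ISP's", line)

CHECKS = {"R0": _check_r, "R1": _check_r, "O2": _check_o2, "O4": _check_o4, "O17": _check_o17}

def triage(log_text: str) -> List[Finding]:
    """Run every known check over a HijackThis log and return findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        check = CHECKS.get(m.group("sec")) if m else None
        if check is None:
            continue
        finding = check(m.group("sec"), m.group("rest"), line)
        if finding:
            findings.append(finding)
    return findings

def summarize(findings: List[Finding]) -> dict:
    return {s: sum(1 for f in findings if f.severity == s) for s in ("high", "review", "info")}

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

On the sample this yields four "high" findings (the file:// search page, the dangling klgmhe.dll BHO, and the two Temp-directory autoruns), two "review" items and two "info" lines. Anything a script like this leaves unflagged still needs the manual pass Val describes; it only removes the obvious cases from the pile.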

Hey, me again. I rebooted before for good measure; it was still OK. But sometime between 9:15 and now, it happened again. Something is not getting picked up here. I also deleted my temp files and IE files and such, last time. Anyone got any advice? Help?


I cleaned it all again last night. This time my Symantec AV picked up a telnet trojan. Cleaned it all again to see what happens. Has anyone looked at my HijackThis log to see if it is clean? Thank you much, it would be appreciated...


Download and install "FINDnFIX.exe" from any of the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt) and post the results....


AHHH! Back again! All of a sudden just now, 10:10 am! Help! I haven't cleaned anything yet and here is my HiJackThis log!

Obviously I can see a bunch of these have to go... but I have done that and they come back. Anyone see anything hidden that I can't? Or ideas? Thanks!!!

-Andy

 

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:15:26 AM, on 7/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Saitek\Software\SaiSmart.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Andrew Aken\Desktop\Tools\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {F69B9F2F-9BB6-458D-9674-F9CE89A2FB57} - C:\WINDOWS\System32\laihboh.dll

O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe

O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\RunOnce: [KB837272] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP

O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8115.5352199074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{70E4DF3F-3745-4CBF-BC2D-E5928F6598C4}: NameServer = 24.196.64.39,24.196.64.40

 

 

 

 

 

 

 

 

 

ALSO HERE IS MY FINDnFIX LOG! NOTHING HAS BEEN DONE YET TO REPAIR ANYTHING AND I WILL LEAVE MY SYSTEM ON TILL I HEAR BACK. THANKS!

 

 

 

 

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q837009-Q832894-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

Fri 07/02/2004

10:21am up 1 day, 13:14

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\COMMDDF.DLL +++ File read error

\\?\C:\WINDOWS\System32\COMMDDF.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

COMMDDF.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

commddf.dll Mon Jun 28 2004 3:30:44p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\COMMDDF.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group FOXBOX\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Notepad check....

 

C:\WINDOWS\

notepad.exe Mon Jun 28 2004 3:30:34p A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\

notepad.exe Mon Jun 28 2004 3:30:30p A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\DLLCACHE\

notepad.exe Mon Jun 28 2004 3:30:34p A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-28-2004 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows® Operating System

ProductVersion 5.1.2600.0

FileVersion 5.1.2600.0 (xpclient.010817-1148)

LegalCopyright © Microsoft Corporation. All rights reserved.

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050001:0a280000 (5.1:2600.0)

ProdVer: 00050001:0a280000 (5.1:2600.0)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x FOXBOX\Andrew Aken

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: FOXBOX\Andrew Aken

 

Primary Group: FOXBOX\None

 

 

 

»»»»»»Backups created...»»»»»»

10:22am up 1 day, 13:15

Fri 07/02/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 07-02-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-02-2004 winkey.reg

 

»»Performing 16bit string scan....

00001150: ~} vk @ f AppInit_DLLs G

00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ c o m m d d f . d l

000011D0:l h vk UDeviceNotSelectedTimeout

00001210: 1 5 P 9 0 vk ' zGDIProce

00001250:ssHandleQuota" vk Spooler2 y e s _

00001290: h 0 ` vk 5swapdisk vk

000012D0: . TransmissionRetryTimeout h 0 `

00001310: vk ' T USERProcessHandleQuotao ~}

00001350: ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~}

00001390: ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~}

000013D0: ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~}

00001410: ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~}

00001450: ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~}

00001490: ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~}

000014D0: ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~}

00001510: ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~} ~}

00001550:

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG¸ÿÿÿC

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

AppInit

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

5swapdisk

TransmissionRetryTimeout

USERProcessHandleQuotao

 

**File C:\FINDnFIX\WIN.TXT

regf Pugf


Excellent! Problem identified! ;)

 

Now simply this:

 

*Get ready to restart your computer:

- Open the FINDnFIX\Keys1\ Subfolder

-DoubleClick on the "FIX.bat" file.

-You'll be prompted to restart.

-Wait for the popup -Alert to restart your computer in 15 seconds.

-------------------------------------------------------------------------------

On restart, navigate to System32 folder:

-Locate and select the "COMMDDF.DLL" file (as it will be visible)

-Use the folder's top menu > Edit > Move to folder...

-Select C:\junkxxx as the destination and move the "COMMDDF.DLL" there.

--------------------------------------------------------------

When done,

-Go back to the main FINDnFIX folder:

-Run the "RESTORE.bat" file.

-It'll run, clean, and produce new log (log1.txt)

-Post it into your next reply!

-----------------------------------------------------------------------

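An added example, not part of the thread and not FINDnFIX's own code, to show what the log above was getting at. Three things in that output point at the same place: the Windows key is 448 bytes where the default is 450, the API-level dump prints AppInit_DLLs as empty with a "MISSING TRAILING NULL CHARACTER" note, and the raw 16-bit string scan of the backed-up hive shows C:\WINDOWS\System32\commddf.dll sitting right after the AppInit_DLLs name (the same commddf.dll that could not be read or opened earlier in the log). A DLL named in AppInit_DLLs is loaded by user32.dll into every process that loads user32.dll, which would explain why the sp.html start page, the BHO and the O4 entries kept returning after each cleanup. The Python below reproduces the raw-scan side of that check: it pulls printable UTF-16LE runs out of a byte blob without needing a terminating NUL and compares what sits after the AppInit_DLLs name with what the API reported. The hive fragment is constructed for the example and only imitates the name-then-data adjacency seen in the posted dump; it is not the real regf cell layout, and the 'vk' marker and filler bytes are placed by hand.

```python
import re
from typing import List, Optional, Tuple

APPINIT_NAME = b"AppInit_DLLs"
HIDDEN_DLL = r"C:\WINDOWS\System32\commddf.dll"   # the path the posted raw dump showed

def build_fragment(dll_path: str, nul_terminated: bool) -> bytes:
    """Constructed stand-in for a slice of a registry hive. This is NOT the real
    regf cell layout; it only imitates what the posted dump showed: a 'vk'
    marker, the ASCII value name, then the value data as UTF-16LE, with '~}'
    filler around it. nul_terminated=False mimics the 'missing trailing null'
    case FINDnFIX reported."""
    data = dll_path.encode("utf-16-le") + (b"\x00\x00" if nul_terminated else b"")
    return (
        b"~}" * 8
        + b"vk" + b"\x0c\x00" + APPINIT_NAME + b"\x00" * 4
        + data + b"\x00" * 4
        + b"vk" + b"\x18\x00" + b"DeviceNotSelectedTimeout" + b"\x00" * 4
        + "15".encode("utf-16-le") + b"\x00\x00"
        + b"~}" * 8
    )

def utf16le_strings(blob: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """Offsets and text of printable-ASCII runs stored as UTF-16LE (the idea
    behind the '16bit string scan'). No terminating NUL is required, so a
    value written without one still shows up."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){" + str(min_len).encode() + b",}")
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(blob)]

def appinit_dll_from_raw(blob: bytes) -> Optional[str]:
    """First UTF-16LE string lying between the AppInit_DLLs name and the next
    'vk' marker, i.e. the data that belongs to that value in this layout."""
    name_off = blob.find(APPINIT_NAME)
    if name_off < 0:
        return None
    start = name_off + len(APPINIT_NAME)
    end = blob.find(b"vk", start)
    if end < 0:
        end = len(blob)
    for off, text in utf16le_strings(blob):
        if start <= off < end:
            return text
    return None

def assess(api_value: str, blob: bytes) -> dict:
    """Compare what the registry API reported for AppInit_DLLs (api_value; the
    posted dump printed an empty string) against what the raw bytes carry."""
    raw = appinit_dll_from_raw(blob)
    if raw and not api_value.strip():
        verdict = "hidden-appinit"   # API says empty, raw hive carries a DLL path
    elif raw or api_value.strip():
        verdict = "appinit-set"      # visible, but any AppInit DLL on a workstation deserves a look
    else:
        verdict = "clean"
    return {"api": api_value, "raw": raw, "verdict": verdict}

if __name__ == "__main__":
    fragment = build_fragment(HIDDEN_DLL, nul_terminated=False)
    for off, text in utf16le_strings(fragment):
        print(f"{off:08X}: {text}")
    print(assess("", fragment))
```

The practical lesson is the one the fix above relies on: when a tool that reads the registry through the normal API says a value is empty, a byte-level look at the hive (or a backup of it, as FINDnFIX takes with winBack.hiv) is the check that catches a value the API view does not show, and the DLL it names has to be moved out of the way before the registry entry is cleaned, otherwise the loaded code just writes it back.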

Hey, ran the FindnFix thing: here are the results...

 

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Sat 07/03/2004

10:13am up 0 days, 0:02

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q837009-Q832894-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\junkxxx\COMMDDF.222

 

 

C:\JUNKXXX\

commddf.222 Mon Jun 28 2004 3:30:44p A.... 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\JUNKXXX\COMMDDF.222

 

**File C:\JUNKXXX\COMMDDF.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- COMMDDF .222 0000E000 15:30.44 28/06/2004

 

rem replace this entire line with your given command.,..

 

 

 

 

--a-- W32i - - - - 57,344 06-28-2004 commddf.222

A C:\junkxxx\commddf.222

File: <C:\junkxxx\commddf.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\junkxxx\commddf.222 BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

FOXBOX\Andrew Aken:F

BUILTIN\Users:R

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x FOXBOX\Andrew Aken

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: FOXBOX\Andrew Aken

 

Primary Group: FOXBOX\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: NT AUTHORITY\SYSTEM

 

File "C:\junkxxx\commddf.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x FOXBOX\Andrew Aken

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: FOXBOX\Andrew Aken

 

Primary Group: FOXBOX\None

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

»»Notepad check....

 

C:\WINDOWS\

notepad.exe Mon Jun 28 2004 3:30:34p A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\

notepad.exe Mon Jun 28 2004 3:30:30p A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\DLLCACHE\

notepad.exe Mon Jun 28 2004 3:30:34p A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-28-2004 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows® Operating System

ProductVersion 5.1.2600.0

FileVersion 5.1.2600.0 (xpclient.010817-1148)

LegalCopyright © Microsoft Corporation. All rights reserved.

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050001:0a280000 (5.1:2600.0)

ProdVer: 00050001:0a280000 (5.1:2600.0)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

00001150: T vk UDeviceNotSelecte

00001190:dTimeout 1 5 P h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 vk Spooler2

00001210: y e s _ vk 5swapdisk h

00001250: X vk . TransmissionRetryTimeout vk

00001290: ' T USERProcessHandleQuotao h X

000012D0: vk z AppInit_DLLsout i z8

00001310:@ j z8H k D z8 l z8@ m z8 n z8@ o

00001350: z8@ p z8 q z8@ r $ z8 s 4 z8 t D

00001390: z8@ u T z8 Z z8 w |8@ x |8@ y p |8

000013D0:@ z |8@ |8@ | |8@ |8 ~ |8@

00001410: |8@ 0 |8@ @ |8@ z8@ z8@

00001450: z8@ $ z8@ 4 z8 z8 z8@ z8

00001490: z8@ T z8 t z8 z8@ z8@

000014D0: z8 z8 z8@ z8@ z8

00001510: z8 $ z8 D z8@ T z8 d z8@ t z8

00001550:@

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG¸ÿÿÿC

 

---------- NEWWIN.TXT

AppInit_DLLsoutÆ

**File C:\FINDnFIX\NEWWIN.TXT

**File C:\FINDnFIX\NEWWIN.TXT

000012F0: 01 00 00 00 01 00 7A 00 . 5F 44 4C 4C 73 6F 75 74 ......z. _DLLsout

**File C:\FINDnFIX\NEWWIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' T USERProcessHandleQuotao àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk € z AppInit_DLLsoutÆ

The Search for... is still there so... ???

Great progress! :thumbsup:

Last step(s):

-Open the FINDnFIX\Files2 subfolder: Run the -> "ZIPZAP.bat" file. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions: Simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit to the specified addresses! Thanks!

When done, restart your computer and delete the entire 'FINDnFIX' file+folder(s) from C:\, and be sure the C:\junkxxx folder was deleted (as part of the cleanup process).

As for the remains, run any and all removal tools once again as they should work properly now! In particular, CWShredder.exe and fully updated Ad-Aware!

Feel free to post a follow up hijackthis log when done! ;)

Hey, thanks! That alone seemed to work! So I ran CWShredder and it closed... it told me a version of CWS has tried to close the Shredder to try and save itself, so it reopened CWShredder with a goofy string of letters to trick it. It found the CWS.Searchx again. Removed. And currently running Ad-Aware! Looks good so far. Thanks. HiJackThis log soon to follow! (10 min)

All looks clean! Here's this HiJack log. Thanks man! That worked! Can you tell me any more info about FindnFix???

Logfile of HijackThis v1.97.7

Scan saved at 11:31:57 AM, on 7/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RUNDLL32.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Andrew Aken\Desktop\Tools\HiJackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe

O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8115.5352199074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{70E4DF3F-3745-4CBF-BC2D-E5928F6598C4}: NameServer = 24.196.64.39,24.196.64.40

Glad we could help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
