• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
papavrn

I can't get rid of it even if I fix it!!

82 posts in this topic

Hi! I need help cause I have a hijack thing! This has been going for a long time. I run adware, csw, spybot. Each time adware and csw find it and clean it but after a couple of times a reboot it comes up again!!

Here is my log from hijack:

Logfile of HijackThis v1.97.7

Scan saved at 7:20:34 PM, on 5/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\unzipped\hijackthis1977\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7340150D-0FB2-43FE-8787-CFF0114999D5} - C:\WINDOWS\SYSTEM32\xkniao.dll

O2 - BHO: (no name) - {85B13CE4-DBB2-4A8C-BF67-D28E4410B8C5} - C:\WINDOWS\System32\gfgb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD88753F-CB0F-45D4-A14E-8362BD288E91}: NameServer = 205.188.146.146

 

Please help me out. I HATE IT!!!

Share this post


Link to post
Share on other sites

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Share this post


Link to post
Share on other sites

Use the Registrar Lite program again. Navigate to (you can type the line directly into reglite address bar and hit 'go'):

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Rename the Windows key in the left pane to something else - for example:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

 

(You should now be able to clear the hidden contents of the AppInit_DLLs value in the right pane without being undone by the hidden process.)

 

DoubleClick "Appinit_Dlls" value on right pane and erase the data on the lower box (in value field):

 

"C:\WINDOWS\System32\hlpl.dll", hit 'apply' and 'ok' to set.

 

Rename NotWindows back to Windows in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the hlpl.dll in C:\WINDOWS\System32.

 

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINDOWS\System32\hlpl.dll

Copy and paste this into the 'To' box: C:\Junk\hlpl.dll

 

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there. If it's there, re-run CWShredder, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log for the next steps.

Share this post


Link to post
Share on other sites

Hmmm... OK. Let's clean up manually and see if it comes back.

 

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfgb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {7340150D-0FB2-43FE-8787-CFF0114999D5} - C:\WINDOWS\SYSTEM32\xkniao.dll

O2 - BHO: (no name) - {85B13CE4-DBB2-4A8C-BF67-D28E4410B8C5} - C:\WINDOWS\System32\gfgb.dll

 

Reboot when done, rescan with HJT and post a new log here for a final check over.

Share this post


Link to post
Share on other sites

ok, Here's the log

Logfile of HijackThis v1.97.7

Scan saved at 9:32:12 AM, on 5/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\unzipped\hijackthis1977\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Ok here's the RIGHT log

 

Logfile of HijackThis v1.97.7

Scan saved at 9:37:00 AM, on 5/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\unzipped\hijackthis1977\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Have AAW fix whatever it found. There's no evidence of it in your log now - if it's still present it will come back and we'll have take a different approach. Let me know.

Share this post


Link to post
Share on other sites

Try this. Download 'Dllfix.exe' from here. It is a self-extracting archive; double click on it. Open the DLLFIX folder and double click on Start.bat.

 

At the main menu, press '1' (Run Find-All by FreeAtLast) and enter. Let the program run. When finished, press 'E' to exit. Open the DLLFix folder. Post the contents of Output.txt in this thread.

Share this post


Link to post
Share on other sites

Ok here it is:

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Sun 05/23/2004

09:40 AM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (143D:DAAA) - FS:NTFS clusters:4k

Total: 29 956 468 736 [28G] - Free: 22 758 301 696 [21G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q832894;Q831167;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

9:40am up 0 days, 0:43

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\HLPL.DLL +++ File read error

\\?\C:\WINDOWS\System32\HLPL.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

501b0 1296 norm SysFader

20222 2940 norm SysFader

20086 1296 norm Start Menu

1007c 1296 norm CiceroUIWndFrame

30036 1296 norm _Shell_TrayWnd

10026 700 high NetDDE Agent

b01cc 3600 norm C:\WINDOWS\System32\cmd.exe

5022c 2940 norm SWI Forums -> I can't get rid of it even if I fix it!! - Microsoft Internet Exp

701c6 1296 norm Desktop

40204 2940 norm MCI command handling window

303f4 2672 norm EchoPortManagerWnd

2036c 2940 norm DDE Server Window

20256 2120 norm Xprt Message Window

201f8 2120 norm AXTimer

30188 2120 norm DDE Server Window

103be 2672 norm Animated BMP Sequence

103bc 2672 norm Animated BMP

103da 2672 norm MCI command handling window

103c6 2672 norm MSNMSGRPassportLogin

103c4 2672 norm MSBLNetConn

1037e 2672 norm DDE Server Window

200bc 1800 norm Notification Wnd for PNSetupMgr

1019c 1800 norm RealPlayer

1014e 1296 norm Connections Tray

1014a 1748 norm HkWndName

200c4 1860 norm Music Match Tray Applet

1012c 1772 norm Touchpad driver tray icon window

200ce 1296 norm Power Meter

200c2 1296 norm MS_WebcheckMonitor

100c0 1736 norm UnErase Process

100be 1772 norm Touchpad driver backward compatibility window

100b8 1772 norm Touchpad driver helper window

100b6 1812 norm DVDSentry

100aa 1764 norm Touchpad driver helper window

100b4 1800 norm Audio Services Internal Messages

100ae 1800 norm RMAEngineCommInternal

100a2 1700 norm Support

10220 1296 norm SysFader

40184 2120 norm America Online provided by Dell®

1007e 1296 norm Program Manager

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E97A8668-3509-48E7-8ACF-AAD4D9676F9B}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{53A318BF-3FA2-4D7A-A512-6E752E396C0F}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{53A318BF-3FA2-4D7A-A512-6E752E396C0F}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access NIKI\Papavramidou

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access NIKI\Papavramidou

 

 

Share this post


Link to post
Share on other sites

Open the DLLFIX folder and double click on Start.bat. At the main menu, press '2' (Run Fix) and enter. At the second menu, press '1' (Enter DLL Name Manually) and enter.

 

At the prompt, enter: hlpl.dll

 

Your system will reboot in 15 seconds and begin the fix. When finished, there will be a log (log.txt) in the dllfix folder. Paste it into your next reply.

Share this post


Link to post
Share on other sites

ok there it is:

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Sun 05/23/2004

09:48 AM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

Deleting temp value

 

The operation completed successfully

 

Running from C:\Documents and Settings\Papavramidou\Desktop\dllfix

Processing File Manually

C:\WINDOWS\system32\hlpl.dll

Md5 Check of C:\WINDOWS\system32\hlpl.dll

 

Md5 tested As D41D8CD98F00B204E9800998ECF8427E

File was found but md5 didnt match

MD5 was: D41D8CD98F00B204E9800998ECF8427E

Resetting file attributes

Processing ACL of: <\\?\C:\WINDOWS\system32\hlpl.dll>

 

SetACL finished successfully.

File was zipped for submission to Shadowwar

File is located at C:\Documents and Settings\Papavramidou\Desktop\dllfix\submit.zip

please Email a copy to spywaresubmit at aol.com

Please include a link to your post.

File is still in original location now unlocked.

It is now ok to proceed with Rest of Cleanup.

Share this post


Link to post
Share on other sites

Don't panic :)

 

See if you can now delete C:\WINDOWS\system32\hlpl.dll

 

If not try this with Winfile:

 

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Open up Winfile, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINDOWS\System32\hlpl.dll

Copy and paste this into the 'To' box: C:\Junk\hlpl.dll

 

Then click here to download Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

 

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

 

Reboot when done, rescan with HJT and post a new log here so that any remnants can be removed manually.

Share this post


Link to post
Share on other sites

Daemon the WinFile thing didn't work. I got the same error message saying:

File Manager cannot move C:\WINDOWS\System32\hlpl.dll :There are no more files

What can I do?

Share this post


Link to post
Share on other sites

Carry on with the rest of the recommendations.

 

Using Explorer, do a search for hlpl.dll and let me know where it is located.

Share this post


Link to post
Share on other sites

I did the ss&d and it only found dialer and Windows DOI (or something). Now I am running Ad-aware. Usually Ad-aware finds it, I clean it and my log is clean for the rest of the day. But afterwards I get infected again... Hopeless

Share this post


Link to post
Share on other sites

OK I did everything and here is the log

 

Logfile of HijackThis v1.97.7

Scan saved at 4:31:32 PM, on 5/23/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\unzipped\hijackthis1977\HijackThis.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {26462E81-6EC8-4AA2-AAE7-F9A3B7CB4C6B} - c:\windows\system32\jpdcca.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

With only HJT running (print this page), have it fix:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jpdcca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {26462E81-6EC8-4AA2-AAE7-F9A3B7CB4C6B} - c:\windows\system32\jpdcca.dll (file missing)

 

Reboot when done. If successful, the problem will not come back. Let me know.

Share this post


Link to post
Share on other sites

Daemon I did it all and I thing it's fixed (the ad-aware found nothing at the end).

THANK YOU SO MUCH!!!

NIki

Share this post


Link to post
Share on other sites

You're welcome - glad to help :D

 

I'll leave this open for a day or so - could you post back and confirm everything is still OK?

Share this post


Link to post
Share on other sites

I don't know what's wrong. That's why I told you it's coming back even if I fix it. That's what it always does: it gives the illusion that it's gone but it's not. It's stubborn and I am currently at the very edge...

Edited by papavrn

Share this post


Link to post
Share on other sites

It's back because we never got rid of the hidden hijacker. This one is a real pain - I have had instances like yours when a clean-up was all that was required, however, for you to be free of this we have to get rid of that file.

 

Shadowwar has updated his fix. Go here and download the latest version. It is a self-extracting archive; double click on it. Open the DLLFIX folder and double click on Start.bat.

 

At the main menu, press '2' (Run Fix) and enter. At the second menu, press '1' (Enter DLL Name Manually) and enter.

 

At the prompt, enter: hlpl.dll

 

Your system will reboot in 15 seconds and begin the fix. When finished, there will be a log (log.txt) in the dllfix folder. Paste it into your next reply with a new HJT log.

Share this post


Link to post
Share on other sites

The dllfix didn't find it. It says:

the system was unable to find the specified registry key or value. That's a good error message.

Afterwards, I run HJT and here's the log

Logfile of HijackThis v1.97.7

Scan saved at 2:58:35 PM, on 5/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\System32\cmd.exe

C:\WINDOWS\system32\reg.exe

C:\unzipped\hijackthis1977\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {83CA973E-8DED-480E-9497-0AD5F0B0C84E} - C:\WINDOWS\System32\bgge.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Apparently, it's the same as in the previous times, so manually deleting the logs will not do. What do we do?? I'm totally panicked

Share this post


Link to post
Share on other sites

Don't panic - this is an irritation rather than something harmful. Could you post the log.txt

 

Open the DLLFIX folder and double click on Start.bat.

 

At the main menu, press '1' (Run Find-All by FreeAtLast) and enter. Let the program run. When finished, press 'E' to exit. Open the DLLFix folder. Post the contents of Output.txt in this thread.

 

In the meantime, I will contact shadowwar and bring his attention to this thread - he may be able to see something I am missing on why we are struggling to nail this one.

Share this post


Link to post
Share on other sites

Thank you sooo much. Here's the output contents:

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Mon 05/24/2004

03:21 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (143D:DAAA) - FS:NTFS clusters:4k

Total: 29 956 468 736 [28G] - Free: 22 928 945 152 [21G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q832894;Q831167;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

3:21pm up 0 days, 1:16

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\HLPL.DLL +++ File read error

\\?\C:\WINDOWS\System32\HLPL.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

20078 1312 norm Start Menu

10074 1312 norm CiceroUIWndFrame

30030 1312 norm _Shell_TrayWnd

80258 3824 norm SysFader

10026 700 high NetDDE Agent

701e0 3824 norm SWI Forums -> I can't get rid of it even if I fix it!! - Microsoft Internet Exp

20410 3528 norm C:\WINDOWS\System32\cmd.exe

60376 3824 norm DDE Server Window

5029a 2692 norm Xprt Message Window

60290 2692 norm AXTimer

a014a 2692 norm DDE Server Window

2012a 1660 norm Notification Wnd for PNSetupMgr

101a0 1660 norm RealPlayer

10150 1312 norm Connections Tray

1014e 1572 norm HkWndName

1012c 1616 norm Touchpad driver tray icon window

200d0 1756 norm Music Match Tray Applet

100c4 1312 norm Power Meter

100c2 1312 norm MS_WebcheckMonitor

100c0 1808 norm UnErase Process

100be 1616 norm Touchpad driver backward compatibility window

100ba 1616 norm Touchpad driver helper window

100b8 1660 norm Audio Services Internal Messages

100b2 1660 norm RMAEngineCommInternal

100aa 1672 norm DVDSentry

100a2 1588 norm Touchpad driver helper window

100a0 1548 norm Support

2021c 1312 norm SysFader

401a8 3252 norm HijackThis - v1.97.7

401ae 3252 norm HijackThis

d0144 2692 norm America Online provided by Dell®

10076 1312 norm Program Manager

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83CA973E-8DED-480E-9497-0AD5F0B0C84E}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{CA33510E-7C0D-42F7-9116-FFB9BA8F874E}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{CA33510E-7C0D-42F7-9116-FFB9BA8F874E}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access NIKI\Papavramidou

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access NIKI\Papavramidou

 

 

Share this post


Link to post
Share on other sites

From reading this thread, I think he missed finding the correct value for that appinit_dll part. I wonder if he should go back and look that value up again just to be sure.

Share this post


Link to post
Share on other sites

looks like this may be a new variant. Can you send me the submit.zip please?

 

Also i need to see the full logs.txt if you can post that also please?

Edited by shadowwar

Share this post


Link to post
Share on other sites

I don't know what the submit.zip is. But as far as the logs are concerned, here is the one from HJT

Logfile of HijackThis v1.97.7

Scan saved at 5:37:17 PM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\System32\carpserv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\unzipped\hijackthis1977\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {83CA973E-8DED-480E-9497-0AD5F0B0C84E} - C:\WINDOWS\System32\bgge.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD88753F-CB0F-45D4-A14E-8362BD288E91}: NameServer = 205.188.146.146

 

Thank you for replying. I thought I was a lost case!!!

Share this post


Link to post
Share on other sites

Ok. The "logs" txt says that

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Mon 05/24/2004

02:56 PM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Adding Back Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

 

Restoring Cleaned Appinit Value

Value Appinit_Dlls exists, overwrite(Y/N)?

Share this post


Link to post
Share on other sites

As I said to Daemon before, and this may sound to you really stupid, something suspicious is going on with the messenger. Everytime I press on the link leading to my e-mail inbox, I get re-infected, or the hijack activates all of a sudden. I don't know if this makes sense but it seemed weird and I thought you should know

Share this post


Link to post
Share on other sites

Well that should not of happened. This seems more and more like a new variant. I just updated the dllfix. Was this rebooting on its own? Can you delete that copy and redownload please.

After thats done. run option 2 than option 2 to let it search. it should reboot on its own and give a 15 second countdown.

Let it reboot. After its done running after the reboot the logs.txt should open. Please paste it here again.

Share this post


Link to post
Share on other sites

Thank you I am downloading and I'll post the logs. It does not reboot, it only changes my homepage to "search", it does this thing with my messenger, it has popups for spyware cleaning and I think it kind of affects my laptop (e.g I can't see some images, error messages, etc.)

Share this post


Link to post
Share on other sites

yes i know.. what it has. infected myself many of times testing. ;) after thats extracted/installed double click start.bat again in the dllfix folder. run option 2 than run the second option 2..

It should after its done pop a msgbox rebooting in 15 seconds.

Let it reboot.

 

it should continue running after the reboot as windows is loading.

Edited by shadowwar

Share this post


Link to post
Share on other sites

Ok I did it all and here are the logs:

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Tue 05/25/2004

06:40 PM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Adding Back Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

 

Restoring Cleaned Appinit Value

 

The operation completed successfully

 

Deleting Filter text

Running from C:\Documents and Settings\Papavramidou\Desktop\FixFolder\dllfix

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Scanning For main hijacker.

Found Main Hijacker Dll:C:\WINDOWS\System32\BGGE.DLL

Md5 tested As 0758CF635DF08AC381962F74832B6484

MD5 Matched known Baddie

Deleting Hijacker Dll: C:\WINDOWS\System32\BGGE.DLL

Succesfully Deleted

Scanning For main hijacker.

Scanning for Hidden Dll in system32 1st pass

File was not found on first Pass.

 

Scanning for Hidden Dll in system32 2nd pass

File found was: C:\WINDOWS\System32\HLPL.DLL

 

Md5 Check of C:\WINDOWS\System32\HLPL.DLL

 

Md5 tested As D41D8CD98F00B204E9800998ECF8427E

File was found but md5 didnt match

MD5 was: D41D8CD98F00B204E9800998ECF8427E

Resetting file attributes

Processing ACL of: <\\?\C:\WINDOWS\System32\HLPL.DLL>

 

SetACL finished successfully.

File was zipped for submission to Shadowwar

File is located at C:\Documents and Settings\Papavramidou\Desktop\FixFolder\dllfix\submit.zip

please Email a copy to spywaresubmit at aol.com

Please include a link to your post.

File is still in original location now unlocked.

It is now ok to proceed with Rest of Cleanup

Share this post


Link to post
Share on other sites

ok check the dllfix folder. the submit.zip check the size please?

 

also can you see this file now?

C:\WINDOWS\System32\HLPL.DLL

 

navigate to the folder and look if its there.

Edited by shadowwar

Share this post


Link to post
Share on other sites

The size is 2K. I don't completely understand what you want me to do. I unzipped it but at the end the only thing was the log.txt

And I checked the C:\WINDOWS\System32\ and it's not there. I searched and it just doen't exist

Share this post


Link to post
Share on other sites

thats fine. do you have your xp cd? we need to boot to recovery console and see if we can get to it that way.

Share this post


Link to post
Share on other sites

this file actively hides itself. thats the main problem with dealing with it.

So if it shows we got it to stop running.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0