I can't get rid of it even if I fix it!!


81 replies to this topic

#51 papavrn

Posted 25 May 2004 - 06:02 PM

You mean the one Dell sent me, the "Reinstallation XP including Service Pack 1"?

#52 shadowwar

Posted 25 May 2004 - 06:07 PM

That should be it. At the top of the page is the link for the IRC chatroom.
Use that and I am in the chatroom. You can use the Java client. This one may get hairy to remove. It might be easier to talk you through removing this one.



#53 papavrn

Posted 25 May 2004 - 06:13 PM

I'd love to but it's not loading. I get the popup and then it's done with nothing happening, just a gray screen!!!

#54 shadowwar

Posted 25 May 2004 - 06:15 PM

Ugh, ok. Have Sun Java installed?
www.java.com if you don't.



#55 papavrn

Posted 25 May 2004 - 06:18 PM

I am downloading. Then what??

#56 shadowwar

Posted 25 May 2004 - 06:19 PM

After it's installed, try the chatroom again.



#57 shadowwar

Posted 25 May 2004 - 06:45 PM

If you still can't get in, try the instructions here with your XP CD. Let me know if you get it installed.

http://www.pureperfo...wtip.asp?id=135
http://www.pureperfo...ails.asp?id=135



#58 papavrn

Posted 25 May 2004 - 06:46 PM

I think I'll make it. It's loading the Java Applet. We'll see...

#59 papavrn

Posted 25 May 2004 - 06:53 PM

Forget it. I can't get in the chat. I am installing the thing with the Windows XP now.

#60 shadowwar

Posted 25 May 2004 - 06:55 PM

Ok, let me know. Then I will have to give you instructions on how to use it and what to do.
Can you print out instructions or write them down? You won't have internet access while we do this.
Also, do you know your administrator account password?



#61 shadowwar

Posted 25 May 2004 - 06:56 PM

If you don't know the password, go here:
http://download.broadbandmedic.com/

and download the Recovery Console password fix and run it.



#62 papavrn

Posted 25 May 2004 - 06:56 PM

I can write them down. I don't think I have a password for administrator. Do I???
It's finished with the installation.

#63 shadowwar

Posted 25 May 2004 - 06:57 PM

Ok, download the above and run it.



#64 papavrn

Posted 25 May 2004 - 06:58 PM

Ok everything is ready, downloaded and installed. Now what?

#65 shadowwar

Posted 25 May 2004 - 07:04 PM

Ok, after that's all done:

1. Reboot.
2. A boot menu will appear. Choose the Recovery Console option.
3. It will load up and drop you to a DOS prompt that will look like this:

c:\windows

Type on that line:

cd system32
(hit enter)
The prompt should change to
c:\windows\system32

Type on that line this command:

ren hlpl.dll hlpl.bad
(hit enter)

It should just go to the next prompt with no error message or anything.

Reboot to normal mode (you can shut the computer off and back on).

Look in c:\windows\system32 again and see if you see hlpl.bad there.
If you do, don't do anything yet.
Post back here.



#66 papavrn

Posted 25 May 2004 - 07:04 PM

Reboot with the XP CD in?

#67 shadowwar

Posted 25 May 2004 - 07:08 PM

No, you can take it out.



#68 papavrn

Posted 25 May 2004 - 07:20 PM

Ok, I was cut off in the middle. When I typed ren hlpl.dll hlpl.bad it said: the parameter is not valid. I typed instead RENAME hlpl.dll hlpl.bad and it said the system cannot find the file or directory specified.

#69 papavrn

Posted 25 May 2004 - 07:24 PM

I don't believe this. I just checked in System32 and one moment the hlpl.bad was there and the next it wasn't. I didn't touch it, I just scrolled the bar of the window and when I got to it, it disappeared!!!

Edited by papavrn, 25 May 2004 - 07:25 PM.


#70 papavrn

Posted 25 May 2004 - 07:31 PM

I made it in the chat room

#71 papavrn

Posted 25 May 2004 - 07:59 PM

Where are you? I'm back with baaaad news.

#72 papavrn

Posted 25 May 2004 - 08:31 PM

You're no longer on the chat, so here is the result. When I typed the "attrib...." thing I got back a message that the parameter is not valid. When I typed "del hlpl.dll" and "del hlpl.bad" both times it said "no matching files". I hate it.

#73 shadowwar

Posted 25 May 2004 - 09:13 PM

Ok, run a new find-all from the dllfix and post it please.



#74 papavrn

Posted 26 May 2004 - 06:42 AM

Ok, here is the log from dllfix:
CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Wed 05/26/2004
07:34 AM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully

Deleting Filter text
Running from C:\Documents and Settings\Papavramidou\Desktop\FixFolder\dllfix
Unlocking Locked File
Scanning For main hijacker.
Scanning for Hidden Dll in system32 1st pass
File was not found on first Pass.

Scanning for Hidden Dll in system32 2nd pass
A file could not be found.

Here is a directory listing to post.


---------- DIR.TXT
05/02/2004 11:45 AM 157,696 rmoc3260.dll
05/02/2004 11:44 AM 5,632 pndx5032.dll
05/02/2004 11:44 AM 6,656 pndx5016.dll
05/02/2004 11:44 AM 278,528 pncrt.dll
04/14/2004 11:17 AM 53,248 unrar.dll
04/09/2004 04:53 PM 6,656 spmsg.dll
03/29/2004 08:48 PM 257,536 gdi32.dll
03/29/2004 08:48 PM 439,808 ipnathlp.dll
03/29/2004 08:48 PM 136,704 schannel.dll
03/29/2004 08:48 PM 548,352 rtcdll.dll
03/29/2004 08:48 PM 593,408 h323msp.dll
03/29/2004 08:48 PM 971,264 msgina.dll
03/29/2004 08:48 PM 306,176 netapi32.dll
03/29/2004 08:48 PM 667,648 lsasrv.dll
03/29/2004 08:48 PM 51,712 msasn1.dll
03/29/2004 08:48 PM 36,864 mf3216.dll
03/16/2004 01:44 PM 30,749 vbajet32.dll
03/16/2004 01:44 PM 1,507,356 msjet40.dll
03/16/2004 12:38 PM 614,431 mswstr10.dll
03/16/2004 12:38 PM 151,583 msjint40.dll
03/10/2004 12:59 PM 593,408 xpsp2res.dll
03/05/2004 09:16 PM 977,920 msdtctm.dll
03/05/2004 09:16 PM 499,712 clbcatq.dll
03/05/2004 09:16 PM 226,816 es.dll
03/05/2004 09:16 PM 1,183,744 ole32.dll
03/05/2004 09:16 PM 535,552 rpcrt4.dll
03/05/2004 09:16 PM 1,194,496 comsvcs.dll
03/05/2004 09:16 PM 263,680 rpcss.dll
03/05/2004 09:16 PM 499,200 comuid.dll
03/05/2004 09:16 PM 225,280 catsrv.dll
03/05/2004 09:16 PM 82,432 mtxoci.dll
03/05/2004 09:16 PM 594,944 catsrvut.dll
03/05/2004 09:16 PM 150,528 msdtcuiu.dll
03/05/2004 09:16 PM 110,080 clbcatex.dll
03/05/2004 09:16 PM 97,280 txflog.dll
03/05/2004 09:16 PM 64,512 colbact.dll
03/05/2004 09:16 PM 367,616 msdtcprx.dll
03/05/2004 09:16 PM 64,512 mtxclu.dll
03/02/2004 01:18 PM 593,408 INETCOMM.DLL
03/01/2004 01:55 PM 348,189 msxbde40.dll
03/01/2004 01:55 PM 552,989 msrepl40.dll
03/01/2004 01:55 PM 258,077 mstext40.dll
03/01/2004 01:55 PM 348,189 mspbde40.dll
03/01/2004 01:55 PM 241,693 msjtes40.dll
03/01/2004 01:55 PM 319,517 msexcl40.dll
03/01/2004 01:55 PM 512,029 msexch40.dll
03/01/2004 01:52 PM 358,976 msjetoledb40.dll
02/09/2004 10:10 PM 200,984 wuaueng.dll
02/09/2004 10:09 PM 183,064 iuengine.dll
02/09/2004 10:08 PM 115,480 iuctl.dll
02/06/2004 06:05 PM 588,288 WININET.DLL
01/21/2004 04:21 PM 1,026,048 BROWSEUI.DLL
01/21/2004 04:20 PM 484,352 URLMON.DLL
01/21/2004 04:19 PM 2,795,520 MSHTML.DLL
01/21/2004 04:15 PM 1,339,904 SHDOCVW.DLL
01/21/2004 03:18 PM 395,264 SHLWAPI.DLL
01/10/2004 06:37 AM 380,957 expsrv.dll
01/10/2004 06:36 AM 831,519 mswdat10.dll
01/10/2004 06:36 AM 315,423 msrd3x40.dll
01/10/2004 06:36 AM 421,919 msrd2x40.dll
01/10/2004 06:36 AM 213,023 msltus40.dll
01/10/2004 06:36 AM 53,279 msjter40.dll
01/02/2004 03:20 PM 466,944 capicom.dll

#75 shadowwar

Posted 26 May 2004 - 07:01 AM

Sorry, I meant for you to run a find-all report from option 1 when you start start.bat.



#76 papavrn

Posted 26 May 2004 - 07:10 AM

Ok, here's the new log:

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Wed 05/26/2004
08:08 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (143D:DAAA) - FS:NTFS clusters:4k
Total: 29 956 468 736 [28G] - Free: 22 744 215 552 [21G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
8:09am up 0 days, 0:33
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
10094 1280 norm Start Menu
10090 1280 norm CiceroUIWndFrame
20050 1280 norm _Shell_TrayWnd
10026 700 high NetDDE Agent
50258 2128 norm C:\WINDOWS\System32\cmd.exe
60414 304 norm MCI command handling window
103da 304 norm Animated BMP Sequence
103d8 304 norm Animated BMP
203e2 304 norm MSNMSGRPassportLogin
103e0 304 norm MSBLNetConn
1039a 304 norm DDE Server Window
20174 436 norm Notification Wnd for PNSetupMgr
1012a 1280 norm Connections Tray
101ac 436 norm RealPlayer
101aa 436 norm Audio Services Internal Messages
101a4 436 norm RMAEngineCommInternal
101a0 472 norm Music Match Tray Applet
1015a 424 norm Touchpad driver tray icon window
10158 424 norm Touchpad driver backward compatibility window
10156 424 norm Touchpad driver helper window
10152 444 norm DVDSentry
10150 412 norm Touchpad driver helper window
2012e 400 norm HkWndName
10128 1832 norm Support
100c6 1280 norm Power Meter
30040 1620 norm UnErase Process
100c4 1280 norm MS_WebcheckMonitor
20228 1280 norm SysFader
10092 1280 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83CA973E-8DED-480E-9497-0AD5F0B0C84E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access NIKI\Papavramidou
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access NIKI\Papavramidou




#77 shadowwar

Posted 26 May 2004 - 07:20 AM

You know what? Something you did got rid of the file. It's no longer there.

Post a hijackthis log please.



#78 papavrn

Posted 26 May 2004 - 07:22 AM

You think?? Please, please, please, please...

Logfile of HijackThis v1.97.7
Scan saved at 8:22:55 AM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis1977\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83CA973E-8DED-480E-9497-0AD5F0B0C84E} - C:\WINDOWS\System32\bgge.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD88753F-CB0F-45D4-A14E-8362BD288E91}: NameServer = 205.188.146.146

#79 shadowwar

Posted 26 May 2004 - 07:24 AM

Ok, close all IE windows and fix the following:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {83CA973E-8DED-480E-9497-0AD5F0B0C84E} - C:\WINDOWS\System32\bgge.dll (file missing)

click fix.

Post me a fresh hijackthis log again. That should be it.
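
Added example (editor's code, not HijackThis's own logic and not anything posted in this thread): a small Python script that applies the triage shadowwar just did by hand to the R/O entries of the log above, so the fix list can be reproduced and checked instead of eyeballed. The input is the relevant entries copied from the first HijackThis log posted above; the rule wording, the "fix"/"review"/"ok" verdicts and the Finding class are this example's own invention. It marks for removal only what shadowwar marked: the R0/R1 search values redirected into a res:// resource inside a DLL in System32, the HomeOldSP value, and the unnamed O2 BHO whose DLL is missing. Entries that merely deserve a second look (a Run entry with a bare file name, the Dell ActiveX download, the explicit DNS server that shadowwar left alone) come back as "review", not "fix".

```python
import re
from dataclasses import dataclass

# Constructed sample input: the R/O entries copied from the first
# HijackThis log in the thread. The process list is left out because
# none of the rules below look at it.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bgge.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83CA973E-8DED-480E-9497-0AD5F0B0C84E} - C:\WINDOWS\System32\bgge.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD88753F-CB0F-45D4-A14E-8362BD288E91}: NameServer = 205.188.146.146
"""

# One HijackThis entry: "<kind> - <body>", e.g. "R1 - HKCU\...,Search Bar = ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# A res:// URL whose host object is a DLL sitting in System32.
RES_IN_SYSTEM32_RE = re.compile(r"^res://.*\\system32\\[^\\/]+\.dll\b", re.IGNORECASE)
# "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.*)$", re.IGNORECASE)
# "HKLM\..\Run: [<name>] <command>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    line: str      # the log line exactly as HijackThis printed it
    verdict: str   # "fix", "review" or "ok" (this example's own scale)
    reason: str


def classify(kind: str, body: str) -> tuple[str, str]:
    """Return (verdict, reason) for one entry, following the thread's triage."""
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if RES_IN_SYSTEM32_RE.match(value):
            return "fix", "IE search/start value redirected into a resource inside a System32 DLL"
        if key.endswith(",HomeOldSP"):
            return "fix", "HomeOldSP value; removed in the thread together with the redirected values"
        return "ok", "IE start/search value with an ordinary URL"
    if kind == "O2":
        m = BHO_RE.match(body)
        if m is None:
            return "review", "BHO line in an unexpected format"
        if m["name"] == "(no name)" and "(file missing)" in m["path"]:
            return "fix", "unnamed BHO whose DLL is gone: a dead registration left behind by the hijacker"
        if m["name"] == "(no name)":
            return "review", "unnamed BHO: confirm the DLL belongs to a product you installed"
        return "ok", "named BHO with its DLL on disk"
    if kind == "O4":
        m = RUN_RE.match(body)
        if m is not None and "\\" not in m["cmd"]:
            return "review", "Run entry with a bare file name: it is found via the PATH, so check which file really loads"
        return "ok", "Run entry with a full path"
    if kind == "O16":
        return "review", "ActiveX control downloaded from the web: confirm the host is the vendor's"
    if kind == "O17":
        return "review", "explicit DNS server: confirm it belongs to the ISP before changing it"
    return "ok", "no rule for this entry type"


def triage(log_text: str) -> list[Finding]:
    """Classify every R/F/N/O entry in a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # header, blank line or process-list path
        verdict, reason = classify(m["kind"], m["body"])
        findings.append(Finding(line, verdict, reason))
    return findings


def fix_list(log_text: str) -> list[str]:
    """The lines to tick and 'Fix checked' in HijackThis."""
    return [f.line for f in triage(log_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.line[:72]}  # {f.reason}")
```

Tick exactly the lines fix_list() returns and click "Fix checked"; anything marked "review" is confirmed against the vendor before it is touched. The res:// rule is the core of it: a search page served out of an unnamed DLL in System32, the same DLL the dead BHO points at, is the hijack, and the other entries are context.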



#80 papavrn

Posted 26 May 2004 - 07:41 AM

OK, here is the last log from HJT:

Logfile of HijackThis v1.97.7
Scan saved at 8:40:20 AM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\unzipped\hijackthis1977\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#81 shadowwar

Posted 26 May 2004 - 08:00 AM

Please run your Windows Updates to help prevent being reinfected.

Internet Explorer / Tools (at top of screen) / Windows Update
Install all critical ones at least. After you reboot, recheck again, as there may be more!

Also see the link in my signature:

How did I get infected in the first place?

Here is some software that will help with prevention:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Also, a good firewall if you do not have one, like ZoneAlarm in my signature, will help protect you and monitor what is accessing the internet.

Also an antivirus if you do not have one already: http://www.grisoft.c...s_dwnl_free.php

All free programs.



#82 papavrn

Posted 27 May 2004 - 04:00 PM

Shadowwar, I got the hlpl.bad in the backup items in my Norton Quarantine!!!



