CWShredder doesn't work


  • This topic is locked
8 replies to this topic

#1 wisevlad

wisevlad

    Member

  • New Member
  • Pip
  • 3 posts

Posted 16 May 2004 - 11:02 AM

Dear All,

My browser has been hijacked by CWS, and I write to ask for your help on this.
Since I had this problem before, I knew that CWShredder is the best out there to cure this disease.

So I downloaded the latest version of CWShredder and ran it (after running Adware, SpyBot, kill2me, and Spy sweeper).
The dialogue box said that I have a CWS smartsearch variant which closes CWShredder, and it seemed that your program knows how to work around this.

Everything worked fine (CWS bootconf was removed, and the program said no other variants were identified) until 'fix' reached 'CWS Smartsearch'. After a second of hanging, the program was closed with a message saying that an unexpected error had happened so the program was closed by Windows (it was not the 'missing DLL' error you mentioned on your site).

Then I looked up forums and found that I need to run another program first
(CWS smartsearch killer), so I tried that. But the program said that I have no infection.

Although I tried this combination tons of times (CWS smartsearch killer first, then CWShredder next), it kept running into the same error - no infection found by smartsearch killer, CWShredder closed at removing CWS smartsearch.

I have no clue what I did wrong. The browser is still being redirected to some stupid sites every 3-5 minutes (even when I have just turned my machine on and am not using the browser). The HijackThis log doesn't show any suspicious procedures - most of them are what I installed from legitimate sources (such as freechal.com or nprotect.com). The only thing that I fixed after scanning was the 'ieautosearch' part, but those three lines keep appearing even after I fixed it.
Could anyone please help me out on this? It has been a big pain in the back for almost a week... For your info, I attach the log file from HJT.

C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Luvin\Desktop\HijackThis.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Luvin\Application Data\Mozilla\Profiles\default\9ptfi01h.slt\prefs.js)
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O4 - HKLM\..\Run: [HPIJetSend] C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FcMessenger] C:\Program Files\Freechal Messenger\FcMessenger.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: OpenOffice.org 1.0.2.lnk = C:\Program Files\Openoffice\program\quickstart.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Freechal Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Dialpad KR Java Applet - http://www.dialpad.c.../phone/vscp.cab
O16 - DPF: {06228E75-DEB1-11D3-B702-00001CD5DA14} (AxINIplugin20 Control) - http://rsvweb.asiana...INIplugin20.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://asiana.conten...le/MyLinker.cab
O16 - DPF: {16B21577-3ABA-49AA-96F9-811B7BCFA9CA} (Dialpad KR VegaLoader Class) - http://www.dialpad.c...hone/helper.cab
O16 - DPF: {1E1F1304-A717-4B26-A907-DBD5A39060DD} (SJAX2 Control) - http://msg.seenjoy.com/cab/SJAX2.cab
O16 - DPF: {2A41F8DA-2D88-4ED4-BDD7-A78C88532D9F} (SJDownUtilX Control) - http://www.seenjoy.c...SJDownUtilX.cab
O16 - DPF: {450E1410-102D-429B-8716-3F30D6C56502} (iWalletSg Class) - http://www.commerce-...alletSingle.cab
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownloa...n/myv3/myv3.cab
O16 - DPF: {5EA05469-949D-4B37-8B46-2D32D95691FC} (SJDownloader) - http://www.seenjoy.c...JDownloader.cab
O16 - DPF: {61D91A12-0032-47CD-B4D2-44817FFB3145} (FcActiveUpload.Upload) - http://home.freechal...ctiveUpload.CAB
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://emailimg.skte...niMasPlugin.cab
O16 - DPF: {7A95C123-295D-408C-9699-873A4C9873AF} (FcCommCtrl.FcUpload) - http://home.freechal.../FcCommCtrl.CAB
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.soft.../xw_install.cab
O16 - DPF: {920AB56F-933F-4469-A779-E228554CBDA2} (FcCommCtrl.PDSDropBox) - http://home.freechal.../FcCommCtrl.CAB
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://update.nprote...eb/npkxsite.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownloa...yfirewall20.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8123.3362037037
O16 - DPF: {A4CC2CFF-D8DE-481E-81FC-B51186283282} (PZLunch Control) - http://down01.freech.../PCZiggyCtl.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprote...ungcard/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FE3B2990-3E0A-40C4-BC69-B61E5F2776E6} (FreechalOn Class) - http://login.freecha...on/FcOnCtl2.cab


Thank you so much for your help in advance.

Best,

Desperate Young

#2 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 16 May 2004 - 05:45 PM

Hi wisevlad
Can you post a complete log including the header. We need to make sure that nothing is in there that shouldn't be.

#3 wisevlad

wisevlad

    Member

  • New Member
  • Pip
  • 3 posts

Posted 17 May 2004 - 12:29 AM

Hello OlTramp,

Thank you for the reply. Actually the following is the complete(?) HijackThis log of my system now. It seems to me that I have no suspicious components, but I am not that confident. I look forward to your precious help...


Logfile of HijackThis v1.97.7
Scan saved at 10:26:42 PM, on 5/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Openoffice\program\soffice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Luvin\Desktop\HijackThis.exe

N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Luvin\Application Data\Mozilla\Profiles\default\9ptfi01h.slt\prefs.js)
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O4 - HKLM\..\Run: [HPIJetSend] C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FcMessenger] C:\Program Files\Freechal Messenger\FcMessenger.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: OpenOffice.org 1.0.2.lnk = C:\Program Files\Openoffice\program\quickstart.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Freechal Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Dialpad KR Java Applet - http://www.dialpad.c.../phone/vscp.cab
O16 - DPF: {06228E75-DEB1-11D3-B702-00001CD5DA14} (AxINIplugin20 Control) - http://rsvweb.asiana...INIplugin20.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://asiana.conten...le/MyLinker.cab
O16 - DPF: {16B21577-3ABA-49AA-96F9-811B7BCFA9CA} (Dialpad KR VegaLoader Class) - http://www.dialpad.c...hone/helper.cab
O16 - DPF: {1E1F1304-A717-4B26-A907-DBD5A39060DD} (SJAX2 Control) - http://msg.seenjoy.com/cab/SJAX2.cab
O16 - DPF: {2A41F8DA-2D88-4ED4-BDD7-A78C88532D9F} (SJDownUtilX Control) - http://www.seenjoy.c...SJDownUtilX.cab
O16 - DPF: {450E1410-102D-429B-8716-3F30D6C56502} (iWalletSg Class) - http://www.commerce-...alletSingle.cab
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownloa...n/myv3/myv3.cab
O16 - DPF: {5EA05469-949D-4B37-8B46-2D32D95691FC} (SJDownloader) - http://www.seenjoy.c...JDownloader.cab
O16 - DPF: {61D91A12-0032-47CD-B4D2-44817FFB3145} (FcActiveUpload.Upload) - http://home.freechal...ctiveUpload.CAB
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://emailimg.skte...niMasPlugin.cab
O16 - DPF: {7A95C123-295D-408C-9699-873A4C9873AF} (FcCommCtrl.FcUpload) - http://home.freechal.../FcCommCtrl.CAB
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.soft.../xw_install.cab
O16 - DPF: {920AB56F-933F-4469-A779-E228554CBDA2} (FcCommCtrl.PDSDropBox) - http://home.freechal.../FcCommCtrl.CAB
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://update.nprote...eb/npkxsite.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownloa...yfirewall20.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8123.3362037037
O16 - DPF: {A4CC2CFF-D8DE-481E-81FC-B51186283282} (PZLunch Control) - http://down01.freech.../PCZiggyCtl.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprote...ungcard/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FE3B2990-3E0A-40C4-BC69-B61E5F2776E6} (FreechalOn Class) - http://login.freecha...on/FcOnCtl2.cab

Edited by wisevlad, 17 May 2004 - 12:30 AM.


#4 ianstar

ianstar

    Member

  • New Member
  • Pip
  • 1 posts

Posted 17 May 2004 - 10:53 AM

I am having this same exact problem also. Ran Adaware, Spybot and CWS smartsearch killer all before trying to run CWShredder (version 1.57.0). CWShredder runs through the first few entries and then when it gets to CWS.Smartsearch it crashes. I am running Win 200 SP4 with all my updates. I can post my Hijackthis log in another post if anyone thinks it will help. Thanks in advance.

#5 TopDog

TopDog

    Member

  • New Member
  • Pip
  • 2 posts

Posted 18 May 2004 - 04:49 PM

Hello first post.

I'm having a similar problem, not exactly the same. I keep running CWShredder, it says it removes Smartsearch but Pest Patrol keeps finding CWS infection. I let Pest Patrol kill the infection and it also kills my connection to the internet. My computer is slowing down to a crawl, but my browser is not being redirected. I have run all the programs mentioned in the above posts plus dllfix.exe and find-all. Everything says there is no infection. But then when I run the system my hard drive is being hammered, everything is slow. I run CWShredder again and it says it removes SmartSearch again. :blink:

I'm just going to wipe my hard drive in the next day or two. I just posted this in case someone wants to see logs from anything I ran, maybe it could help someone else. :unsure:

Thanks.....

#6 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 18 May 2004 - 08:50 PM

Hi wisevlad,
Close all browsers and rerun HJT. Check and click fix checked for the following-
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
Do you know what this is? Is it something you downloaded?
O4 - HKCU\..\Run: [FcMessenger] C:\Program Files\Freechal Messenger\FcMessenger.exe
As for your O16 items I can't be sure. Problem is I can't get any info on most of them. Perhaps you know. If not, check and fix them also. Any that you need will be downloaded the next time you visit that site.
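An added example, not part of the original post: a small Python triage script that pulls the O1 (hosts file) entries out of a HijackThis log and separates names pinned to a public address, like the three lines listed above, from loopback sinkhole entries. The function names and the `ads.example.test` line are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# HijackThis section O1 line: "O1 - Hosts: <address> <name> [<name> ...]"
O1_LINE = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(.+?)\s*$")

# Constructed sample. The three 207.36.196.189 lines and the O4 line are the
# ones quoted in the thread; the 127.0.0.1 line is made up to show a sinkhole.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O1 - Hosts: 127.0.0.1 ads.example.test
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O4 - HKCU\..\Run: [FcMessenger] C:\Program Files\Freechal Messenger\FcMessenger.exe
"""


def parse_o1(log_text):
    """Yield (raw_line, ip, [hostnames]) for each well-formed O1 entry."""
    for raw in log_text.splitlines():
        match = O1_LINE.match(raw.strip())
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # address field is not an IP; nothing to classify
        names = []
        for token in match.group(2).split():
            if token.startswith("#"):  # trailing hosts-file comment
                break
            names.append(token.lower())
        if names:
            yield raw.strip(), ip, names


def classify(ip):
    """Label a hosts target by where it sends traffic."""
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"   # name is blocked, not redirected
    if ip.is_private:
        return "internal"   # LAN mapping, usually set by an administrator
    return "redirect"       # name is pinned to a public address


def review_hosts(log_text):
    """Group O1 entries by class; redirects are keyed by target address."""
    redirects = defaultdict(list)
    other = {"sinkhole": [], "internal": []}
    for _raw, ip, names in parse_o1(log_text):
        kind = classify(ip)
        for name in names:
            if kind == "redirect":
                redirects[str(ip)].append(name)
            else:
                other[kind].append((str(ip), name))
    return {"redirect": dict(redirects), **other}


def lines_to_review(log_text):
    """Return the O1 lines that pin a name to a public address."""
    return [raw for raw, ip, _ in parse_o1(log_text) if classify(ip) == "redirect"]


if __name__ == "__main__":
    for line in lines_to_review(SAMPLE_LOG):
        print("review:", line)
    print(review_hosts(SAMPLE_LOG))
```

Several unrelated search hostnames grouped under one public address is the pattern to look at first; running the same check after a reboot shows whether the entries have been written back.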

#7 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 18 May 2004 - 08:51 PM

Top Dog and Ianstar-
Please start a thread of your own. It is too hard trying to fix multiple posters in one thread.
Go here for Hijack This
Unzip, update and scan. The scan button will turn into a save log button. Save it, copy and paste it into a thread of your own. Don't fix anything yet because most of it is needed. Make sure you place HJT into a folder of its own. You may need to restore an item and you will not be able to from a temp. dir.

#8 TopDog

TopDog

    Member

  • New Member
  • Pip
  • 2 posts

Posted 18 May 2004 - 08:55 PM

Roger that - my apologies.

#9 wisevlad

wisevlad

    Member

  • New Member
  • Pip
  • 3 posts

Posted 19 May 2004 - 02:55 AM

Hi OlTramp,

Thanks for your reply !!! I have been looking forward to hearing from you.. ;)
The following are my replies to your questions and some updates:

1) In fact, I have kept removing those three "autosearch" parts whenever I scanned using HijackThis. But they appear again when I reboot.

2) As for
O4 - HKCU\..\Run: [FcMessenger] C:\Program Files\Freechal Messenger\FcMessenger.exe,
this is the messenger program that I downloaded from the legitimate source. Also, many of O16 parts are all programs that I know. I've been using these for more than a year without any problem, so I don't think these are the source of cws.

3) Without your reply, I deleted some suspicious folders in the registry (in root). They had names like 'adbar....' and didn't seem like good(?) ones. Although this deleting was not extensive, the new-explorer-popping and redirecting stopped after this for a while. Unfortunately, this problem came back again after a while (after turning on the machine again).

Well, actually I used Netscape after deleting them because I couldn't log in to any of my webmail accounts such as Yahoo using MS Explorer. Even though I typed in the right id and password, the browser didn't let me log in, as if I hadn't typed anything. So I used Netscape and it was all right while I used Netscape.
So I could even download Mozilla just in case I have a problem with Netscape (although they are based on the same engine(?), as far as I know). After using it for a couple of hours without being annoyed by those stupid problems, I turned off the machine.

4) When I turned on the machine again about half an hour ago, CWS struck back. It even appeared when I used Netscape as well as Mozilla !!
<_<
I have no clue what to do. CWShredder still crashed at CWS.smartsearch, and other programs don't identify a problem....
:(

5) I found some suspicious dll files with pv and dllfix. But I couldn't delete it. Whenever I tried to get rid of it, the dialogue box popped up saying 'some programs are using it'. Could you let me know how I can delete these suspicious dlls? I attach two logs from pv and dllfix for your info.

[PV log]

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2600.0000 (xpclient.010817-1148) Windows Explorer
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 78000000 450560 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.109 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
SHLWAPI.dll 772d0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Light-weight Utility Library
SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
ole32.dll 771b0000 1114112 C:\WINDOWS\system32\ole32.dll 5.1.2600.118 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
SHDOCVW.dll 71700000 1343488 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2723.100 Shell Doc Object and Control Library
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
themeui.dll 5b630000 458752 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Theme API
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL
USERENV.dll 52880000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.15 (xpclnt_qfe.010827-1803) Userenv
NETAPI32.dll 71c20000 323584 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
NETSHELL.dll 75cf0000 1638400 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Shell
credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Credential Manager User Interface
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
netman.dll 76de0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
MPRAPI.dll 76d40000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
RASAPI32.dll 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows™ Telephony API Client DLL
WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
WZCSvc.DLL 76da0000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
WMI.dll 76d30000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
DHCPCSVC.DLL 76d80000 106496 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service
DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Web Site Monitor
stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Systray shell service object
BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.0 (XPClient.010817-1148) Print UI DLL
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
WININET.dll 63000000 606208 C:\WINDOWS\system32\WININET.dll 6.00.2718.400 Internet Extensions for Win32
MSGINA.dll 75970000 987136 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon GINA DLL
ODBC32.dll 1f7b0000 200704 C:\WINDOWS\System32\ODBC32.dll 3.520.7713.0 Microsoft Data Access - ODBC Driver Manager
odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources


[dllfix log]

--===**'FIND-ALL' VERSION 3, 5/11**===--


Wed May 19 00:54:01 2004 -- Results:

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (48C2:6974) - FS:NTFS clusters:4k
Total: 25 169 321 984 [23G] - Free: 15 719 923 712 [15G]


Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\AITIVEDS.DLL +++ File read error
\\?\C:\WINDOWS\System32\AITIVEDS.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

I really hope you (or other nice folks) can save me from this disaster.

Thanks tons in advance.

wisevlad
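An added example, not part of the original post: a Python sketch that cross-checks the files find-all reports as locked or suspect against the module names in the PV listing, and notes any listed module whose name is within one character edit of a reported file. The function names and the one-edit threshold are assumptions; a near match only tells you which file to look at next.

```python
import re

# Constructed sample: lines copied from the PV and find-all output in the
# post above, cut down to a few modules.
PV_LOG = r"""
Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
WININET.dll 63000000 606208 C:\WINDOWS\system32\WININET.dll 6.00.2718.400 Internet Extensions for Win32
"""

FINDALL_LOG = r"""
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\AITIVEDS.DLL +++ File read error
\\?\C:\WINDOWS\System32\AITIVEDS.DLL +++ File read error
"""

# PV row: module name, hex base, decimal size, then the path.
PV_ROW = re.compile(r"^(\S+)\s+([0-9a-fA-F]+)\s+(\d+)\s+([A-Za-z]:\\\S+)")
# find-all row: "\\?\<path> +++ <reason>"
FINDALL_ROW = re.compile(r"^\\\\\?\\(.+?)\s+\+\+\+\s+(.+)$")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def loaded_modules(pv_text):
    """Map lower-cased module name -> name as printed by PV."""
    mods = {}
    for line in pv_text.splitlines():
        m = PV_ROW.match(line.strip())
        if m:
            mods[m.group(1).lower()] = m.group(1)
    return mods


def flagged_files(findall_text):
    """Return unique (path, reason) pairs from the find-all section."""
    seen = {}
    for line in findall_text.splitlines():
        m = FINDALL_ROW.match(line.strip())
        if m:
            seen.setdefault(m.group(1).lower(), (m.group(1), m.group(2)))
    return list(seen.values())


def triage(findall_text, pv_text, max_distance=1):
    """For each reported file, say whether PV lists it and which names are close."""
    mods = loaded_modules(pv_text)
    results = []
    for path, reason in flagged_files(findall_text):
        name = path.rsplit("\\", 1)[-1]
        key = name.lower()
        near = sorted(orig for low, orig in mods.items()
                      if low != key and edit_distance(low, key) <= max_distance)
        results.append({"file": name, "path": path, "reason": reason,
                        "listed_in_pv": key in mods, "near_names": near})
    return results


if __name__ == "__main__":
    for row in triage(FINDALL_LOG, PV_LOG):
        print(row)
```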



