the last ronin

CWS/Searchx is killing me!!!

6 posts in this topic

Can somebody help me with this? I have CWS/searchx and can't get rid of it. This has been going on for months now. Any time I open Int Exp, or anything that uses it, it comes back.

I use CWShredder and Ad-Aware, yet the monster remains.

Please help.

Here is my HijackThis log.

Logfile of HijackThis v1.97.7

Scan saved at 12:50:30 PM, on 7/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Norton Utilities\SYSDOC32.EXE

C:\Program Files\NetAssistant\bin\mpbtn.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: DailyToolbar - {8333C319-0669-4893-A418-F56D9249FCA6} - C:\WINDOWS\Downloaded Program Files\DailyToolbar.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [system Update] C:\WINDOWS\System\wininet.exe

O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\wordi00027\5720281.exe -remove

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: IEToolbarCab - http://download.dailytoolbar.com/DailyToolbarAff.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27173f19b42d52...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5CE93020-1A98-429A-BD93-58E1B05161D1}: NameServer = 206.47.244.113 206.47.244.91

 

thanks


Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

 

Click here to download Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

 

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

 

Reboot when done. Rescan with HJT and post a new log here.


Here is my second log as requested

 

Logfile of HijackThis v1.97.7

Scan saved at 8:13:09 PM, on 7/31/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Norton Utilities\SYSDOC32.EXE

C:\Program Files\NetAssistant\bin\mpbtn.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {B9AFDCDB-8807-4B34-8911-2E63A1880ED1} - c:\recycler\s-1-5-21-823518204-1202660629-682003330-1003\dc1212.dll (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: DailyToolbar - {8333C319-0669-4893-A418-F56D9249FCA6} - C:\WINDOWS\Downloaded Program Files\DailyToolbar.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [system Update] C:\WINDOWS\System\wininet.exe

O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\wordi00027\5720281.exe -remove

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: IEToolbarCab - http://download.dailytoolbar.com/DailyToolbarAff.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27173f19b42d52...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5CE93020-1A98-429A-BD93-58E1B05161D1}: NameServer = 206.47.244.113 206.47.244.91

O17 - HKLM\System\CS1\Services\Tcpip\..\{5CE93020-1A98-429A-BD93-58E1B05161D1}: NameServer = 206.47.244.113 206.47.244.91


Could you click here to download the latest version of HijackThis. Double-click the file, click Unzip and it will save the application to C:\HijackThis. Run it from there to scan your computer.

 

With only HJT running, scan and when complete, remove the following entries by checking the box to the left and clicking 'Fix checked':

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)

O2 - BHO: (no name) - {B9AFDCDB-8807-4B34-8911-2E63A1880ED1} - c:\recycler\s-1-5-21-823518204-1202660629-682003330-1003\dc1212.dll (file missing)

O3 - Toolbar: DailyToolbar - {8333C319-0669-4893-A418-F56D9249FCA6} - C:\WINDOWS\Downloaded Program Files\DailyToolbar.dll

O4 - HKCU\..\Run: [system Update] C:\WINDOWS\System\wininet.exe

O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\wordi00027\5720281.exe -remove

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27173f19b42d52...ip/RdxIE601.cab

 

Click here, for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded, find and delete the following:

 

C:\WINDOWS\System\wininet.exe

c:\program files\GlobalDialer\ <-- folder

 

Reboot back into Normal Mode when done. Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
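An added example, not part of the original posts: a small Python triage over HijackThis log lines that applies three heuristics modelled on some of the entries selected for removal in the reply above. The rule set, tag names and function names are assumptions made for illustration; they are not HijackThis's or the helper's own logic and do not cover every entry the helper listed.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B9AFDCDB-8807-4B34-8911-2E63A1880ED1} - c:\recycler\s-1-5-21-823518204-1202660629-682003330-1003\dc1212.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [system Update] C:\WINDOWS\System\wininet.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_TARGET_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (?P<target>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)


def check_redirect(body):
    """R0/R1: an IE search or start setting that points at a local file."""
    _, sep, value = body.partition(" = ")
    if sep and value.strip().lower().startswith("file://"):
        return ["ie-setting-points-to-local-file"]
    return []


def check_addon(body):
    """O2/O3: a BHO or toolbar whose DLL is absent or sits in the Recycle Bin."""
    match = CLSID_TARGET_RE.search(body)
    if not match:
        return []
    target = match.group("target").lower()
    tags = []
    if target.endswith("(no file)") or target.endswith("(file missing)"):
        tags.append("addon-file-absent")
    if "\\recycler\\" in target:
        tags.append("addon-in-recycle-bin")
    return tags


def check_autorun(body):
    """O4: a Run entry started from <drive>:\\WINDOWS\\System (assumed unusual)."""
    match = RUN_RE.search(body)
    if not match:
        return []
    exe = EXE_RE.match(match.group("cmd"))
    if not exe:
        return []  # bare file name without a path: nothing to judge here
    folder = ntpath.dirname(exe.group("path")).lower()
    if re.fullmatch(r"[a-z]:\\windows\\system", folder):
        return ["autorun-from-legacy-system-dir"]
    return []


# Hypothetical mapping from HijackThis section code to the heuristic applied.
RULES = {
    "R0": check_redirect, "R1": check_redirect,
    "O2": check_addon, "O3": check_addon,
    "O4": check_autorun,
}


def triage(log_text):
    """Return (section code, tags, original line) for each entry worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, running-process path or blank line
        rule = RULES.get(match.group("code"))
        tags = rule(match.group("body")) if rule else []
        if tags:
            findings.append((match.group("code"), tags, line))
    return findings


if __name__ == "__main__":
    for code, tags, line in triage(SAMPLE_LOG):
        print(code, ",".join(tags), "|", line)
```

A hit only marks an entry for manual review; the decision to fix it still depends on confirming what the file is.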


I did as you said. I safe booted but could not find the following

C:\system\wininet.exe

or, C:\programfiles\globaldialer\ <--folder.

Here is my FindnFix log. It is BIG

 

Fri 13 Aug 04 23:38:03

 

»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»

 

*System:

Microsoft Windows XP Home Edition 5.1 Service Pack 1 (Build 2600)

*IE version:

6.0.2800.1106 SP1-Q330994-Q832894-Q837009-Q831167-Q823353-Q867801

 

The type of the file system is NTFS.

 

__________________________________

!!*Creating backups...!!

__________________________________

 

*Local time:

Friday, August 13, 2004 (8/13/2004)

11:38 PM, Eastern Daylight Time

*Uptime:

23:38:04 up 0 days, 0:19:33

 

----------------------------------------------------

»»Member of...: ("ADMIN" logon + group match required!)

 

User is a member of group USER-K6GIZJ9Y0J\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

Group BUILTIN\Administrators matches list.

Group BUILTIN\Users matches list.

 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

User: [uSER-K6GIZJ9Y0J\Owner], is a member of:

 

BUILTIN\Administrators

\Everyone

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided and registry scan should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove

without attempting to confirm it's nature!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!

If in doubt, always search the file(s) and properties according to criteria!

 

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

 

______________________________________________________________________________

***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***

______________________________________________________________________________

 

»»»»»»»»»»»»»»»»»»***LOG!***(*updated 8/14)»»»»»»»»»»»»»»»»

 

»»»*»»»*Use at your own risk!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\SYSTEM32\HLPLCJB.DLL +++ File read error

\\?\C:\WINDOWS\System32\HLPLCJB.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

HLPLCJB.DLL Read Error!

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

 

»»»»»(*5*)»»»»»

 

»»»»»(*6*)»»»»»

fgrep: error reading input

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

*List of files specs that match the criteria:

*Note: Not all files listed here are infected!

___________________________________________________________________________

Path: C:\WINDOWS\SYSTEM32 Including: *.DLL

9. Admparse Dll 57,344 . . . . A 3-31-03 8:00 am

180. Dmcompos Dll 57,344 . . . . A 3-31-03 8:00 am

378. Jgmd400 Dll 35,840 . . . . A 3-31-03 8:00 am

623. Mssign32 Dll 35,840 . . . . A 3-31-03 8:00 am

669. Narrhook Dll 35,840 . . . . A 3-31-03 8:00 am

190. Dmserver Dll 21,504 . . . . A 3-31-03 8:00 am

285. Hlplcjb Dll 21,504 . . . . A 2-20-04 6:07 pm

355. Ipxrip Dll 21,504 . . . . A 3-31-03 8:00 am

1105. Wsock32 Dll 21,504 . . . . A 3-31-03 8:00 am

 

____________________________________________________________________________

*By size and date...

 

 

No matches found.

 

No matches found.

 

C:\WINDOWS\SYSTEM32\

hlplcjb.dll Fri Feb 20 2004 6:07:56p A.... 21,504 21.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 21,504 bytes 21.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\HLPLCJB.DLL

SNiF 1.34 statistics

 

Matching files : 1 Amount in bytes : 21504

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

 

BHO search...

 

fgrep: error reading input

 

 

No matches found.

 

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512

 

»»Checking for AppInit_DLLs (empty) value...

________________________________

!"AppInit_DLLs"=""!

 

Value does not match

________________________________

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs =

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

»»Performing string scan....

00001150: u vk @ f AppInit_DLLs G

00001190: c : \ w i n d o w s \ s y s t e m 3 2 \ h l p l c j b . d l

000011D0:l l l h vk UDeviceNotSelectedTimeout

00001210: 1 5 x 9 0 =t vk ' zGDIProce

00001250:ssHandleQuota" vk Spooler2 y e s _

00001290: h 0 ` vk 5swapdisk vk

000012D0: . TransmissionRetryTimeout h 0 `

00001310: vk ' 0 USERProcessHandleQuota ^


 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG¸ÿÿÿc

--------------

--------------

$01180: AppInit_DLLs

$011F7: UDeviceNotSelectedTimeout

$01247: zGDIProcessHandleQuota

$012E0: TransmissionRetryTimeout

$01330: USERProcessHandleQuota

--------------

--------------

c:\windows\system32\hlplcjb.dll

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

..........

*Debug...

--------------

--------------

Ntdll.DLL at 77F50000

Kernel32.DLL at 77E60000

NtQuerySystemInformation (Entry at 61C049F1) restored to 77F5BF08

RtlQueryProcessDebugInformation (Entry at 61C0495B) restored to 77F6C470

..........

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 64 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : "c:\windows\system32\hlplcjb.dll"

0000 63 00 3a 00 5c 00 77 00 69 00 6e 00 64 00 6f 00 | c.:.\.w.i.n.d.o.

0010 77 00 73 00 5c 00 73 00 79 00 73 00 74 00 65 00 | w.s.\.s.y.s.t.e.

0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 6c 00 | m.3.2.\.h.l.p.l.

0030 63 00 6a 00 62 00 2e 00 64 00 6c 00 6c 00 00 00 | c.j.b...d.l.l...

-----------------------

 

»»»»»»Backups list...»»»»»»

23:38:25 up 0 days, 0:19:53

-----------------------

Fri 13 Aug 04 23:38:25

 

 

C:\FINDNFIX\

keyback.hiv Fri Aug 13 2004 11:27:52p A.... 8,192 8.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 8,192 bytes 8.00 K

 

C:\FINDNFIX\KEYS1\

winkey.reg Fri Aug 13 2004 11:27:52p A.... 287 0.28 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 287 bytes 0.28 K

 

*Temp backups...

 

"C:\Documents and Settings\Owner\Local Settings\Temp\Backs2\"

keyback2.hi_ Aug 13 2004 8192 "keyback2.hi_"

winkey2.re_ Aug 13 2004 287 "winkey2.re_"

 

2 items found: 2 files, 0 directories.

Total of file sizes: 8,479 bytes 8.28 K

 

C:\FINDNFIX\

JUNKXXX Fri Aug 13 2004 11:27:52p .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

________________________________________________________________________________

***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'

AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!

MINIMAL REQUIREMENTS INCLUDE:

_________XP HOME/PRO; SP1; IE6/SP1

_________2K/SP4; IE6/SP1

________________________________________________________________________________

-----END------

Fri 13 Aug 04 23:38:26

 

Thanks.


Completely disable any antivirus software you have running from this point on until we have finished.

 

In the keys1 folder, double click on and merge this regfile: windr1.reg, say yes at the prompt and reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the HLPLCJB.DLL file. Highlight the file and using top menu, click Edit>Move to folder...

 

Select C:\Findnfix\junkxxx as destination. Move the file.

 

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log2.txt - post its contents in your next reply.
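An added example, not part of the original posts or of FINDnFIX: the log earlier in the thread shows the REGEDIT4 export giving "AppInit_DLLs"="" while the raw dump of the same value holds 64 bytes. This Python sketch rebuilds the bytes from the hex dump, decodes them as a UTF-16LE REG_SZ string and compares the result with the exported value. The function names are hypothetical and the inputs are lines copied from that log.

```python
import re

# Constructed input: lines copied from the FINDnFIX log posted in this thread.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
'''

RAW_DUMP = r'''
0000 63 00 3a 00 5c 00 77 00 69 00 6e 00 64 00 6f 00 | c.:.\.w.i.n.d.o.
0010 77 00 73 00 5c 00 73 00 79 00 73 00 74 00 65 00 | w.s.\.s.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 6c 00 | m.3.2.\.h.l.p.l.
0030 63 00 6a 00 62 00 2e 00 64 00 6c 00 6c 00 00 00 | c.j.b...d.l.l...
'''

DUMP_LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2} )+)\|")


def parse_hex_dump(text):
    """Rebuild the value's bytes from 'offset  hex bytes | ascii' dump lines."""
    data = bytearray()
    for line in text.splitlines():
        match = DUMP_LINE_RE.match(line)
        if not match:
            continue
        offset = int(match.group(1), 16)
        if offset != len(data):
            raise ValueError(f"gap or overlap in dump at offset {offset:#06x}")
        data += bytes.fromhex(match.group(2))
    return bytes(data)


def decode_reg_sz(raw):
    """Decode REG_SZ data (UTF-16LE) and cut it at the first NUL terminator."""
    if len(raw) % 2:
        raise ValueError("REG_SZ data must have an even number of bytes")
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def exported_value(reg_text, name):
    """Return the string a REGEDIT4 export shows for `name`, or None if absent."""
    pattern = rf'^"{re.escape(name)}"="(.*)"\s*$'
    match = re.search(pattern, reg_text, re.MULTILINE)
    if match is None:
        return None
    return match.group(1).replace("\\\\", "\\")  # .reg files double backslashes


def compare_views(name, reg_text, dump_text):
    """Compare the exported string with the string stored in the raw bytes."""
    raw = parse_hex_dump(dump_text)
    raw_string = decode_reg_sz(raw)
    exported = exported_value(reg_text, name)
    return {
        "exported": exported,
        "raw_length": len(raw),
        "raw_string": raw_string,
        "mismatch": exported != raw_string,
    }


if __name__ == "__main__":
    result = compare_views("AppInit_DLLs", REG_EXPORT, RAW_DUMP)
    for key, value in result.items():
        print(f"{key}: {value!r}")
```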
