• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
gwalker17

Browser Hijacked...

8 posts in this topic

My browser has been hijacked for a long time now...and I havent been able to get any help. Could someone please check out my HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:16:51 PM, on 5/23/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\iISystem Wiper\SystemWiper.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\PTC\PTC.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Kazaa Lite K++\KazaaLite.kpp

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\gw.GLENN\Desktop\Spyware Sucks Wang\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {E7C315A2-4890-401D-A98E-D5CBF85B5104} - C:\WINDOWS\System32\anl.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop\stopthepop.exe" -minimized

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE

O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7936.7184027778

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D2E1E20-347C-4C2D-9B33-59DBE7754982}: NameServer = 204.68.227.1,4.2.2.2

 

thx

Share this post


Link to post
Share on other sites

Hi gwalker17

Sorry if it seems slow gwtting help. We are a bit swamped-

Go here and download this self extracting file:

http://tools.zerosrealm.com/dllfix.exe

 

Save it to your desktop, double click dllfix.exe and follow the prompts.

 

Go to the newly created dllfix folder on your desktop and double click start.bat and choose option #1. This will scan your computer for the 'bad' file. Then run start.bat again and choose option #2, then choose option #2 again at the next menu. You will get a message that your computer will reboot in 15 seconds. After your computer reboots, a window will flash on your screen and notepad will open with a report in it.

 

Go to the dllfix folder on your desktop and copy the contents of the output.txt and logs.txt files back into this thread, along with an updated hijackthis log.

 

(A tutorial is available from here http://forums.subratam.org/index.php?showtopic=583 )

 

(Our thanks to shadowwar for his Fix, FreeAtLast and Mosaic for their inputs in getting the Fix done and Subratam and Zero for hosting the fix)

Share this post


Link to post
Share on other sites

output.txt:

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Tue 05/25/2004

02:40 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (9029:537F) - FS:NTFS clusters:4k

Total: 40 015 953 920 [37G] - Free: 28 829 233 152 [27G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q324929;Q810847;Q813951;Q330994;Q824145;Q837009;Q832894;Q831167;

 

*Google Toolbar version and Attributes:

2.0.111.0 C:\Program Files\google\googletoolbar1.dll

Defaults: "A" ;"R"

File not found - C:\Program Files\google\googletoolbar2.dll

A R C:\Program Files\google\GoogleToolbar1.dll

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

2:40pm up 0 days, 0:05

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\SQLI.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQLI.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

1021e 1776 norm PermissionDlg

50180 1480 norm SysFader

2010a 1764 norm SysFader

200f4 1480 norm SysFader

1008e 1480 norm Start Menu

30032 1480 norm _Shell_TrayWnd

1021a 1776 norm ViolationDlg

10206 412 norm Maximize to current monitor

10028 544 high NetDDE Agent

601c4 2544 norm C:\WINDOWS\System32\cmd.exe

300b0 1764 norm SWI Forums -> Browser Hijacked... - Microsoft Internet Explorer

60190 1480 norm dllfix

20170 1764 norm MCI command handling window

30126 2192 norm DEVLDR

2016c 1764 norm DDE Server Window

1020a 1776 norm ZoneAlarm

201a2 412 norm NVIDIA TwinView Window

101d2 1872 norm NVSVCPMMWindowClass

100e0 1480 norm Connections Tray

100d0 1656 norm VPIPCLINK

100cc 1656 norm ACTION

100c8 1656 norm Scan

100d4 1740 norm 6d0

100ba 1480 norm Power Meter

100b4 1768 norm Norton AntiVirus Corporate Edition

100b8 1480 norm MS_WebcheckMonitor

200aa 1740 norm QTPlayer Tray Icon

60048 1480 norm Spyware Sucks Wang

1008c 1480 norm Program Manager

1024c 1776 norm M

10220 1776 norm Default IME

30038 1480 norm M

30034 1480 norm Default IME

1024a 1776 norm M

1021c 1776 norm Default IME

10208 412 norm Default IME

20114 1764 norm M

20118 1764 norm Default IME

60198 1480 norm M

501ce 1480 norm Default IME

2016e 1764 norm Default IME

30124 2192 norm Default IME

1020c 1776 norm Default IME

300e8 412 norm Default IME

101d4 1872 norm Default IME

100d2 1656 norm Default IME

100ce 1656 norm Default IME

100ca 1656 norm Default IME

100bc 1480 norm Default IME

100b6 1768 norm Default IME

100ac 1740 norm Default IME

300ec 1480 norm M

300ea 1480 norm Default IME

100a0 1480 norm M

3004c 1480 norm Default IME

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7C315A2-4890-401D-A98E-D5CBF85B5104}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{D2F525C2-6C96-4F3A-8191-003B831D4853}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{D2F525C2-6C96-4F3A-8191-003B831D4853}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

LOGS.TXT:

 

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Tue 05/25/2004

06:58 PM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Adding Back Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

 

Restoring Cleaned Appinit Value

 

The operation completed successfully

 

Deleting Filter text/plain

Deleting Filter text/html

Running from C:\Documents and Settings\gw.GLENN\Desktop\dllfix

 

Scanning For main hijacker.

Found Main Hijacker Dll:C:\WINDOWS\System32\ANL.DLL

Md5 tested As 0758CF635DF08AC381962F74832B6484

MD5 Matched known Baddie

Deleting Hijacker Dll: C:\WINDOWS\System32\ANL.DLL

Succesfully Deleted

Scanning For main hijacker.

Scanning for Hidden Dll in system32 1st pass

File was not found on first Pass.

 

Scanning for Hidden Dll in system32 2nd pass

File found was: C:\WINDOWS\System32\SQLI.DLL

 

Md5 Check of C:\WINDOWS\System32\SQLI.DLL

 

Md5 tested As C185B36F9969D3A6D2122BA7CBC02249

Md5 matched known baddies.

Processing and Deleting File.

Processing ACL of: <\\?\C:\WINDOWS\System32\SQLI.DLL>

 

SetACL finished successfully.

 

File was successfully Deleted.

Please Run Hijackthis or Cwshredder to finish cleanup.

 

 

:ph34r:

HJT LOG:

Logfile of HijackThis v1.97.7

Scan saved at 7:10:40 PM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\iISystem Wiper\SystemWiper.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\gw.GLENN\Desktop\Spyware Sucks Wang\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\anl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {E7C315A2-4890-401D-A98E-D5CBF85B5104} - C:\WINDOWS\System32\anl.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop\stopthepop.exe" -minimized

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE

O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7936.7184027778

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D2E1E20-347C-4C2D-9B33-59DBE7754982}: NameServer = 204.68.227.1,4.2.2.2

 

 

 

THANKS FOR THE HELP

Share this post


Link to post
Share on other sites

Hi

Now download CWShredder by Merijn Bellekom

Check for an update just to make sure you have the latest version. Click fix and let it delete whatever it finds. Be sure you click fix and not scan only.

Then post another log and we’ll see what is left.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 10:41:01 PM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\PTC\PTC.exe

C:\Documents and Settings\gw.GLENN\Desktop\Spyware Sucks Wang\HJT\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\gw.GLENN\Desktop\Spyware Sucks Wang\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {E7C315A2-4890-401D-A98E-D5CBF85B5104} - C:\WINDOWS\System32\anl.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop\stopthepop.exe" -minimized

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE

O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7936.7184027778

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D2E1E20-347C-4C2D-9B33-59DBE7754982}: NameServer = 204.68.227.1,4.2.2.2

Share this post


Link to post
Share on other sites

Hi

Close all browsers and rerun HJT. Check and click fix checked for the following-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {E7C315A2-4890-401D-A98E-D5CBF85B5104} - C:\WINDOWS\System32\anl.dll (file missing)

How are things now?

Share this post


Link to post
Share on other sites

Everything seems great!

 

Here is a HJT log after rebooting:

 

Logfile of HijackThis v1.97.7

Scan saved at 7:42:54 PM, on 5/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\iISystem Wiper\SystemWiper.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WUTemp\com_microsoft.840374_XPSP2_WinSE_92384\WindowsXP-KB840374-x86-ENU.EXE

c:\64b1208841282d27f14e2a304a\xpsp1hfm.exe

c:\64b1208841282d27f14e2a304a\sp2\update\update.exe

C:\Documents and Settings\gw.GLENN\Desktop\Spyware Sucks Wang\HJT\HijackThis.exe

C:\WINDOWS\PCHealth\HELPCTR\Binaries\HSCUpd.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

 

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop\stopthepop.exe" -minimized

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE

O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7936.7184027778

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D2E1E20-347C-4C2D-9B33-59DBE7754982}: NameServer = 204.68.227.1,4.2.2.2

Share this post


Link to post
Share on other sites

Good job!

I think you may have an update or two that was not successful. Other than that things look OK to me.Any more rpoblems drop back by.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0