OK for HJT to fix AppInit_Dlls key?


  • This topic is locked
1 reply to this topic

#1 TrailingEdge (Member, 1 posts)

Posted 01 August 2004 - 06:17 PM

Hello.

I have read the FAQ, run the latest SpyBot 1.3, and run Adaware 6 with the latest reflist. SpyBot found and removed GoldenPalace.Casino (romahere) registry entries. Adaware found and removed only tracking cookies.

I knew from StartupList logs that other suspicious startup settings had been recently added, notably

HKLM\...\Windows NT\CurrentVersion\Windows\AppInit_Dlls
C:\WINNT\profiles\All Users\Start Menu\Programs\Startup\sysmgr.exe

as well as

Load/Run keys missing from win.ini and from the registry (mostly winlogon)

The StartupList log is available but not posted in this query. Following is the HijackThis log created after the SpyBot and Adaware scans.

I have two questions:

(1) Is it safe for HJT to fix AppInit_DLLs?
(2) Do the missing win.ini and registry load/run keys need to be restored?

Thanks for your help

Logfile of HijackThis v1.98.1
Scan saved at 12:17:01 PM, on 8/1/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\cardpwr.exe
C:\WINNT\System32\drivers\pbms.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\rasman.exe
C:\WINNT\System32\pstores.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\spool\drivers\w32x86\hpztsb09.exe
C:\Program Files\Phoenix Technologies\BatteryScope\BATSCOPE.EXE
C:\Program Files\Phoenix Technologies\PowerPanel\PROGRAM\BarTool.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\HP DeskJet 895C Series\ereg\Remind32.exe
C:\WINNT\System32\ddhelp.exe
C:\WINNT\system32\rasmon.exe
C:\WINNT\system32\mspaint.exe
C:\Program Files\MalWareTools\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe,pcmapp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\hpztsb09.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 895C Series\ereg\Remind32.exe
O4 - Global Startup: Phoenix BatteryScope.lnk = C:\Program Files\Phoenix Technologies\BatteryScope\BATSCOPE.EXE
O4 - Global Startup: PowerPanel V2.15.lnk = C:\Program Files\Phoenix Technologies\PowerPanel\PROGRAM\BarTool.exe
O4 - Global Startup: Office Startup.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: sysmgr.exe
O12 - Plugin for .bcf: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - AppInit_DLLs: 64riuyomu075.tlb
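
An added triage script, not from the thread or from HijackThis itself, that parses the entry lines of an HJT log and picks out the two items the poster singled out: the O20 AppInit_DLLs value (every name there is loaded into each process that maps user32.dll) and a bare executable in the Startup folder. It assumes the log format shown above and uses a name heuristic of its own.

```python
import re
from pathlib import PureWindowsPath

# HijackThis log lines taken from the post above (a subset, not the full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\\Program Files\\WinZip\\WZQKPICK.EXE
O4 - Global Startup: sysmgr.exe
O20 - AppInit_DLLs: 64riuyomu075.tlb
"""

# Entry lines look like "O20 - <body>"; log headers and the process list do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

def parse_hjt(text):
    """Return (section code, body) pairs for every entry line in an HJT log."""
    return [m.groups() for m in (ENTRY_RE.match(l.strip()) for l in text.splitlines()) if m]

def looks_random(stem):
    """Heuristic of this example only: letters and digits interleaved at least twice."""
    kinds = [c.isdigit() for c in stem if c.isalnum()]
    return sum(a != b for a, b in zip(kinds, kinds[1:])) >= 2

def appinit_findings(entries):
    """Review O20 AppInit_DLLs: each name there is loaded into every process that maps
    user32.dll, so anything other than a known, fully pathed DLL deserves a look."""
    findings = []
    for sec, body in entries:
        if sec != "O20" or not body.startswith("AppInit_DLLs:"):
            continue
        for name in filter(None, re.split(r"[ ,]+", body.split(":", 1)[1].strip())):
            p = PureWindowsPath(name)
            reasons = []
            if p.suffix.lower() != ".dll":
                reasons.append(f"unexpected extension {p.suffix or '(none)'}")
            if not p.is_absolute():
                reasons.append("bare filename, found via DLL search order")
            if looks_random(p.stem):
                reasons.append("random-looking name")
            findings.append((name, reasons))
    return findings

def startup_findings(entries):
    """Flag O4 Startup items that are a bare executable in the Startup folder rather
    than a .lnk shortcut to an installed program (sysmgr.exe in the log above)."""
    return [body for sec, body in entries
            if sec == "O4" and "Startup:" in body
            and " = " not in body and body.lower().endswith(".exe")]
```

Run `appinit_findings(parse_hjt(log_text))` and `startup_findings(...)` over a saved log; a finding with an empty reason list is a fully pathed DLL that still needs to be identified by hand.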

#2 mmxx66 (The SWI drummer, Retired Staff, 4,412 posts)

Posted 02 September 2004 - 06:15 PM

Sorry for the delay; if you still have problems, post a fresh log please.


Member of ASAP and UNITE
Support SpywareInfo Forum - click the button