• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
hojo165

Yoursearcher

13 posts in this topic

I've done just about everything I know how to get rid of this hijack. I need someone to tell me what I'm missing. Here's my log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:58:36 AM, on 5/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Global Startup: winlogin.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8124.3115972222

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

 

Any help is appreciated.

Edited by hojo165

Share this post


Link to post
Share on other sites

Hi hojo165

Have you already removed some items?

First download CWShredder by Merijn Bellekom

Do not run it yet.

Start your computer in safe mode . Close all browsers and rerun HJT. Check and click fix checked for the following-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

O4 - Global Startup: winlogin.exe

Now run CWShredder while still in safe mode.

Click fix and let it delete whatever it finds. Be sure you click fix and not scan only.

Post another log and let me know if you have removed some items already.

Share this post


Link to post
Share on other sites

Here's the log. Yeah, I've been trying to remove stuff for about a week now and haven't really accomplished anything. I posted after I removed some things, but then ran again for a fresh log. The fresh log is the one I posted. Here's the log after doing what you said:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:03:08 AM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iilk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iilk.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iilk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8124.3115972222

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

 

 

I just realized why it isn't gone. CWShredder and HijackThis didn't show up in safe mode so I ran safe mode w/networking and downloaded them. That probably didn't help my cause. Anyway, tell me what's next.

 

Thanks for your help.

Share this post


Link to post
Share on other sites

We'll try and take care of the coolweb problem first. Then we'll consider what may have been removed unnecessarily, if anything at all.

First go here and download http://tools.zerosrealm.com/dllfix.exe

Save it to your desktop and double click dllfix.exe . Follow the prompts-

Now go to the dllfix folder and double click the start.bat and choose option #1

This will search for the “bad” file and create a report in Notepad. Copy and paste that report back into this thread. Also post a new HJT log.

Share this post


Link to post
Share on other sites

I had to make the txt file a doc b/c notepad is missing. This is not my machine, so I can't explain that. Here are the two logs, hjt first, dllfix second.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:31:31 AM, on 5/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\msiexec.exe

C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {5D9D472A-9AD1-4226-833E-D5B014B7CF38} - C:\WINDOWS\System32\coighea.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8124.3115972222

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

 

 

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Wed 05/26/2004

08:24 AM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (4002:C004) - FS:NTFS clusters:512

Total: 40 015 954 432 [37G] - Free: 37 092 910 080 [35G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q822925;Q828750;Q837009;Q832894;Q831167;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

 

 

*Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

8:24am up 0 days, 0:04

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\COMD.DLL +++ File read error

\\?\C:\WINDOWS\System32\COMD.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

60152 1604 norm SysFader

40086 1604 norm Start Menu

100e4 1992 norm SysFader

30036 1604 norm _Shell_TrayWnd

100aa 1896 norm Norton AntiVirus

10026 624 high NetDDE Agent

d013c 1636 norm C:\WINDOWS\System32\cmd.exe

70148 1604 norm dllfix

500cc 1992 norm MCI command handling window

1010e 1992 norm DDE Server Window

100c6 1604 norm Connections Tray

200be 1604 norm Power Meter

300bc 1604 norm MS_WebcheckMonitor

100a6 1860 norm BluetoothAuthenticationWndClass

100d6 1992 norm SWI Forums -> Yoursearcher - Microsoft Internet Explorer

1007e 1604 norm Program Manager

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D9D472A-9AD1-4226-833E-D5B014B7CF38}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{73C21C7D-3553-4C4A-8A5E-7B4880E559FF}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{73C21C7D-3553-4C4A-8A5E-7B4880E559FF}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

Thanks again for the help.

Share this post


Link to post
Share on other sites

Hi

Now run start.bat again and this time choose #2.At the next menu choose #2 again.

You will receive a message that your computer will reboot in 15 seconds. After your computer reboots you will get a screen and Notepad will open with a report in it. Reboot your computer again and download CWShredder by Merijn Bellekom

Check for an update just to make sure you have the latest version. Click fix and let it delete whatever it finds. Be sure you click fix and not scan only.

Run HJT again and check and click fix checked for the following that are left.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {5D9D472A-9AD1-4226-833E-D5B014B7CF38} - C:\WINDOWS\System32\coighea.dll

Share this post


Link to post
Share on other sites

I ran dllfix like you said and my machine went into a constant restart. The Windows screen would come up, and when it tried to boot Windows, it restarted. I ran in safe mode and restored to a previous date, and the machine is now running properly, but obviously the hijack problem is still there. Please advise.

 

Thanks.

 

P.S. Sorry for the late reply, I've been gone for a couple days.

Edited by hojo165

Share this post


Link to post
Share on other sites

Here's the log, HJT first, dllfix second:

 

Logfile of HijackThis v1.97.7

Scan saved at 1:00:25 PM, on 6/4/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {5D9D472A-9AD1-4226-833E-D5B014B7CF38} - C:\WINDOWS\System32\coighea.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8124.3115972222

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

 

 

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Fri 06/04/2004

12:58 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (4002:C004) - FS:NTFS clusters:512

Total: 40 015 954 432 [37G] - Free: 37 153 527 296 [35G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q822925;Q828750;Q837009;Q832894;Q831167;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

 

 

*Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

12:58am up 0 days, 4:17

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\ASUIGG.DLL +++ File read error

\\?\C:\WINDOWS\System32\ASUIGG.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

30108 1584 norm SysFader

3012a 820 norm SysFader

20080 1584 norm Start Menu

100a4 1852 norm Norton AntiVirus

30036 1584 norm _Shell_TrayWnd

10026 628 high NetDDE Agent

70180 1852 norm Norton AntiVirus

300f8 376 norm C:\WINDOWS\System32\cmd.exe

3011a 1584 norm dllfix

40130 820 norm SWI Forums -> Replying in Yoursearcher - Microsoft Internet Explorer

20122 820 norm MCI command handling window

10118 820 norm DDE Server Window

100c6 1584 norm Connections Tray

200be 1584 norm Power Meter

300bc 1584 norm MS_WebcheckMonitor

1007e 1584 norm Program Manager

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D9D472A-9AD1-4226-833E-D5B014B7CF38}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{73C21C7D-3553-4C4A-8A5E-7B4880E559FF}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{73C21C7D-3553-4C4A-8A5E-7B4880E559FF}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

Thanks.

Share this post


Link to post
Share on other sites

Close all browsers and rerun HJT. Check and click fix checked for the following-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {5D9D472A-9AD1-4226-833E-D5B014B7CF38} - C:\WINDOWS\System32\coighea.dll

Restart your computer and delete

C:\WINDOWS\System32\coighea.dll

 

Since you restored to an earlier time we may need to start all over again.

Edited by OlTramp

Share this post


Link to post
Share on other sites

Did as you said, except the coighea.dll file was already gone when I restarted. At the very least I couldn't find it. Here's the new HJT log.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:31:23 AM, on 6/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

 

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8124.3115972222

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

 

Obviously, it's clean, but there's gotta be something else going on, doesn't there?

Share this post


Link to post
Share on other sites

Hi

Exactly what symptoms are you still having? Your log is extremely short so what is it that does and what does not work correctly?

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0