Jump to content


Photo

Yoursearcher


  • Please log in to reply
12 replies to this topic

#1 hojo165

hojo165

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 24 May 2004 - 09:00 AM

I've done just about everything I know how to get rid of this hijack. I need someone to tell me what I'm missing. Here's my log:

Logfile of HijackThis v1.97.7
Scan saved at 8:58:36 AM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: winlogin.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8124.3115972222
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab

Any help is appreciated.

Edited by hojo165, 24 May 2004 - 09:06 AM.


#2 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 24 May 2004 - 08:26 PM

Hi hojo165
Have you already removed some items?
First download CWShredder by Merijn Bellekom
Do not run it yet.
Start your computer in safe mode . Close all browsers and rerun HJT. Check and click fix checked for the following-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O4 - Global Startup: winlogin.exe
Now run CWShredder while still in safe mode.
Click fix and let it delete whatever it finds. Be sure you click fix and not scan only.
Post another log and let me know if you have removed some items already.

#3 hojo165

hojo165

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 25 May 2004 - 09:06 AM

Here's the log. Yeah, I've been trying to remove stuff for about a week now and haven't really accomplished anything. I posted after I removed some things, but then ran again for a fresh log. The fresh log is the one I posted. Here's the log after doing what you said:

Logfile of HijackThis v1.97.7
Scan saved at 9:03:08 AM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\iilk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\iilk.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\iilk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8124.3115972222
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab


I just realized why it isn't gone. CWShredder and HijackThis didn't show up in safe mode so I ran safe mode w/networking and downloaded them. That probably didn't help my cause. Anyway, tell me what's next.

Thanks for your help.

#4 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 25 May 2004 - 06:12 PM

We'll try and take care of the coolweb problem first. Then we'll consider what may have been removed unnecessarily, if anything at all.
First go here and download http://tools.zerosrealm.com/dllfix.exe
Save it to your desktop and double click dllfix.exe . Follow the prompts-
Now go to the dllfix folder and double click the start.bat and choose option #1
This will search for the “bad” file and create a report in Notepad. Copy and paste that report back into this thread. Also post a new HJT log.

#5 hojo165

hojo165

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 26 May 2004 - 08:34 AM

I had to make the txt file a doc b/c notepad is missing. This is not my machine, so I can't explain that. Here are the two logs, hjt first, dllfix second.

Logfile of HijackThis v1.97.7
Scan saved at 8:31:31 AM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5D9D472A-9AD1-4226-833E-D5B014B7CF38} - C:\WINDOWS\System32\coighea.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8124.3115972222
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab



--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Wed 05/26/2004
08:24 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (4002:C004) - FS:NTFS clusters:512
Total: 40 015 954 432 [37G] - Free: 37 092 910 080 [35G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q822925;Q828750;Q837009;Q832894;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
8:24am up 0 days, 0:04
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\COMD.DLL +++ File read error
\\?\C:\WINDOWS\System32\COMD.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
60152 1604 norm SysFader
40086 1604 norm Start Menu
100e4 1992 norm SysFader
30036 1604 norm _Shell_TrayWnd
100aa 1896 norm Norton AntiVirus
10026 624 high NetDDE Agent
d013c 1636 norm C:\WINDOWS\System32\cmd.exe
70148 1604 norm dllfix
500cc 1992 norm MCI command handling window
1010e 1992 norm DDE Server Window
100c6 1604 norm Connections Tray
200be 1604 norm Power Meter
300bc 1604 norm MS_WebcheckMonitor
100a6 1860 norm BluetoothAuthenticationWndClass
100d6 1992 norm SWI Forums -> Yoursearcher - Microsoft Internet Explorer
1007e 1604 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D9D472A-9AD1-4226-833E-D5B014B7CF38}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{73C21C7D-3553-4C4A-8A5E-7B4880E559FF}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{73C21C7D-3553-4C4A-8A5E-7B4880E559FF}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



Thanks again for the help.

#6 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 26 May 2004 - 05:16 PM

Hi
Now run start.bat again and this time choose #2.At the next menu choose #2 again.
You will receive a message that your computer will reboot in 15 seconds. After your computer reboots you will get a screen and Notepad will open with a report in it. Reboot your computer again and download CWShredder by Merijn Bellekom
Check for an update just to make sure you have the latest version. Click fix and let it delete whatever it finds. Be sure you click fix and not scan only.
Run HJT again and check and click fix checked for the following that are left.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5D9D472A-9AD1-4226-833E-D5B014B7CF38} - C:\WINDOWS\System32\coighea.dll

#7 hojo165

hojo165

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 02 June 2004 - 08:30 AM

I ran dllfix like you said and my machine went into a constant restart. The Windows screen would come up, and when it tried to boot Windows, it restarted. I ran in safe mode and restored to a previous date, and the machine is now running properly, but obviously the hijack problem is still there. Please advise.

Thanks.

P.S. Sorry for the late reply, I've been gone for a couple days.

Edited by hojo165, 02 June 2004 - 08:31 AM.


#8 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 02 June 2004 - 04:06 PM

Can you post another log?

#9 hojo165

hojo165

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 03 June 2004 - 08:31 AM

I won't be at that machine until tmw afternoon, I'll post the log then.

#10 hojo165

hojo165

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 04 June 2004 - 01:02 PM

Here's the log, HJT first, dllfix second:

Logfile of HijackThis v1.97.7
Scan saved at 1:00:25 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5D9D472A-9AD1-4226-833E-D5B014B7CF38} - C:\WINDOWS\System32\coighea.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8124.3115972222
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab



--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Fri 06/04/2004
12:58 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (4002:C004) - FS:NTFS clusters:512
Total: 40 015 954 432 [37G] - Free: 37 153 527 296 [35G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q822925;Q828750;Q837009;Q832894;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
12:58am up 0 days, 4:17
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\ASUIGG.DLL +++ File read error
\\?\C:\WINDOWS\System32\ASUIGG.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
30108 1584 norm SysFader
3012a 820 norm SysFader
20080 1584 norm Start Menu
100a4 1852 norm Norton AntiVirus
30036 1584 norm _Shell_TrayWnd
10026 628 high NetDDE Agent
70180 1852 norm Norton AntiVirus
300f8 376 norm C:\WINDOWS\System32\cmd.exe
3011a 1584 norm dllfix
40130 820 norm SWI Forums -> Replying in Yoursearcher - Microsoft Internet Explorer
20122 820 norm MCI command handling window
10118 820 norm DDE Server Window
100c6 1584 norm Connections Tray
200be 1584 norm Power Meter
300bc 1584 norm MS_WebcheckMonitor
1007e 1584 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D9D472A-9AD1-4226-833E-D5B014B7CF38}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{73C21C7D-3553-4C4A-8A5E-7B4880E559FF}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{73C21C7D-3553-4C4A-8A5E-7B4880E559FF}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



Thanks.

#11 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 04 June 2004 - 07:10 PM

Close all browsers and rerun HJT. Check and click fix checked for the following-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\coighea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5D9D472A-9AD1-4226-833E-D5B014B7CF38} - C:\WINDOWS\System32\coighea.dll
Restart your computer and delete
C:\WINDOWS\System32\coighea.dll

Since you restored to an earlier time we may need to start all over again.

Edited by OlTramp, 04 June 2004 - 07:10 PM.


#12 hojo165

hojo165

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 07 June 2004 - 08:36 AM

Did as you said, except the coighea.dll file was already gone when I restarted. At the very least I couldn't find it. Here's the new HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 8:31:23 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\All Users.email\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8124.3115972222
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab

Obviously, it's clean, but there's gotta be something else going on, doesn't there?

#13 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • PipPipPip
  • 148 posts

Posted 07 June 2004 - 06:40 PM

Hi
Exactly what symptoms are you still having? Your log is extremely short so what is it that does and what does not work correctly?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button