Can you please check our log?


13 replies to this topic

#1 computer help (Full Member, 8 posts)
Posted 24 May 2004 - 10:09 AM

Hi,

Our computer was hijacked over 2 weeks ago. We have followed all of the directions on this web page but we still think there is some stuff that we can't get rid of. We have run Ad-Aware, Spybot, CWShredder, and HijackThis. Below is the computer log from HijackThis. There are 2 things that we don't think should be there but it won't let us remove them. I have 2 logs, one from the other night and one from today.

I forgot to mention that the current web page that keeps coming up is about:blank. It keeps re-installing itself even after we get rid of it. The original problem kept sending us to search.html.

Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 1:03:27 AM, on 5/23/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\PackethSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\Cfxmt10.exe
C:\WINNT\System32\Nvr0A.exe
A:\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\Gip2.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



Logfile of HijackThis v1.97.7
Scan saved at 10:00:36 AM, on 5/24/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\PackethSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\Yvk4sD2.exe
C:\WINNT\System32\KpmfDx4d.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4417757B-E378-455D-BF54-B8AC4F368B3A} - C:\WINNT\System32\pphgha.dll
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\VchsZQoq.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by computer help, 24 May 2004 - 12:54 PM.
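The two logs above differ mostly in file names: the Run value 5YSZS@Z3Q4WKH8 points at Gip2.exe on 5/23 and at VchsZQoq.exe on 5/24, and the second log adds a res://...dll/sp.html search hijack and an unnamed BHO, both under pphgha.dll. What survives the renaming is structure, and that is what a triage script should key on. The script below is an added example for this page, not code from the poster, from HijackThis or from Find-All: it parses HijackThis 1.97 log text, flags the indicators that do not depend on the random names (res:// sp.html search entries, the about:blank HomeOldSP value, a BHO with no name, random-looking executables in System32) and diffs two runs to show which persistence slot the dropper reused. RUN_A and RUN_B are constructed, abbreviated, from the lines quoted in this post; KNOWN and looks_random() are my own heuristics and the allowlist must be tuned to the build being examined.

```python
"""Triage HijackThis v1.97 log text for the about:blank / res:// hijacker
pattern in this thread, and diff two runs to see what re-randomizes.
Added example; not code from the posters, HijackThis or Find-All.  RUN_A /
RUN_B are constructed (abbreviated) from post #1; KNOWN and looks_random()
are my own heuristics."""
import re

RUN_A = r"""
Running processes:
C:\WINNT\System32\Cfxmt10.exe
C:\WINNT\System32\Nvr0A.exe
A:\HijackThis.exe

O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\Gip2.exe
"""

RUN_B = r"""
Running processes:
C:\WINNT\System32\Yvk4sD2.exe
C:\WINNT\System32\KpmfDx4d.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4417757B-E378-455D-BF54-B8AC4F368B3A} - C:\WINNT\System32\pphgha.dll
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\VchsZQoq.exe
"""

ENTRY = re.compile(r'^(?P<kind>[RO]\d+) - (?P<body>.*)$')
RES_SP = re.compile(r'res://(?P<dll>\S+?\.dll)/sp\.html', re.I)
O4_RUN = re.compile(r'^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_BHO = re.compile(r'^BHO: (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
SYS32_EXE = re.compile(r'^C:\\WINNT\\System32\\(?P<base>[^\\]+)\.exe$', re.I)
# Assumption: stock binaries the helpers accepted by eye; extend for your build.
KNOWN = {'smss', 'winlogon', 'services', 'lsass', 'svchost', 'spoolsv',
         'regsvc', 'mstask', 'packethsvc', 'mobsync', 'regsvr32'}

def parse_hjt(text):
    """Split a log into its process list and (kind, body) entries."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'Running processes:':
            in_procs = True
        elif (m := ENTRY.match(line)):
            in_procs = False
            entries.append((m['kind'], m['body']))
        elif in_procs and line:
            procs.append(line)
        elif not line:
            in_procs = False
    return {'procs': procs, 'entries': entries}

def looks_random(base):
    """Stand-in for what the helpers judged by eye: digits or mid-word
    capitals in a System32 name that is not a known system binary."""
    return base.lower() not in KNOWN and bool(re.search(r'\d|.[A-Z]', base))

def launch_target(cmd):
    """First token of an O4 command line, surrounding quotes removed."""
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split(' ')[0]

def triage(run):
    """Findings for one run; an empty list means nothing was flagged."""
    out = []
    for proc in run['procs']:
        if (m := SYS32_EXE.match(proc)) and looks_random(m['base']):
            out.append(f'process: random-looking System32 binary {proc}')
    for kind, body in run['entries']:
        if kind.startswith('R') and (m := RES_SP.search(body)):
            out.append(f'{kind}: IE search setting served by res:// page inside {m["dll"]}')
        elif kind.startswith('R') and body.endswith('= about:blank'):
            out.append(f'{kind}: about:blank still recorded in {body.split(" = ")[0].split(",")[-1]}')
        elif kind == 'O2' and (m := O2_BHO.match(body)) and m['label'] == '(no name)':
            out.append(f'O2: unnamed BHO {m["clsid"]} -> {m["path"]}')
        elif kind == 'O4' and (m := O4_RUN.match(body)):
            t = SYS32_EXE.match(launch_target(m['cmd']))
            if t and looks_random(t['base']):
                out.append(f'O4: {m["hive"]}\\{m["key"]} [{m["name"]}] starts {t.group(0)}')
    return out

def diff_runs(a, b):
    """O4 entries matched by (hive, key, value name) whose command changed:
    the persistence slot the dropper keeps while renaming its executable."""
    def o4_map(run):
        return {(m['hive'], m['key'], m['name']): m['cmd']
                for kind, body in run['entries'] if kind == 'O4'
                for m in [O4_RUN.match(body)] if m}
    ma, mb = o4_map(a), o4_map(b)
    return {k: (ma[k], mb[k]) for k in ma.keys() & mb.keys() if ma[k] != mb[k]}

if __name__ == '__main__':
    a, b = parse_hjt(RUN_A), parse_hjt(RUN_B)
    for label, run in (('5/23', a), ('5/24', b)):
        print(label, *triage(run), sep='\n  ')
    for slot, (old, new) in diff_runs(a, b).items():
        print('reused slot', slot, ':', old, '->', new)
```

Run it against a full log saved to a file by replacing RUN_A and RUN_B with the file contents. The name heuristic is the weak part, as it was for the helpers reading by eye: the entries worth trusting are the res:// search pages, the unnamed BHO, and a Run value whose target changes between two scans while its name stays fixed.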


#2 computer help (Full Member, 8 posts)
Posted 25 May 2004 - 09:44 AM

Hi,

We are still having the problems with about:blank becoming our homepage. CWShredder gets rid of it temporarily but it comes right back.

Thanks!

#3 freeatlast (Retired Staff, 833 posts)
Posted 25 May 2004 - 12:25 PM

Download 'Find-All':

http://freeatlast.10...om/Find-All.zip

*Unzip, double-click on the "Find-All.CMD" file and post the log.

#4 computer help (Full Member, 8 posts)
Posted 25 May 2004 - 01:41 PM

Here it is...Thanks! I think I did it right but let me know if I didn't.

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Tue May 25 13:35:47 2004 -- ++Results:
»»System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (7CDB:4812) - FS:NTFS clusters:4k
Total: 20 538 490 880 [19G] - Free: 17 323 458 560 [16G]


»»IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321017"=""
"ESB{156E0377-EEDA-414F-9C2D-FF3EFC54D680}"=""


»»Wmplayer version:
6.4.9.1109 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3234.0 C:\WINNT\System32\msjava.dll


»»PC uptime:
1:35pm up 0 days, 3:08

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\RESPJ.DLL +++ File read error
\\?\C:\WINNT\System32\RESPJ.DLL +++ File read error


»»Tasks (services):
0 System Process
8 System
144 smss.exe
168 csrss.exe Title:
164 winlogon.exe Title: NetDDE Agent
224 services.exe Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi
236 lsass.exe Svcs: PolicyAgent,SamSs
404 svchost.exe Svcs: RpcSs
436 SPOOLSV.EXE Svcs: Spooler
472 nhksrv.exe Svcs: nhksrv
492 DefWatch.exe Svcs: DefWatch
516 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
552 Rtvscan.exe Svcs: Norton AntiVirus Server
628 regsvc.exe Svcs: RemoteRegistry
644 mstask.exe Svcs: Schedule
692 winmgmt.exe Svcs: WinMgmt
816 explorer.exe Title: Program Manager
988 VPTray.exe Title: Symantec AntiVirus Corporate Edition
1008 wcescomm.exe Title: DccMan
1024 msnmsgr.exe Title: Animated BMP Sequence
1264 JqvGn.exe Title:
1384 FeslA.exe Title:
1268 IEXPLORE.EXE Title: SWI Forums -> Can you please check our log? - Microsoft Internet Explorer
1068 cmd.exe Title: C:\WINNT\System32\cmd.exe
1364 ntvdm.exe
804 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFDE1BCF-9196-4AAB-9AC2-032C2E27C55B}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»ACLs list:
C:\junk Everyone:(OI)(CI)F

ERROR: There are no more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Tue May 25 13:35:55 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\MYDOWN~1\Find-All\winBackup.hiv
A C:\MYDOWN~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#5 freeatlast (Retired Staff, 833 posts)
Posted 25 May 2004 - 02:24 PM

Yup! You did it right!
Next,
Go to Start > Run > type:
regedit
and hit OK.
Regedit is set to open directly on this key:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

(*compare and be sure the path on the status bar is the same as indicated above!)

--The "Windows" subfolder should be highlighted. Right-click it, select Rename, and rename Windows as Windows1.

--Locate the "AppInit_DLLs" value on the right pane, right-click it and select 'Delete'.

--Select Windows1 on the left pane again and rename it back to its original name: Windows.

Use the top regedit menu View > Refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

-Close regedit, *restart computer.

--Navigate to the System32 folder, search for RESPJ.DLL, highlight it and use the folder's top menu option "Edit -> Move to folder...". Browse to and select the C:\junk folder (it was created during the first 'Find-All' run) and OK it.

--Re-run Find-All.cmd and post fresh output!

#6 computer help (Full Member, 8 posts)
Posted 25 May 2004 - 03:07 PM

Okay here is the latest......

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Tue May 25 15:05:04 2004 -- ++Results:
»»System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (7CDB:4812) - FS:NTFS clusters:4k
Total: 20 538 490 880 [19G] - Free: 17 321 144 320 [16G]


»»IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321017"=""
"ESB{156E0377-EEDA-414F-9C2D-FF3EFC54D680}"=""


»»Wmplayer version:
6.4.9.1109 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3234.0 C:\WINNT\System32\msjava.dll


»»PC uptime:
3:05pm up 0 days, 0:13

»»Locked or 'Suspect' file(s) found...
\\?\C:\junk\RESPJ.DLL +++ File read error


»»Tasks (services):
0 System Process
8 System
144 smss.exe
168 csrss.exe Title:
164 winlogon.exe Title: NetDDE Agent
216 services.exe Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi
228 lsass.exe Svcs: PolicyAgent,SamSs
384 svchost.exe Svcs: RpcSs
412 SPOOLSV.EXE Svcs: Spooler
440 nhksrv.exe Svcs: nhksrv
456 DefWatch.exe Svcs: DefWatch
472 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
508 Rtvscan.exe Svcs: Norton AntiVirus Server
572 regsvc.exe Svcs: RemoteRegistry
588 mstask.exe Svcs: Schedule
632 winmgmt.exe Svcs: WinMgmt
752 explorer.exe Title: Program Manager
968 VPTray.exe Title: Symantec AntiVirus Corporate Edition
1004 wcescomm.exe Title: DccMan
1028 msnmsgr.exe Title: Animated BMP Sequence
1172 KpmfDx4d.exe Title:
1196 KpmfDx4d.exe Title:
692 IEXPLORE.EXE Title: SWI Forums -> Can you please check our log? - Microsoft Internet Explorer
908 cmd.exe Title: C:\WINNT\System32\cmd.exe
1188 ntvdm.exe
1204 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFDE1BCF-9196-4AAB-9AC2-032C2E27C55B}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»ACLs list:
C:\junk Everyone:(OI)(CI)F

C:\junk\respj.dll Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE



»»Contents of file(s) in 'junk' folder:
respj.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

md5sums: Unable to open respj.dll

0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:
File: <C:\junk\respj.dll>




Tue May 25 15:05:06 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\MYDOWN~1\Find-All\winBackup.hiv
A C:\MYDOWN~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#7 freeatlast (Retired Staff, 833 posts)
Posted 25 May 2004 - 03:54 PM

Next,
Open the 'Find-All'\Tools subfolder.
Double-click once on the "ZIPZAP.bat" file!

It will quickly/silently do this:
*Restore your key & security back to defaults
*Reset permissions on the moved junk\*.dll file
*Create a zipped copy in the same folder: "junk.zip"
*Open your email client with the given address for submission!

--Drag the 'junk.zip' and submit the attachment to the specified address! Thanks ;)

When done, delete the "junk.zip" as well as the "junk" folder in C:\

--Re-run Find-All.cmd and post fresh output!


*Note:
This procedure will only get rid of the 'hidden' villain!
To repair all other issues you need to scan with CWShredder and Ad-Aware!
Once this is gone, they should be able to clean all the rest permanently!

#8 computer help (Full Member, 8 posts)
Posted 25 May 2004 - 04:23 PM

Okay I did all of that but I still don't think it is working. After I did as you instructed I ran Ad-Aware and CWShredder. I shut off the computer, undid the internet connection and re-assigned my home page. After I clicked on the internet again it went to about:blank.

Oh my goodness this thing is going to make me crazy!!!!

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Tue May 25 16:20:45 2004 -- ++Results:
»»System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (7CDB:4812) - FS:NTFS clusters:4k
Total: 20 538 490 880 [19G] - Free: 17 319 665 664 [16G]


»»IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321017"=""
"ESB{156E0377-EEDA-414F-9C2D-FF3EFC54D680}"=""


»»Wmplayer version:
6.4.9.1109 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3234.0 C:\WINNT\System32\msjava.dll


»»PC uptime:
4:20pm up 0 days, 0:05

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
8 System
144 smss.exe
168 csrss.exe Title:
164 winlogon.exe Title: NetDDE Agent
216 services.exe Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi
228 lsass.exe Svcs: PolicyAgent,SamSs
384 svchost.exe Svcs: RpcSs
412 SPOOLSV.EXE Svcs: Spooler
440 nhksrv.exe Svcs: nhksrv
456 DefWatch.exe Svcs: DefWatch
472 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
512 Rtvscan.exe Svcs: Norton AntiVirus Server
572 regsvc.exe Svcs: RemoteRegistry
588 mstask.exe Svcs: Schedule
632 winmgmt.exe Svcs: WinMgmt
756 explorer.exe Title: Program Manager
988 VPTray.exe Title: Symantec AntiVirus Corporate Edition
1004 wcescomm.exe Title: DccMan
1028 msnmsgr.exe Title: Animated BMP Sequence
1176 FeslA.exe Title:
1196 KpmfDx4d.exe Title:
1232 cmd.exe Title: C:\WINNT\System32\cmd.exe
1228 ntvdm.exe
1052 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB1D361F-6C3C-45A8-BA25-922D39D1F701}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»ACLs list:
C:\junk Everyone:(OI)(CI)F

ERROR: There are no more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Tue May 25 16:20:46 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\MYDOWN~1\Find-All\winBackup.hiv
A C:\MYDOWN~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#9 freeatlast (Retired Staff, 833 posts)
Posted 25 May 2004 - 04:31 PM

No, it worked perfectly! ;)

However Ad-Aware should have detected and removed these:

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

Both are related.

Leave them for now and just post a fresh HijackThis log.
There are orphaned AboutBlank lines left behind ...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
EDIT:
Just spotted this on your log:
»»M$Java version:
5.0.3234.0 C:\WINNT\System32\msjava.dll

This version is ~5 years outdated, on top of the fact that your IE is outdated as well!
DON'T expect any progress until your next visit to:
http://windowsupdate.microsoft.com

Come back after you have applied:
*ALL recent security patches, including DCOM and Java!
*IE6/SP1
*SP4 for Win2K

When you have completed all these tasks and there are no updates left, repost your HijackThis log!


Presumably you didn't update Ad-Aware as well, hence the leftovers!

Edited by freeatlast, 25 May 2004 - 04:46 PM.

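Across the three Find-All dumps in this thread the stock filters under HKEY_CLASSES_ROOT\PROTOCOLS\Filter (Class Install Handler, deflate, gzip, lzdhtml, text/webviewhtml) keep the same CLSIDs, while text/html and text/plain changed from {51A63B29-...} to {05D1B49C-...} between the first and third run, and the Browser Helper Objects subkey changed from {AFDE1BCF-...} to {BB1D361F-...}. The first dump also exported AppInit_DLLs as an empty string even though freeatlast treated that value as the loader, so the locked-file check (RESPJ.DLL, "File read error") is what actually caught the hidden DLL. The script below is an added example, not Find-All's own code and not freeatlast's: it reads the locked-file and REGEDIT4 sections of a Find-All report, flags locked System32 files, a non-empty AppInit_DLLs value, registered BHOs and MIME filters outside the stock set, and compares two reports for filters whose CLSID changed. REPORT_1 and REPORT_3 are constructed, abbreviated, from the dumps in posts #4 and #8; STOCK_FILTERS is taken from those dumps and is an assumption for any other Windows or IE build.

```python
"""Read the locked-file and REGEDIT4 sections of a Find-All report and flag
what freeatlast keyed on; compare two reports for re-registered MIME filters.
Added example, not Find-All's or the posters' code; REPORT_1 / REPORT_3 are
constructed (abbreviated) from the dumps in posts #4 and #8."""
import re

REPORT_1 = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\RESPJ.DLL +++ File read error

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFDE1BCF-9196-4AAB-9AC2-032C2E27C55B}]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"
"""

REPORT_3 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB1D361F-6C3C-45A8-BA25-922D39D1F701}]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"
"""

KEY = re.compile(r'^\[(?P<key>.+)\]$')
VAL = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')
LOCKED = re.compile(r'^\\\\\?\\(?P<path>.+?) \+\+\+ File read error$')
WINDOWS_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
BHO_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
FILTER_KEY = r'HKEY_CLASSES_ROOT\PROTOCOLS\Filter'
# Filters whose CLSIDs are identical in all three dumps in the thread.  For
# any other Windows/IE build this set is an assumption: verify on a clean box.
STOCK_FILTERS = {'Class Install Handler', 'deflate', 'gzip', 'lzdhtml', 'text/webviewhtml'}

def parse_report(text):
    """Return {'locked': [paths], 'keys': {key_path: {value_name: data}}}."""
    keys, locked, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := LOCKED.match(line)):
            locked.append(m['path'])
        elif (m := KEY.match(line)):
            cur = keys.setdefault(m['key'], {})
        elif cur is not None and (m := VAL.match(line)):
            data = m['data']
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]            # strip REG_SZ quoting
            cur[m['name'] or '@'] = data
    return {'locked': locked, 'keys': keys}

def subkey(key, parent):
    """Name of key under parent, or None if it is not a direct child."""
    return key[len(parent) + 1:] if key.startswith(parent + '\\') else None

def analyze(report):
    """Findings in report order; run 1 exported AppInit_DLLs empty while a
    DLL was loading, so the locked-file line is the reliable indicator."""
    out = [f'locked file: {p}' for p in report['locked']]
    if (dlls := report['keys'].get(WINDOWS_KEY, {}).get('AppInit_DLLs')):
        out.append(f'AppInit_DLLs loads {dlls}')
    for key, values in report['keys'].items():
        if (clsid := subkey(key, BHO_KEY)):
            out.append(f'BHO registered: {clsid}')
        elif (name := subkey(key, FILTER_KEY)) and name not in STOCK_FILTERS:
            out.append(f'non-stock MIME filter {name} -> {values.get("CLSID")}')
    return out

def changed_filters(r1, r2):
    """MIME filters present in both reports whose CLSID differs."""
    out = {}
    for key in r1['keys'].keys() & r2['keys'].keys():
        if (name := subkey(key, FILTER_KEY)):
            a, b = r1['keys'][key].get('CLSID'), r2['keys'][key].get('CLSID')
            if a != b:
                out[name] = (a, b)
    return out

if __name__ == '__main__':
    r1, r3 = parse_report(REPORT_1), parse_report(REPORT_3)
    print(*analyze(r1), *analyze(r3), sep='\n')
    print(changed_filters(r1, r3))
```

A MIME filter on text/html sits between IE and every page it renders, which is how a search page can be injected without touching the start-page value, and a CLSID that differs from one scan to the next is the sign that the component re-registers itself on each start rather than having been removed. The ACL lines Find-All printed after the move (Everyone: SYNCHRONIZE and FILE_EXECUTE only) explain the "File read error": the DLL could be loaded but not read or hashed.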

#10 computer help (Full Member, 8 posts)
Posted 25 May 2004 - 06:39 PM

Okay I think I have done everything. Here is my latest HijackThis log. I knew we had outdated software but when I tried to fix it the other day it wouldn't let me. At least we got rid of most of it so it let me do it today. Thanks for still helping us even though we are computer dummies! We never even knew you could update Windows until a few days ago.

This is going to sound like a really dumb question...but I will ask anyway. I can get free Windows Applications through work. If I want to update to Windows 2003 then what do I have to do to do that? Do I have to back up things that I currently have on the C drive (etc.) and then load it? Or can I just load it and it will transfer the files?

Also, we have Ad-Aware 6.0; is this an old version?

FYI, I didn't delete anything from this most recent HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 6:33:04 PM, on 5/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\KpmfDx4d.exe
C:\WINNT\System32\JqvGn.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {BB1D361F-6C3C-45A8-BA25-922D39D1F701} - C:\WINNT\System32\nipbka.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\Gip2.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [ACMWrapperV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\ACMWrapperV2.dll"
O4 - HKLM\..\RunOnce: [MediaPlayerV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\MediaPlayerV2.dll"
O4 - HKLM\..\RunOnce: [driversV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\driversV2.dll"
O4 - HKLM\..\RunOnce: [Cdbootable.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Cdbootable.dll"
O4 - HKLM\..\RunOnce: [cdDataPS.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdDataPS.dll"
O4 - HKLM\..\RunOnce: [cdExtra.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdExtra.dll"
O4 - HKLM\..\RunOnce: [cdmp3.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdmp3.dll"
O4 - HKLM\..\RunOnce: [database.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\database.dll"
O4 - HKLM\..\RunOnce: [ISO9660.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\ISO9660.dll"
O4 - HKLM\..\RunOnce: [Joliet.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Joliet.dll"
O4 - HKLM\..\RunOnce: [Udf.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Udf.dll"
O4 - HKLM\..\RunOnce: [creator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll"
O4 - HKLM\..\RunOnce: [Translator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Translator.dll"
O4 - HKLM\..\RunOnce: [CDEngine.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\CDEngine.dll"
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINNT\inf\unregmp2.exe /FixUps
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8132.6382175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by computer help, 25 May 2004 - 06:40 PM.


#11 freeatlast (Retired Staff, 833 posts)
Posted 26 May 2004 - 05:13 AM

For the rest of your problems, the most recent version of Ad-Aware:
http://www.lavasoftu...ftware/adaware/

*Updates:
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

Until you follow up properly, it won't be resolved!

Good luck!

#12 computer help

computer help

    Member

  • Full Member
  • 8 posts

Posted 26 May 2004 - 07:41 PM

Thank you so much! :) :) :)

I think it is okay now.....can you look at my HijackThis log again to make sure?

Logfile of HijackThis v1.97.7
Scan saved at 7:40:13 PM, on 5/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\documents and settings\bill1\local settings\temp\IDvofAhAp.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\documents and settings\bill1\local settings\temp\Z5.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\downloader.exe
C:\WINNT\System32\Nvr0A.exe
C:\WINNT\System32\Yvk4sD2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
A:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5AABF295-8D56-405D-907E-98AF1BF5AE0B} - C:\WINNT\System32\nipbka.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\KxrWgd1.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IDvofAhAp.exe] C:\documents and settings\bill1\local settings\temp\IDvofAhAp.exe
O4 - HKLM\..\Run: [Z5.exe] C:\documents and settings\bill1\local settings\temp\Z5.exe
O4 - HKLM\..\Run: [Bakra] C:\WINNT\System32\IEHost.exe
O4 - HKLM\..\Run: [usmj33O] ppcost.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [downloader.exe] C:\downloader.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8132.6382175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#13 freeatlast

freeatlast

    Explorer

  • Retired Staff
  • 833 posts

Posted 26 May 2004 - 10:40 PM

CWS problem is gone, but you have others and some new pests.

Fix check the following in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5AABF295-8D56-405D-907E-98AF1BF5AE0B} - C:\WINNT\System32\nipbka.dll (file missing)
O4 - HKLM\..\Run: [IDvofAhAp.exe] C:\documents and settings\bill1\local settings\temp\IDvofAhAp.exe
O4 - HKLM\..\Run: [Z5.exe] C:\documents and settings\bill1\local settings\temp\Z5.exe
O4 - HKLM\..\Run: [Bakra] C:\WINNT\System32\IEHost.exe
O4 - HKLM\..\Run: [usmj33O] ppcost.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKCU\..\Run: [downloader.exe] C:\downloader.exe
Restart your computer in safe mode.
Find and delete:
C:\(downloader.exe, searchpage.html) files
C:\Program Files\(AutoUpdate) folder
C:\WINNT\System32\(IEHost.exe, dp-him.exe) files

Go to:
C:\documents and settings\bill1 folder.
Click->tools/folder options/view
Check->show hidden files and folders.
'ok' it.
Open the 'Local Settings\Temp' subfolder.
Delete entire contents of temp folder.

Run a search on your drive
for: 'ppcost.exe', delete when/if found.

When done, follow the steps on this page, while being online:
http://www.memorywat...com/remove.aspx

They may not fully work, but worth a shot.

Post another hijackthis log when done.
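The triage freeatlast applies above, written up as an added Python example that is not from this thread or from HijackThis: it parses lines in the log format quoted here and flags the same kinds of entries (an autorun launched from the user's temp folder or from the drive root, a bare filename that has to be located on disk first, a BHO whose DLL is missing, and a search page pointing at a local file). The sample lines and the heuristics are my own, constructed from the shapes seen in this thread.

```python
import re

# Constructed sample, shaped like the HijackThis v1.97.7 log quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
O2 - BHO: (no name) - {5AABF295-8D56-405D-907E-98AF1BF5AE0B} - C:\WINNT\System32\nipbka.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Z5.exe] C:\documents and settings\bill1\local settings\temp\Z5.exe
O4 - HKLM\..\Run: [usmj33O] ppcost.exe
O4 - HKCU\..\Run: [downloader.exe] C:\downloader.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")          # "O4 - <body>"
AUTORUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (.*)$")  # O4 body
TARGET = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr))', re.I)   # program path, quoted or not
TEMP_DIR = re.compile(r"\\local settings\\temp\\", re.I)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)
LOCAL_FILE = re.compile(r"=\s*[a-z]:\\", re.I)

def autorun_target(body):
    """Return the program path from an O4 body, or None if it is not an O4 autorun."""
    m = AUTORUN.match(body)
    if not m:
        return None
    cmd = m.group(1).strip()
    t = TARGET.match(cmd)
    return t.group(1) if t else cmd

def triage(log_text):
    """Return (reason, line) pairs for the entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, blank, or running-process line
        section, body = m.groups()
        if section.startswith("R") and "Search" in body and LOCAL_FILE.search(body):
            findings.append(("search page redirected to a local file", line))
        elif section == "O2" and "(file missing)" in body:
            findings.append(("BHO registered but its DLL is missing", line))
        elif section == "O4":
            target = autorun_target(body)
            if target is None:
                continue
            if TEMP_DIR.search(target):
                findings.append(("autorun launched from the user temp folder", line))
            elif DRIVE_ROOT.match(target):
                findings.append(("autorun launched from the drive root", line))
            elif "\\" not in target:
                findings.append(("bare filename, locate it on disk before judging", line))
    return findings
```

Entries under Program Files with a known vendor path (vptray, Winamp) pass through untouched; the script only orders what a human still has to confirm.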

#14 computer help

computer help

    Member

  • Full Member
  • 8 posts

Posted 12 June 2004 - 01:37 PM

Hi,

We have been on vacation so I am just now getting a chance to work on this again.....

Bad news. Only one thing that I have tried from the last stuff you sent is working.

I can't find any files named downloader.exe, searchpage.html, autoupdate folder, IEHost.exe, dp-him.exe

I was able to show the hidden files and delete them.

I did not find ppcost.exe

When I went to memorywatcher.com/remove.aspx I was able to download the program but my computer will not let me open it so that I can remove the file.

Here is my latest HijackThis log.....

Let me know what you think....THANKS!

Logfile of HijackThis v1.97.7
Scan saved at 1:37:17 PM, on 6/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
A:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8132.6382175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
