computer help

Can you please check our log?

14 posts in this topic

Hi,

 

Our computer was hijacked over 2 weeks ago. We have followed all of the directions on this web page but we still think there is some stuff that we can't get rid of. We have run Ad-Aware, Spybot, CWShredder, and HijackThis. Below is the computer log from HijackThis. There are 2 things that we don't think should be there but it won't let us remove them. I have 2 logs, one from the other night and one from today.

 

I forgot to mention that the current web page that keeps coming up is about:blank. It keeps re-installing itself even after we get rid of it. The original problem kept sending us to search.html.

 

Thanks!

 

Logfile of HijackThis v1.97.7

Scan saved at 1:03:27 AM, on 5/23/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\WINNT\System32\PackethSvc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINNT\System32\Cfxmt10.exe

C:\WINNT\System32\Nvr0A.exe

A:\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

 

O4 - HKLM\..\Run: [sAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck

O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\Gip2.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:00:36 AM, on 5/24/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\WINNT\System32\PackethSvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINNT\System32\Yvk4sD2.exe

C:\WINNT\System32\KpmfDx4d.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

A:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {4417757B-E378-455D-BF54-B8AC4F368B3A} - C:\WINNT\System32\pphgha.dll

O4 - HKLM\..\Run: [sAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck

O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\VchsZQoq.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Edited by computer help


Hi,

 

We are still having the problems with about:blank becoming our homepage. CWShredder gets rid of it temporarily but it comes right back.

 

Thanks!


Here it is...Thanks! I think I did it right but let me know if I didn't.

 

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--

 

 

Tue May 25 13:35:47 2004 -- ++Results:

»»System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "" (7CDB:4812) - FS:NTFS clusters:4k

Total: 20 538 490 880 [19G] - Free: 17 323 458 560 [16G]

 

 

»»IE version and Service packs:

6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321017"=""

"ESB{156E0377-EEDA-414F-9C2D-FF3EFC54D680}"=""

 

 

»»Wmplayer version:

6.4.9.1109 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3234.0 C:\WINNT\System32\msjava.dll

 

 

»»PC uptime:

1:35pm up 0 days, 3:08

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINNT\System32\RESPJ.DLL +++ File read error

\\?\C:\WINNT\System32\RESPJ.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

8 System

144 smss.exe

168 csrss.exe Title:

164 winlogon.exe Title: NetDDE Agent

224 services.exe Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,M

ssenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi

236 lsass.exe Svcs: PolicyAgent,SamSs

404 svchost.exe Svcs: RpcSs

436 SPOOLSV.EXE Svcs: Spooler

472 nhksrv.exe Svcs: nhksrv

492 DefWatch.exe Svcs: DefWatch

516 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv

552 Rtvscan.exe Svcs: Norton AntiVirus Server

628 regsvc.exe Svcs: RemoteRegistry

644 mstask.exe Svcs: Schedule

692 winmgmt.exe Svcs: WinMgmt

816 explorer.exe Title: Program Manager

988 VPTray.exe Title: Symantec AntiVirus Corporate Edition

1008 wcescomm.exe Title: DccMan

1024 msnmsgr.exe Title: Animated BMP Sequence

1264 JqvGn.exe Title:

1384 FeslA.exe Title:

1268 IEXPLORE.EXE Title: SWI Forums -> Can you please check our log? - Microsoft Internet Explorer

1068 cmd.exe Title: C:\WINNT\System32\cmd.exe

1364 ntvdm.exe

804 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFDE1BCF-9196-4AAB-9AC2-032C2E27C55B}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»ACLs list:

C:\junk Everyone:(OI)(CI)F

 

ERROR: There are no more files.

 

 

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Tue May 25 13:35:55 2004 -- ++Find-All 'Windows'.hiv .reg list:

A C:\MYDOWN~1\Find-All\winBackup.hiv

A C:\MYDOWN~1\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Yup! You did it right!

Next,

Go to Start > Run > type:

regedit

hit OK.

Regedit is set to open directly on this key:

*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

(*compare and be sure the path on the status bar is the same as indicated above!)

--The "Windows" subfolder should be highlighted. Right-click it > select > Rename, and rename Windows as Windows1.

--Locate the "AppInit_DLLs" value on the right pane, right-click it and select 'Delete'.

--Select Windows1 on the left pane again and rename it back to its original name: Windows.

Use the top regedit menu View > Refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

-Close regedit, *restart computer.

--Navigate to the System32 folder, search for RESPJ.DLL, highlight it and use the folder's top menu option "Edit -> Move to folder...". Browse to and select the C:\junk folder (it was created during the first 'Find-All' run) and 'OK' it.

--Re-run Find-All.cmd and post fresh output!


Okay, here is the latest...

 

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--

 

 

Tue May 25 15:05:04 2004 -- ++Results:

»»System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "" (7CDB:4812) - FS:NTFS clusters:4k

Total: 20 538 490 880 [19G] - Free: 17 321 144 320 [16G]

 

 

»»IE version and Service packs:

6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321017"=""

"ESB{156E0377-EEDA-414F-9C2D-FF3EFC54D680}"=""

 

 

»»Wmplayer version:

6.4.9.1109 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3234.0 C:\WINNT\System32\msjava.dll

 

 

»»PC uptime:

3:05pm up 0 days, 0:13

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\junk\RESPJ.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

8 System

144 smss.exe

168 csrss.exe Title:

164 winlogon.exe Title: NetDDE Agent

216 services.exe Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,M

ssenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi

228 lsass.exe Svcs: PolicyAgent,SamSs

384 svchost.exe Svcs: RpcSs

412 SPOOLSV.EXE Svcs: Spooler

440 nhksrv.exe Svcs: nhksrv

456 DefWatch.exe Svcs: DefWatch

472 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv

508 Rtvscan.exe Svcs: Norton AntiVirus Server

572 regsvc.exe Svcs: RemoteRegistry

588 mstask.exe Svcs: Schedule

632 winmgmt.exe Svcs: WinMgmt

752 explorer.exe Title: Program Manager

968 VPTray.exe Title: Symantec AntiVirus Corporate Edition

1004 wcescomm.exe Title: DccMan

1028 msnmsgr.exe Title: Animated BMP Sequence

1172 KpmfDx4d.exe Title:

1196 KpmfDx4d.exe Title:

692 IEXPLORE.EXE Title: SWI Forums -> Can you please check our log? - Microsoft Internet Explorer

908 cmd.exe Title: C:\WINNT\System32\cmd.exe

1188 ntvdm.exe

1204 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFDE1BCF-9196-4AAB-9AC2-032C2E27C55B}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{51A63B29-65A0-40F3-AC16-C9B6917AAAC6}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read Everyone

(ID-IO) ALLOW Read Everyone

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read Everyone

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»ACLs list:

C:\junk Everyone:(OI)(CI)F

 

C:\junk\respj.dll Everyone:(special access:)

 

SYNCHRONIZE

FILE_EXECUTE

 

 

 

»»Contents of file(s) in 'junk' folder:

respj.dll

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

md5sums: Unable to open respj.dll

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

File: <C:\junk\respj.dll>

 

 

 

 

Tue May 25 15:05:06 2004 -- ++Find-All 'Windows'.hiv .reg list:

A C:\MYDOWN~1\Find-All\winBackup.hiv

A C:\MYDOWN~1\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Next,

Open the 'Find-All'\Tools subfolder.

Double-click once on the "ZIPZAP.bat" file!

It will quickly/silently do this:

*Restore your key & security back to defaults
*Reset permissions on the junk\*.dll moved file
*Create a zipped copy in the same folder: "junk.zip"
*Open your email client with the given address for submission!

--Drag the 'junk.zip' and submit the attachment to the specified address! Thanks ;)

When done, delete the "junk.zip" as well as the "junk" folder in C:\

--Re-run Find-All.cmd and post fresh output!

*Note:
This procedure will only get rid of the 'hidden' villain! To repair all other issues you need to scan with CWShredder and Ad-Aware! Once this is gone, they should be able to clean all the rest permanently!


Okay, I did all of that but I still don't think it is working. After I did as you instructed I ran Ad-Aware and CWShredder. I shut off the computer, undid the internet connection and re-assigned my home page. After I clicked on the internet again it went to about:blank.

 

Oh my goodness this thing is going to make me crazy!!!!

 

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--

 

 

Tue May 25 16:20:45 2004 -- ++Results:

»»System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "" (7CDB:4812) - FS:NTFS clusters:4k

Total: 20 538 490 880 [19G] - Free: 17 319 665 664 [16G]

 

 

»»IE version and Service packs:

6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321017"=""

"ESB{156E0377-EEDA-414F-9C2D-FF3EFC54D680}"=""

 

 

»»Wmplayer version:

6.4.9.1109 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3234.0 C:\WINNT\System32\msjava.dll

 

 

»»PC uptime:

4:20pm up 0 days, 0:05

 

»»Locked or 'Suspect' file(s) found...

 

 

»»Tasks (services):

0 System Process

8 System

144 smss.exe

168 csrss.exe Title:

164 winlogon.exe Title: NetDDE Agent

216 services.exe Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,M

ssenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi

228 lsass.exe Svcs: PolicyAgent,SamSs

384 svchost.exe Svcs: RpcSs

412 SPOOLSV.EXE Svcs: Spooler

440 nhksrv.exe Svcs: nhksrv

456 DefWatch.exe Svcs: DefWatch

472 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv

512 Rtvscan.exe Svcs: Norton AntiVirus Server

572 regsvc.exe Svcs: RemoteRegistry

588 mstask.exe Svcs: Schedule

632 winmgmt.exe Svcs: WinMgmt

756 explorer.exe Title: Program Manager

988 VPTray.exe Title: Symantec AntiVirus Corporate Edition

1004 wcescomm.exe Title: DccMan

1028 msnmsgr.exe Title: Animated BMP Sequence

1176 FeslA.exe Title:

1196 KpmfDx4d.exe Title:

1232 cmd.exe Title: C:\WINNT\System32\cmd.exe

1228 ntvdm.exe

1052 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB1D361F-6C3C-45A8-BA25-922D39D1F701}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»ACLs list:

C:\junk Everyone:(OI)(CI)F

 

ERROR: There are no more files.

 

 

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Tue May 25 16:20:46 2004 -- ++Find-All 'Windows'.hiv .reg list:

A C:\MYDOWN~1\Find-All\winBackup.hiv

A C:\MYDOWN~1\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


No, it worked perfectly! ;)

However Ad-Aware should have detected and removed these:

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

Both are related.

Leave them for now and just post a fresh HijackThis log.
There are orphaned AboutBlank lines left behind ...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

EDIT:
Just spotted this on your log:

»»M$Java version:
5.0.3234.0 C:\WINNT\System32\msjava.dll

This version is ~5 years outdated, on top of the fact that your IE is outdated as well!
DON'T expect any progress until your next visit to:
http://windowsupdate.microsoft.com

Come back after you have applied:
*ALL recent security patches, including DCOM and Java!
*IE6/SP1
*SP4 for Win2K

When you have completed all these tasks and there are no updates left, repost your HijackThis log!

Presumably you didn't update Ad-Aware as well, hence the leftovers!

Edited by freeatlast

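An added triage script (my own example, not code from the thread, from HijackThis or from Find-All) that parses the HijackThis R0/R1/O2/O4 lines from the first post and the REGEDIT4 export of HKCR\PROTOCOLS\Filter that Find-All prints, and flags the signs pointed at in this thread: search settings redirected into a res:// DLL, the about:blank leftover, the nameless BHO, the random-named Run entry, and the non-stock text/html MIME filter the helper says Ad-Aware should have removed. The stock-CLSID baseline (the filters that never changed across the Find-All runs) and the Run-entry rule are assumptions of this example, not an official list.

```python
import re

# Sample HijackThis lines, constructed from the logs quoted in this thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\pphgha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {4417757B-E378-455D-BF54-B8AC4F368B3A} - C:\WINNT\System32\pphgha.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\Gip2.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
"""

# REGEDIT4 export of HKCR\PROTOCOLS\Filter in the form Find-All prints it (from the thread).
FILTER_SAMPLE = r"""
REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{05D1B49C-7537-4E78-BAF1-3CE900F7C937}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
"""

# Assumed baseline: the filter CLSIDs that stayed identical across every Find-All run
# in the thread and that the helper never flagged. Not an official Microsoft list.
STOCK_FILTER_CLSIDS = {
    "{32B533BB-EDAE-11D0-BD5A-00AA00B92AF1}",  # Class Install Handler
    "{8F6B0360-B80D-11D0-A9B3-006097942311}",  # deflate / gzip / lzdhtml
    "{733AC4CB-F1A4-11D0-B951-00A0C90312E1}",  # text/webviewhtml
}

RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")
SYSTEM32_EXE = re.compile(r"^[A-Z]:\\[^\\]+\\System32\\[^\\]+\.exe\b", re.IGNORECASE)
FILTER_PREFIX = "HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\"


def triage_hjt(text):
    """Return (code, where, detail) findings for the hijack signs discussed in the thread."""
    findings = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith(("R0 - ", "R1 - ")):
            setting, _, value = line[5:].partition(" = ")
            m = RES_DLL.search(value)
            if m:
                # search/start setting redirected into a resource inside a local DLL
                findings.append(("res_dll", setting, m.group(1)))
            elif value.lower().startswith("about:blank"):
                findings.append(("about_blank", setting, value))
        elif line.startswith("O2 - "):
            m = O2_LINE.match(line)
            if m and m.group(1) == "(no name)":
                # nameless BHO: in this thread it is the hijacker DLL itself
                findings.append(("nameless_bho", m.group(2), m.group(3)))
        elif line.startswith("O4 - "):
            m = O4_LINE.match(line)
            if m is None:
                continue
            name, target = m.group(2), m.group(3)
            # heuristic: random-looking value name that launches a bare System32 executable
            if SYSTEM32_EXE.match(target) and re.search(r"[0-9@]", name):
                findings.append(("odd_run_entry", name, target))
    return findings


def triage_protocol_filters(reg_text):
    """Flag HKCR\\PROTOCOLS\\Filter subkeys whose CLSID is outside the assumed baseline."""
    findings = []
    subkey = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            in_filter = key.upper().startswith(FILTER_PREFIX.upper())
            subkey = key[len(FILTER_PREFIX):] if in_filter else None
        elif subkey and line.upper().startswith('"CLSID"='):
            clsid = line.split("=", 1)[1].strip().strip('"').upper()
            if clsid not in STOCK_FILTER_CLSIDS:
                findings.append(("nonstock_filter", subkey, clsid))
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(HJT_SAMPLE) + triage_protocol_filters(FILTER_SAMPLE):
        print(" | ".join(finding))
```

Feed it a whole HijackThis log and the Find-All PROTOCOLS\Filter block to get the same short list of suspects the helper picked out by hand.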

Okay, I think I have done everything. Here is my latest HijackThis log. I knew we had outdated software but when I tried to fix it the other day it wouldn't let me. At least we got rid of most of it, so it let me do it today. Thanks for still helping us even though we are computer dummies! We never even knew you could update Windows until a few days ago.

This is going to sound like a really dumb question... but I will ask anyway. I can get free Windows applications through work. If I want to update to Windows 2003 then what do I have to do to do that? Do I have to back up things that I currently have on the C drive (etc.) and then load it? Or can I just load it and it will transfer the files?

Also, we have Ad-Aware 6.0; is this an old version?

FYI, I didn't delete anything from this most recent HijackThis log.

 

Logfile of HijackThis v1.97.7

Scan saved at 6:33:04 PM, on 5/25/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINNT\System32\KpmfDx4d.exe

C:\WINNT\System32\JqvGn.exe

A:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\nipbka.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {BB1D361F-6C3C-45A8-BA25-922D39D1F701} - C:\WINNT\System32\nipbka.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [sAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck

O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\Gip2.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKLM\..\RunOnce: [ACMWrapperV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\ACMWrapperV2.dll"

O4 - HKLM\..\RunOnce: [MediaPlayerV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\MediaPlayerV2.dll"

O4 - HKLM\..\RunOnce: [driversV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\driversV2.dll"

O4 - HKLM\..\RunOnce: [Cdbootable.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Cdbootable.dll"

O4 - HKLM\..\RunOnce: [cdDataPS.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdDataPS.dll"

O4 - HKLM\..\RunOnce: [cdExtra.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdExtra.dll"

O4 - HKLM\..\RunOnce: [cdmp3.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdmp3.dll"

O4 - HKLM\..\RunOnce: [database.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\database.dll"

O4 - HKLM\..\RunOnce: [iSO9660.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\ISO9660.dll"

O4 - HKLM\..\RunOnce: [Joliet.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Joliet.dll"

O4 - HKLM\..\RunOnce: [udf.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Udf.dll"

O4 - HKLM\..\RunOnce: [creator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll"

O4 - HKLM\..\RunOnce: [Translator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Translator.dll"

O4 - HKLM\..\RunOnce: [CDEngine.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\CDEngine.dll"

O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINNT\inf\unregmp2.exe /FixUps

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8132.6382175926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Edited by computer help


Thank you so much! :):):)

I think it is okay now... can you look at my HijackThis log again to make sure?

 

Logfile of HijackThis v1.97.7

Scan saved at 7:40:13 PM, on 5/26/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe

C:\documents and settings\bill1\local settings\temp\IDvofAhAp.exe

C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

C:\documents and settings\bill1\local settings\temp\Z5.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\downloader.exe

C:\WINNT\System32\Nvr0A.exe

C:\WINNT\System32\Yvk4sD2.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

A:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5AABF295-8D56-405D-907E-98AF1BF5AE0B} - C:\WINNT\System32\nipbka.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [sAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck

O4 - HKLM\..\Run: [5YSZS@Z3Q4WKH8] C:\WINNT\System32\KxrWgd1.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iDvofAhAp.exe] C:\documents and settings\bill1\local settings\temp\IDvofAhAp.exe

O4 - HKLM\..\Run: [Z5.exe] C:\documents and settings\bill1\local settings\temp\Z5.exe

O4 - HKLM\..\Run: [bakra] C:\WINNT\System32\IEHost.exe

O4 - HKLM\..\Run: [usmj33O] ppcost.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [downloader.exe] C:\downloader.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8132.6382175926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


cws problem is gone, but you have others and some new pests.

 

Fix check the following in hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5AABF295-8D56-405D-907E-98AF1BF5AE0B} - C:\WINNT\System32\nipbka.dll (file missing)

O4 - HKLM\..\Run: [iDvofAhAp.exe] C:\documents and settings\bill1\local settings\temp\IDvofAhAp.exe

O4 - HKLM\..\Run: [Z5.exe] C:\documents and settings\bill1\local settings\temp\Z5.exe

O4 - HKLM\..\Run: [bakra] C:\WINNT\System32\IEHost.exe

O4 - HKLM\..\Run: [usmj33O] ppcost.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe

O4 - HKCU\..\Run: [downloader.exe] C:\downloader.exe

 

 

Restart your computer in safe mode.

Find and delete:

C:\(downloader.exe, searchpage.html) files

C:\Program Files\(AutoUpdate) folder

C:\WINNT\System32\(IEHost.exe, dp-him.exe) files

 

Go to:

C:\documents and settings\bill1 folder.

Click->tools/folder options/view

Check->show hidden files and folders.

'ok' it.

Open the 'Local Settings'\Temp< Subfolder.

Delete entire contents of temp folder.

 

Run a search on your drive

for: 'ppcost.exe', delete when/if found.

 

When done, follow the steps on this page, while being online:

http://www.memorywatcher.com/remove.aspx

 

They may not fully work, but worth a shot.

 

Post another hijackthis log when done.
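The triage the helper does by eye above, as an added example that is not part of this thread: a small Python script that reads HijackThis v1.97.7 entries and flags the patterns called out here (an autostart launched from a Temp folder or the drive root, a bare filename with no path, a BHO whose DLL is missing, and an IE search page pointing at a local file). The sample lines are a subset copied from the logs posted in this thread; the flag rules are my own heuristics, not anything HijackThis itself does.

```python
import re

# Constructed sample: a subset of the HijackThis v1.97.7 lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5AABF295-8D56-405D-907E-98AF1BF5AE0B} - C:\WINNT\System32\nipbka.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Z5.exe] C:\documents and settings\bill1\local settings\temp\Z5.exe
O4 - HKLM\..\Run: [usmj33O] ppcost.exe
O4 - HKCU\..\Run: [downloader.exe] C:\downloader.exe
"""

# O4 line: "O4 - HKLM\..\Run: [name] command"; group 2 is the command line.
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run(?:Once)?: \[[^\]]*\] (.*)$")
# First program path in a command line, quoted or not, up to its .exe/.dll.
EXE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll))', re.IGNORECASE)


def autostart_path(command):
    """Pull the program path out of an O4 command line (quoted or not)."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def triage(log_text):
    """Return (hjt_line, reason) pairs for entries a reviewer would look at first."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if line[:2] in ("R0", "R1") and "CustomizeSearch" in line and re.search(r"= [a-z]:\\", line, re.I):
            findings.append((line, "IE search page redirected to a local HTML file"))
        elif line.startswith("R3") and "URLSearchHook is missing" in line:
            findings.append((line, "default URLSearchHook removed (typical hijacker side effect)"))
        elif line.startswith("O2") and "(file missing)" in line:
            findings.append((line, "BHO registered but its DLL is gone: stale registration to remove"))
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            path = autostart_path(m.group(2)).lower()
            if "\\temp\\" in path:
                findings.append((line, "autostart launched from a Temp folder"))
            elif re.fullmatch(r"[a-z]:\\[^\\]+", path):
                findings.append((line, "autostart launched from the drive root"))
            elif "\\" not in path:
                findings.append((line, "bare filename resolved via PATH: locate the file before judging"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Known-good entries such as vptray.exe under Program Files pass silently, so the output is the short list a helper would ask the poster to fix.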


Hi,

 

We have been on vacation so I am just now getting a chance to work on this again.....

 

Bad news. Only one thing that I have tried from the last stuff you sent is working.

 

I can't find any files named downloader.exe, searchpage.html, autoupdate folder, IEHost.exe, dp-him.exe

 

I was able to show the hidden files and delete them.

 

I did not find ppcost.exe

 

When I went to memorywatcher.com/remove.aspx I was able to download the program but my computer will not let me open it so that I can remove the file.

 

Here is my latest hijack this log.....

 

Let me know what you think....THANKS!

 

Logfile of HijackThis v1.97.7

Scan saved at 1:37:17 PM, on 6/12/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

A:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8132.6382175926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
