about:blank - apitrap.dll


11 replies to this topic

#1 timbo (Full Member, 7 posts)

Posted 24 May 2004 - 03:10 PM

Hello forum

I have the about:blank hijack scenario on my browser. I have read the postings regarding removing the hidden .dll file.

I have downloaded and run Spybot S&D, CWShredder

My discoveries are this:-

1. I have downloaded and run reglite.

2. The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows NT\CurrentVersion\Windows\\AppInit_DLLs setting is ‘apitrap.dll’

3. My laptop also has the same registry key setting so I am unsure as to if I can delete the ‘hidden file’ as per the instructions posted at http://www.spywarein...showtopic=43492

Hi Hijack Log
Logfile of HijackThis v1.97.7
Scan saved at 20:55:37, on 24/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\EXSHOW95.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\Pelmiced.exe
C:\WINDOWS\System32\EXSHOW.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Norton CleanSweep\csinsmnt.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Network Associates\PGP60\PGPtray.exe
C:\VSTASCAN\vsaccess.exe
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Tim Arnold\My Documents\HijackThis.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Tim Arnold\Application Data\Mozilla\Profiles\default\rrbelzgk.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {B27A7FD6-FFF8-465A-93CD-C98E4F4D0AAD} - C:\WINDOWS\mrhop.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ussshreg] C:\PROGRA~1\ULEADW~1.0\Ussshreg.exe /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [MemScanner] C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP60\PGPtray.exe
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\RealDownload.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpa: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7885.2225925926
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39D781A7-8150-486D-954C-B7D6B7E110F7}: NameServer = 195.92.195.94 195.92.195.95

Edited by timbo, 25 May 2004 - 05:35 AM.


#2 timbo (Full Member, 7 posts)

Posted 25 May 2004 - 05:42 AM

Bump for help plz

#3 freeatlast (Retired Staff, 833 posts)

Posted 25 May 2004 - 06:31 AM

There is a valid apitrap.dll.
Search for it on the affected box, and see whether it
can be found!
RightClick and post back what is listed in properties.

Download:
http://freeatlast.10...om/Find-All.zip
*UNzip!

DoubleClick on the 'Find-All.cmd' file,
follow instructions and post the log!

#4 timbo (Full Member, 7 posts)

Posted 25 May 2004 - 06:41 AM

Thanks, but what did u mean by

Search for it on the affected box, and see whether it can be found!

RightClick and post back what is listed in properties.

#5 timbo (Full Member, 7 posts)

Posted 25 May 2004 - 07:06 AM

ty for your help

apitrap.dll is not hidden and can be found in the system32 folder

OUTPUT.TXT file follows ...............

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Tue May 25 12:53:26 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (4841:A6AD) - FS:NTFS clusters:4k
Total: 120 015 024 128 [112G] - Free: 107 192 053 760 [100G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q822925;Q828750;Q824145;Q832894;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3805.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
12:53am up 0 days, 2:55

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
616 smss.exe
672 csrss.exe Title:
712 winlogon.exe Title: NetDDE Agent
768 services.exe Svcs: Eventlog,PlugPlay
780 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
956 svchost.exe Svcs: RpcSs
1088 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,HidServ,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedu
e,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Them
s,TrkWks,upl
1220 svchost.exe Svcs: Dnscache
1252 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
1432 spoolsv.exe Svcs: Spooler
1540 alg.exe Svcs: ALG
1560 cisvc.exe Svcs: CiSvc
1576 dcfssvc.exe Svcs: Dcfssvc
1648 NAVAPSVC.EXE Svcs: navapsvc
1720 nvsvc32.exe Svcs: NVSvc
2020 explorer.exe Title: Program Manager
328 svchost.exe Svcs: stisvc
684 nutsrv4.exe Svcs: NuTCRACKERService
1136 ntvdm.exe Title: Cleansweep WOW Smart Sweep
1592 soundman.exe Title: ALSMTray
1672 NAVAPW32.EXE Title: Norton AntiVirus
1780 exshow95.exe Title:
1856 carpserv.exe
1872 ico.exe Title: Daemon Spy
1884 PELMICED.EXE Title: MS98 Daemon
1908 realplay.exe Title:
1916 exshow.exe Title:
1980 MemScanner.exe Title: MemScanner
2012 wcescomm.exe Title: DccMan
2032 mnyexpr.exe Title: Money Express - Microsoft Money
124 OCRAWR32.EXE Title:
156 backWeb-8876480.DDE Server WindowTitle: DDE Server Window
280 csinsmNT.exe Title: CleanSweep Smart Sweep/Internet Sweep
288 EasyShare.exe Title:
316 backWeb-7288971.Kodak Software Updater AgentTitle: Kodak Software Updater Agent
500 PGPtray.exe Title: PGPtray_Hidden_Window
1316 vsaccess.exe Title: UMAX VistaAccess
2876 winmysqladmin.exeTitle: e
3052 mysqld-nt.exe Svcs: MySql
2556 cidaemon.exe Title: OleMainThreadWndName
3224 OUTLOOK.EXE Title: Inbox - Microsoft Outlook
1956 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3840 ntvdm.exe
3404 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="apitrap.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D47EE9D3-9A60-4F27-81C5-5EC8A0DF62E8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{3B16C8B3-1CF5-4321-A1C3-C6CCC795D825}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{3B16C8B3-1CF5-4321-A1C3-C6CCC795D825}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»ACLs list:
C:\junk BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
OWNER-GE9LRFQ1B\Tim Arnold:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Tue May 25 12:53:29 2004 -- ++Find-All 'Windows'.hiv list:
A C:\find\Find-All\winBackup.hiv
A C:\find\Find-All\windows.txt
A C:\FindallwinBackup.hiv

***Next Registry run should this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



Edited by timbo, 25 May 2004 - 07:11 AM.


#6 freeatlast (Retired Staff, 833 posts)

Posted 25 May 2004 - 07:06 AM

Go to Start>search, type:
apitrap.dll

When/if found, RightClick on the found file, and
from Windows explorer's context menu, conveniently
select the "properties" menu, which will/should present
more info about the nature of the file, its exact
location, and the company.

Follow the next step above and post the log.

P.S.
If I were you, I'd plug apitrap.dll to Google's search and consider dumping it... :ph34r:

#7 freeatlast (Retired Staff, 833 posts)

Posted 25 May 2004 - 07:13 AM

Thanks, you have a delicate problem there...
Because of CleanSweep's apitrap.dll,
your villain (hidden) file may be lurking elsewhere.

Inside the 'Find-All' folder should be text file
named, 'windows.txt'.

I think you won't be able to post the characters on this
board's format.

Click on my signature and submit the 'windows.txt'
file by clicking on the 'email this' icon.

#8 timbo (Full Member, 7 posts)

Posted 25 May 2004 - 07:17 AM

apitrap.dll is signed by symantec!!!

#9 timbo (Full Member, 7 posts)

Posted 25 May 2004 - 07:30 AM

freeatlast - file sent

#10 freeatlast (Retired Staff, 833 posts)

Posted 25 May 2004 - 08:15 AM

I know apitrap.dll is symantec's product, as
mentioned part of CleanSweep!

You'd have to disable it all together.
Check in your Symantec docs for instructions.

I won't be able to~w00ps~ advise about anything to do
with 7~engines-Norton~Bloatware :ph34r: , but
instructions here pertain to old version of CS:
ftp://ftp.symantec.com/public/english_us_...tes/apitrap.txt

In any case, the presence of both
dlls in the same key *could* hide
the villain even better.

As soon as I receive your file, I'll
figure out the best course of action.

Stay put ;)

#11 freeatlast (Retired Staff, 833 posts)

Posted 25 May 2004 - 10:15 AM

I didn't receive any file.
Hopefully it was zipped; you can't paste such text.

Based on your input and facts, here are my current suggestions:
First, following Symantec's advice, find a way to disable CS.

Open reglite into the 'Windows' key.
RightClick>export, name it: "Winbackup.reg"
(keep the standard reg4 type) and save it in a
safe place like "my documents".

Next, try first to delete the "Apitrap.dll" data/value
in the AppInit_Dlls value.
Restart computer.
Rename apitrap.dll=apitrap.old in System32.

Go back to the key, and delete the
entire "AppInit_Dlls" value there.
Check if the value comes back, *empty...
--if not, you don't have the same problem!
(Wait a few hours and restore the value by Clicking on the
reg file you saved; rename back
apitrap.old as dll, restart computer!))

--If it does, that means you're infected...

Obviously you do realize that apitrap is not the
problem here, but another hidden file!
Unfortunately apitrap is using the same location,
and as opposed to its noble goals, it
just gets in the way!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@22
EDIT:
just took another look at your hijackthis
log and definitely you DON'T have the same problem!

*res://C:\WINDOWS\mrhop.dll/sp.html

This bho is in windows!
All infected users have it in System/32, etc!
Your find-all log didn't show any *locked files!

FIX:
Restart in safe mode and delete:
mrhop.dll
Run shredder in safe mode.
Run Ad-Aware6, all links in the FAQS!
Fix the lines in ht with 'res://C:\WINDOWS\mrhop.dll/sp.html , etc, reset home page to defaults, thats it!

Good luck!

Edited by freeatlast, 25 May 2004 - 10:26 AM.

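The diagnosis in this post rests on signals that can be checked mechanically from the two logs in the thread: every R0/R1 search and start page entry points at a res:// URL inside a DLL, the same DLL is registered as a nameless BHO, and the AppInit_DLLs value carries only the CleanSweep component, which still has to be checked by hand. The script below is an added example written for this page, not code from the thread, from HijackThis or from Find-All. It parses a constructed log fragment in the same shape as the one in post #1 and a REGEDIT4 fragment like the Find-All output in post #5; the sample lines, function names and flag reasons are all constructed for the illustration.

```python
"""Triage helper for HijackThis-style logs and a REGEDIT4 export of the
'Windows' key.  Added example for this page; not part of HijackThis,
Find-All or the forum post.  Sample input below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the log in post #1 (a subset of lines).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {B27A7FD6-FFF8-465A-93CD-C98E4F4D0AAD} - C:\WINDOWS\mrhop.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
"""

# Constructed sample in the shape of the Find-All REGEDIT4 output in post #5.
SAMPLE_REG_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="apitrap.dll"
"""

R_LINE = re.compile(r"^(R[01]) - (.+?) = (.+)$")          # R0/R1 start/search page lines
RES_DLL = re.compile(r"res://([^/]+\.dll)/", re.IGNORECASE)  # DLL hosting a res:// page
BHO_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
APPINIT = re.compile(r'^"AppInit_DLLs"="(.*)"$', re.MULTILINE)


def find_res_hijacks(log: str) -> List[Tuple[str, str]]:
    """Return (registry value, DLL path) for each R0/R1 line whose target is a res:// page."""
    hits = []
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        dll = RES_DLL.search(m.group(3))
        if dll:
            hits.append((m.group(2), dll.group(1)))
    return hits


def find_suspicious_bhos(log: str) -> Dict[str, str]:
    """Map CLSID -> reason for BHOs worth a second look.

    A nameless BHO on its own is not a signal (Spybot's SDHelper.dll is
    also '(no name)'), so a BHO is flagged only when its DLL is the same
    file that hosts the res:// hijack page, or when the file is missing."""
    hijack_dlls = {dll.lower() for _, dll in find_res_hijacks(log)}
    flagged: Dict[str, str] = {}
    for line in log.splitlines():
        m = BHO_LINE.match(line.strip())
        if not m:
            continue
        _name, clsid, path = m.groups()
        if path.lower() in hijack_dlls:
            flagged[clsid] = "same DLL as the res:// search/start page hijack"
        elif path == "(no file)":
            flagged[clsid] = "orphaned registration (no file)"
    return flagged


def parse_appinit_dlls(reg_export: str) -> List[str]:
    """Return the DLL names listed in AppInit_DLLs (space or comma separated).

    Every name returned is loaded into each GUI process, so each one should
    be located on disk and its publisher/signature checked by hand, which is
    the step that showed apitrap.dll to be Symantec's CleanSweep component."""
    m = APPINIT.search(reg_export)
    if not m:
        return []
    return [d for d in re.split(r"[ ,]+", m.group(1).strip()) if d]


def triage(log: str, reg_export: str) -> Dict[str, object]:
    """Combine the three checks into one report."""
    return {
        "res_hijacks": find_res_hijacks(log),
        "suspicious_bhos": find_suspicious_bhos(log),
        "appinit_dlls": parse_appinit_dlls(reg_export),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT_LOG, SAMPLE_REG_EXPORT).items():
        print(f"{key}: {value}")
```

On the constructed sample the report names C:\WINDOWS\mrhop.dll twice as the res:// target, flags the BHO with the same path and the orphaned "(no file)" entry while leaving the NAV Helper alone, and returns apitrap.dll as the single AppInit_DLLs entry for manual verification; that matches the conclusion of the post, where the res:// lines and mrhop.dll were the fix and apitrap.dll was left in place.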

#12 timbo (Full Member, 7 posts)

Posted 26 May 2004 - 04:46 AM

freeatlast

you are a genius - thanks, your fix worked!!!!!!!



