
about:blank and popups


This topic is locked
8 replies to this topic

#1 judochop27 (Full Member, 4 posts)

Posted 25 May 2004 - 02:32 AM

My IE browser is constantly getting hijacked. I get taken to Coolwebsearch pages and get a lot of popups. My homepage changes to About:Blank all the time.
Running CWShredder and Ad-aware temporarily solve the problem, but running Internet Explorer for a bit always brings the problems back. Spybot S&D doesn't really find anything. When I try to update CWShredder, the attempt at the first site always fails, and the second one works.

Below is my log file from HijackThis

Logfile of HijackThis v1.97.7
Scan saved at 11:36:32 AM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SERVICES.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\BHODemon\BHODemon.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: load=C:\WINDOWS\SERVICES.EXE
F1 - win.ini: run=C:\WINDOWS\SERVICES.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [avicap32] C:\WINDOWS\System32\avicap32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinter...up/RiffLick.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab


Any help is appreciated, thanks.
-jim

#2 freeatlast (Retired Staff, 833 posts)

Posted 25 May 2004 - 02:53 AM

You have a few problems there!
I suggest you restart in Safe Mode and have HijackThis 'fix checked' all of the following:


F1 - win.ini: load=C:\WINDOWS\SERVICES.EXE
F1 - win.ini: run=C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab


In Add/remove programs, uninstall: 'P2P Networking'
Then, delete:
C:\WINDOWS\System32\P2P Networking <- folder
C:\WINDOWS\SERVICES.EXE <- virus!
**Only from that location! (Don't confuse it with 'services.exe' in System32, which is a legitimate file!)

Details:
http://www.sophos.co...rojlegmire.html

When done with the above, download and *UNzip:
http://freeatlast.10...om/Find-All.zip

DoubleClick on the "Find-All.cmd" file,
follow instructions and post the log!

Edited by freeatlast, 25 May 2004 - 03:29 AM.

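The reasoning freeatlast applies above (a `services.exe` living outside System32, win.ini load=/run= hooks, res:// search pages inside a local DLL, an IE Control Panel policy, and the two named ActiveX controls) can be written down as a small triage pass over a HijackThis log. The Python below is an added example, not code from the thread or from HijackThis; its sample lines are a constructed subset of the log in post #1, and the CLSID and program-name lists are taken only from what this thread flags.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the HijackThis v1.97.7 entries posted above, mixing the
# lines the helper told the poster to fix with benign entries that should pass untouched.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: load=C:\WINDOWS\SERVICES.EXE
F1 - win.ini: run=C:\WINDOWS\SERVICES.EXE
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
"""

# The two O16 (Downloaded Program Files) CLSIDs the helper flagged in this thread.
FLAGGED_O16_CLSIDS = {
    "{75D1F3B2-2A21-11D7-97B9-0010DC2A6243}",  # SecureLogin.SecureControl
    "{9EB320CE-BE1D-4304-A081-4B4665414BEF}",  # MediaTicketsInstaller Control
}

# O4 autostart names the helper said to uninstall (from this thread).
UNWANTED_RUN_NAMES = {"P2P Networking"}

# Folders where a file called services.exe legitimately lives on Windows XP / 2000.
SYSTEM_DIRS = ("\\windows\\system32", "\\winnt\\system32")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]*?services\.exe', re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why a defender should look at this entry
    line: str     # the original log line


def misplaced_services_exe(body: str) -> Optional[str]:
    """Return a services.exe path that is *not* in System32, or None."""
    for path in PATH_RE.findall(body):
        folder = path.lower().rsplit("\\", 1)[0]
        if not folder.endswith(SYSTEM_DIRS):
            return path
    return None


def classify(line: str) -> Optional[Finding]:
    """Apply the thread's triage reasoning to one log line; the first matching rule wins."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, blank line or "Running processes" entry
    section, body = m.group("section"), m.group("body")

    if section in ("R0", "R1") and "res://" in body and "(obfuscated)" in body:
        return Finding(section, "IE search/start page points into a local DLL via res:// (CWS-style hijack)", line)
    if section == "F1" and re.search(r"win\.ini:\s*(load|run)=\S", body):
        return Finding(section, "win.ini load=/run= autostart set; legacy hook that normal XP software does not use", line)
    path = misplaced_services_exe(body)
    if path:
        return Finding(section, f"services.exe outside System32 ({path}); name mimics the real service controller", line)
    if section == "O4":
        name = RUN_NAME_RE.search(body)
        if name and name.group("name") in UNWANTED_RUN_NAMES:
            return Finding(section, f"autostart for known unwanted bundle '{name.group('name')}'", line)
    if section == "O6" and "Control Panel" in body:
        return Finding(section, "IE Control Panel policy present; locks the user out of changing home/search settings", line)
    if section == "O16":
        guid = GUID_RE.search(body)
        if guid and guid.group(0).upper() in FLAGGED_O16_CLSIDS:
            return Finding(section, "ActiveX control flagged in this thread", line)
    return None


def triage(log_text: str) -> list:
    """Return the findings for every line of a HijackThis log, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Only entries in `Section - body` form are examined, so the `Running processes:` block of the log is skipped; the same `C:\WINDOWS\SERVICES.EXE` shows up there too and is caught through its O4 and F1 entries.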

#3 judochop27 (Full Member, 4 posts)

Posted 25 May 2004 - 04:25 AM

I followed your directions, except there was not a C:\WINDOWS\System32\P2P Networking folder.

Here's the FIND-ALL log
thanks

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Tue May 25 02:19:53 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (4440:EAC2) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 40 534 151 168 [38G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q810847;Q818529;Q813951;Q330994;Q822925;Q828750;Q832894;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"YPC 3.0.3"="Yahoo! Parental Controls"


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:


»»PC uptime:
2:19am up 0 days, 0:07

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
572 SMSS.EXE
640 CSRSS.EXE Title:
664 WINLOGON.EXE Title: NetDDE Agent
728 SERVICES.EXE Svcs: Eventlog,PlugPlay
740 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
952 SVCHOST.EXE Svcs: RpcSs
1076 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,
eclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upload
gr,w32time,w
1292 SVCHOST.EXE Svcs: Dnscache
1356 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1500 SPOOLSV.EXE Svcs: Spooler
328 EXPLORER.EXE Title: Program Manager
488 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
500 DSentry.exe Title: DVDSentry
516 conmgr.exe Title: Connection Manager
544 Support.exe Title: Support
552 hpztsb05.exe Title:
564 hphmon04.exe Title: HP Photosmart Printer Series
608 hpgs2wnd.exe Title: HPGS2WND_WINDOW
764 Directcd.exe Title: DirectCD
340 ybrwicon.exe Title:
844 Navapw32.exe Title: Norton AntiVirus
1040 qttask.exe Title: QTPlayer Tray Icon
1048 iTunesHelper.exeiTunes HelperTitle: iTunes Helper
1092 CISVC.EXE Svcs: CiSvc
1096 realsched.exe Title: Notification Wnd for RNAdmin
1320 MSMSGS.EXE Title:
1384 aim.exe Title: Sign On
1440 NotifyAlert.exe Title: WindowsFormsParkingWindow
1596 ycommon.exe Title: OleMainThreadWndName
1608 hpgs2wnf.exe Title: OleMainThreadWndName
1740 DLG.exe Title: Digital Line Detection
1744 dcfssvc.exe Svcs: Dcfssvc
1904 BHODemon.exe Title: BHODemon
1944 gearsec.exe Svcs: GEARSecurity
176 Navapsvc.exe Svcs: navapsvc
248 nvsvc32.exe Svcs: NVSvc
2124 hphipm11.exe Svcs: Pml Driver HPH11
2160 iPodService.exe Svcs: iPodService
3408 wuauclt.exe Title: Auto Update Client Window
1940 Filzip.exe Title: Filzip
3152 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
3212 NTVDM.EXE
3504 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»ACLs list:
C:\junk BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
MARY\Jim:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:) GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:) FILE_WRITE_DATA


ERROR: There are no more files.
»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Tue May 25 02:19:58 2004 -- ++Find-All 'Windows'.hiv list:
A C:\DOCUME~1\Jim\Desktop\Find-All\winBackup.hiv
A C:\DOCUME~1\Jim\Desktop\Find-All\windows.txt
A C:\FindallwinBackup.hiv


#4 freeatlast (Retired Staff, 833 posts)

Posted 25 May 2004 - 06:20 AM

Ok.

Download the 'Find-All' again!
I just updated it to include something else.

You don't have to run the whole thing again, simply
-DoubleClick on the included "LastKey.reg" file,
hit 'Yes' on the prompt!

It should set your registry to open directly on this key:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Go to Start/run/type:
regedit
The registry should open with the Windows subfolder highlighted.
(*Compare and be sure the path on the status bar is the same as indicated above!)

-RightClick on the Windows Subfolder,
And rename Windows as Windows1

-Locate "AppInit_DLLs" value on the right
pane, RightClick it and select 'delete'

-Select Windows1 on the left pane again and rename it back to its original name, Windows

-Use top regedit's menu view->refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

-Close regedit, *restart computer!

--Navigate to the System32 folder, search for the System32\CTL.DLL file, highlight it
and use the folder's top menu
option : "Edit-> Move to folder..."
Browse to and select: C:\junk folder.
(It was created during first 'Find-All' run)
'ok' it.

--Re-run Find-All.cmd and post fresh output!

#5 judochop27 (Full Member, 4 posts)

Posted 25 May 2004 - 01:47 PM

Cool, I did everything, here's the Find-All output


--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Tue May 25 11:42:31 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (4440:EAC2) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 40 500 158 464 [38G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q810847;Q818529;Q813951;Q330994;Q822925;Q828750;Q832894;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"YPC 3.0.3"="Yahoo! Parental Controls"


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:


»»PC uptime:
11:42am up 0 days, 0:13

»»Locked or 'Suspect' file(s) found...
* result\\?\C:\junk\CTL.DLL


»»Tasks (services):
0 System Process
4 System
572 SMSS.EXE
640 CSRSS.EXE Title:
664 WINLOGON.EXE Title: NetDDE Agent
708 SERVICES.EXE Svcs: Eventlog,PlugPlay
720 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
892 SVCHOST.EXE Svcs: RpcSs
1004 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,
eclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upload
gr,w32time,w
1228 SVCHOST.EXE Svcs: Dnscache
1240 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1376 SPOOLSV.EXE Svcs: Spooler
164 EXPLORER.EXE Title: Program Manager
248 CISVC.EXE Svcs: CiSvc
292 dcfssvc.exe Svcs: Dcfssvc
316 gearsec.exe Svcs: GEARSecurity
348 Navapsvc.exe Svcs: navapsvc
416 nvsvc32.exe Svcs: NVSvc
1148 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
1152 DSentry.exe Title: DVDSentry
1140 conmgr.exe Title: Connection Manager
1180 Support.exe Title: Support
1192 hpztsb05.exe Title:
1208 hphmon04.exe Title: HP Photosmart Printer Series
1236 hpgs2wnd.exe Title: HPGS2WND_WINDOW
1304 Directcd.exe Title: DirectCD
1324 ybrwicon.exe Title:
1260 NotifyAlert.exe Title: WindowsFormsParkingWindow
1156 Navapw32.exe Title: Norton AntiVirus
1464 qttask.exe Title: QTPlayer Tray Icon
1472 iTunesHelper.exeiTunes HelperTitle: iTunes Helper
1484 realsched.exe Title: Notification Wnd for RNAdmin
1520 MSMSGS.EXE Title:
1528 aim.exe Title: Sign On
1588 ycommon.exe Title: OleMainThreadWndName
1716 hpgs2wnf.exe Title: OleMainThreadWndName
1744 DLG.exe Title: Digital Line Detection
1828 BHODemon.exe Title: BHODemon
960 iPodService.exe Svcs: iPodService
792 hphipm11.exe Svcs: Pml Driver HPH11
2728 wuauclt.exe Title: Auto Update Client Window
3744 CIDAEMON.EXE
3764 CIDAEMON.EXE Title: OleMainThreadWndName
4048 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
4076 NTVDM.EXE
2368 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access MARY\Jim
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access MARY\Jim


»»ACLs list:
C:\junk BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
MARY\Jim:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:) GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:) FILE_WRITE_DATA


C:\junk\ctl.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
MARY\Jim:F
BUILTIN\Users:R


»»Contents of file(s) in 'junk' folder:
ctl.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

c185b36f9969d3a6d2122ba7cbc02249 ctl.dll

57344 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:
File: <C:\junk\ctl.dll> Size-32 : 0000E000 CRC-32 : D5C9FB2E GHash-32-5 : 26115E2D GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488 E89EDB26 3B623462 HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595 AAEF452A 3CD2FAB3 MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249 SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436 199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135 C8BECB6F 2DB242DA 5945C134 A7E3D9B9
Tue May 25 11:42:34 2004 -- ++Find-All 'Windows'.hiv list:
A C:\DOCUME~1\Jim\Desktop\Find-All\winBackup.hiv
A C:\DOCUME~1\Jim\Desktop\Find-All\windows.txt
A C:\FindallwinBackup.hiv
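The check freeatlast asks for in post #4 (that the `AppInit_DLLs` value is really gone from the Windows key) can be made against the REGEDIT4 dump that Find-All prints instead of by eye. This Python is an added example, not part of the thread or of Find-All: the "before" and "after" dumps are trimmed from the two outputs posted above, and the third case with `example.dll` is a constructed hypothetical showing what a populated value would look like.

```python
import re
from typing import Dict, Optional

# Every process that loads user32.dll also loads the DLLs named in this value,
# which is why the helper wanted it verified gone after the regedit steps.
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed from the Find-All output posted above: the key as dumped before the
# fix (value present but empty) and after the fix (value gone).
BEFORE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"""

AFTER = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"""

# Constructed hypothetical: a DLL path in the value (note the .reg-style doubled
# backslashes), the state a defender most needs to notice.
LOADED = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\example.dll"
"""

VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<value>.*)$')


def parse_regedit4(dump: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 text export into {key_path: {value_name: raw_value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            keys[current][name] = m.group("value")
    return keys


def unquote(raw: str) -> str:
    """Strip the quotes of a REG_SZ value and undo the .reg backslash doubling."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def appinit_dlls_state(dump: str, key: str = WINDOWS_KEY) -> str:
    """Report 'key missing', 'absent', 'empty' or 'set: <value>' for AppInit_DLLs."""
    values = parse_regedit4(dump).get(key)
    if values is None:
        return "key missing"
    if "AppInit_DLLs" not in values:
        return "absent"
    value = unquote(values["AppInit_DLLs"])
    return "empty" if value == "" else f"set: {value}"


if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER), ("hypothetical", LOADED)):
        print(f"{label:>12}: {appinit_dlls_state(dump)}")
```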


#6 freeatlast (Retired Staff, 833 posts)

Posted 25 May 2004 - 02:28 PM

Wonderful! ;)

Next,
Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/Silently do this:
*Restore your key &Security
back to defaults
*Reset permissions on the junk\*.dll moved file
*Create zipped copy in the same folder: "junk.zip"
*Open your email client with given address for submission!

--Drag the 'junk.zip' and submit the attachment to the specified address! Thanks ;)

When done, Delete the "junk.zip"
as well as the "junk" folder in
C:\

--Re-run Find-All.cmd and post fresh output!

#7 judochop27 (Full Member, 4 posts)

Posted 25 May 2004 - 08:02 PM

Ok, did that. Here's the output

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Tue May 25 18:00:40 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (4440:EAC2) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 40 488 202 240 [38G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q810847;Q818529;Q813951;Q330994;Q822925;Q828750;Q832894;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"YPC 3.0.3"="Yahoo! Parental Controls"


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:


»»PC uptime:
6:00pm up 0 days, 0:13

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
576 SMSS.EXE
644 CSRSS.EXE Title:
668 WINLOGON.EXE Title: NetDDE Agent
712 SERVICES.EXE Svcs: Eventlog,PlugPlay
724 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
912 SVCHOST.EXE Svcs: RpcSs
1012 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclo
on,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,w
2time,winmgm
1232 SVCHOST.EXE Svcs: Dnscache
1296 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1412 SPOOLSV.EXE Svcs: Spooler
1968 CISVC.EXE Svcs: CiSvc
1984 dcfssvc.exe Svcs: Dcfssvc
2008 gearsec.exe Svcs: GEARSecurity
2044 Navapsvc.exe Svcs: navapsvc
164 nvsvc32.exe Svcs: NVSvc
1268 EXPLORER.EXE Title: Program Manager
1552 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
1564 DSentry.exe Title: DVDSentry
1572 conmgr.exe Title: Connection Manager
1604 hpztsb05.exe Title:
1612 hphmon04.exe Title: HP Photosmart Printer Series
1628 hpgs2wnd.exe Title: HPGS2WND_WINDOW
1636 Directcd.exe Title: DirectCD
1644 NotifyAlert.exe Title: WindowsFormsParkingWindow
1656 ybrwicon.exe Title:
1680 Navapw32.exe Title: Norton AntiVirus
1712 qttask.exe Title: QTPlayer Tray Icon
1720 iTunesHelper.exeiTunes HelperTitle: iTunes Helper
1740 realsched.exe Title: Notification Wnd for RNAdmin
1772 MSMSGS.EXE Title:
1788 ycommon.exe Title: OleMainThreadWndName
1800 aim.exe Title: Sign On
1804 hpgs2wnf.exe Title: OleMainThreadWndName
464 iPodService.exe Svcs: iPodService
648 DLG.exe Title: Digital Line Detection
728 BHODemon.exe Title: BHODemon
1624 hphipm11.exe Svcs: Pml Driver HPH11
2808 wuauclt.exe Title: Auto Update Client Window
3956 ybrowser.exe Title: SWI Forums -> about:blank and popups
2580 CIDAEMON.EXE
2368 CIDAEMON.EXE Title: OleMainThreadWndName
3064 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
3060 NTVDM.EXE
3624 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»ACLs list:
C:\junk BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
MARY\Jim:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:) GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:) FILE_WRITE_DATA


ERROR: There are no more files.
»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Tue May 25 18:00:44 2004 -- ++Find-All 'Windows'.hiv list:
A C:\DOCUME~1\Jim\Desktop\Find-All\winBackup.hiv
A C:\DOCUME~1\Jim\Desktop\Find-All\windows.txt
A C:\FindallwinBackup.hiv


#8 freeatlast (Retired Staff, 833 posts)

Posted 26 May 2004 - 05:24 AM

Perfect, you're all set! ;)

Rescan With Ad-Aware now, make sure to run full
system scan and apply latest updates first!
(reference file (01R310 23.05.2004) )

Then re-run Shredder.
Reset your preferred home page when done.

Good luck!

#9 cnm (Administrators, 25,317 posts)

Posted 01 June 2004 - 10:58 AM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
