CWS about:blank keeps coming back


51 replies to this topic

#1 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 25 May 2004 - 08:50 PM

My homepage has been hijacked to some search engine in the .cc domain and I get a popup offering to install a spyware remover. I assume this is the CoolWebSearch hijacker frequently seen here. I tried Ad-aware 6 with the latest ref file and it gets to a clean log after two scan-and-reboot sequences, but the home page gets rehijacked (I think after any search from the address bar in IE). Been like this for about a week. I've been very careful to set the full scan options Lavasoft recommended.

Also tried spybot and cwshredder. I don't think I let spybot do everything it
wanted as it was going to delete some stuff I knew was legit.

Random named files (like \WINNT\system32\eofe.dll/sp.html) keep showing
up in the registry.


Logfile of HijackThis v1.97.7
Scan saved at 5:59:28 PM, on 5/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\ec27ser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\HpMmKbd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Motive\motmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\system32\omwipe32.exe
C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
*.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net
*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;
6.47.96.73;16.47.96.79;
;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;sygate35.apps.hp.com;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/
O16 - DPF: HPVC component - http://vrm10.win2000...onent401131.cab
O16 - DPF: HPVC resources - http://vrm10.win2000...ources40147.cab
O16 - DPF: HPVC signed - http://vrm10.win2000...signed40139.cab
O16 - DPF: HPVC support - http://vrm10.win2000...support4016.cab
O16 - DPF: HPVC vminfo - http://vrm10.win2000...ents/vminfo.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win200...c/HPPptDrop.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

Edited by AmazingRich, 25 May 2004 - 10:33 PM.


#2 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 25 May 2004 - 10:35 PM

I added some newlines to the logfile listing to keep it readable. They're all in ProxyOverride.

#3 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 26 May 2004 - 09:42 AM

BTW, has anyone figured out how the reinstall is being done? Should I just have HJT delete all the system32/eofe.dll/sp.html lines? I've gotten the impression from others that either they won't delete with HJT, or they come back again.

#4 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 26 May 2004 - 01:11 PM

about:blank is still coming back. New log follows...

Logfile of HijackThis v1.97.7
Scan saved at 11:08:34 AM, on 5/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\ec27ser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\Motive\motmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\system32\omwipe32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net
*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;
6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;sygate35.apps.hp.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9D1A8D99-AC1D-45A6-AB76-3ADAD06F03E1} - C:\WINNT\system32\cnm.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/
O16 - DPF: HPVC component - http://vrm10.win2000...onent401131.cab
O16 - DPF: HPVC resources - http://vrm10.win2000...ources40147.cab
O16 - DPF: HPVC signed - http://vrm10.win2000...signed40139.cab
O16 - DPF: HPVC support - http://vrm10.win2000...support4016.cab
O16 - DPF: HPVC vminfo - http://vrm10.win2000...ents/vminfo.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win200...c/HPPptDrop.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
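The two logs above show the pattern this thread is about: IE's Search Bar, Search Page and SearchAssistant values pointed at res://<random name>.dll/sp.html under system32, an unnamed BHO loading that same DLL, and a second BHO whose file is already gone. As an added example (not from the thread, from HijackThis, or from any tool mentioned here), the following Python rule set reads HijackThis 1.97-format lines and flags exactly those features. The sample log embedded in it is constructed from entries modelled on the posted logs; the rule names and the "short lowercase DLL name directly in system32" heuristic are the example's own assumptions, not something HijackThis does.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example: a few detection rules over HijackThis 1.97-format lines for the
# CWS "about:blank" pattern seen in this thread. Not part of HijackThis or of the
# thread; rule names and the "random short name in system32" heuristic are this
# example's own. The sample log below is constructed from entries modelled on the
# posted logs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9D1A8D99-AC1D-45A6-AB76-3ADAD06F03E1} - C:\WINNT\system32\cnm.dll
O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""


@dataclass
class Finding:
    kind: str    # which rule fired
    detail: str  # the DLL path, CLSID or registry value the rule keyed on
    line: str    # the HijackThis line, verbatim


# res://<dll>/... in an R0/R1 entry: IE search settings served out of a DLL resource.
RES_DLL = re.compile(r"res://([^/\s]+\.dll)/", re.IGNORECASE)
# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?: \((?P<flag>file missing)\))?$"
)
# Heuristic (this example's assumption): a 2-8 letter lowercase DLL name directly
# in system32, like the eofe.dll / cnm.dll / nhp.dll names seen in the thread.
RANDOM_SYSTEM32_DLL = re.compile(r"[\\/]system32[\\/][a-z]{2,8}\.dll$")


def analyze_hjt(log_text: str) -> list[Finding]:
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]

    # Pass 1: collect DLLs that the R0/R1 search/start entries point at via res://,
    # so BHO lines can be cross-referenced regardless of section order.
    hijack_dlls = set()
    for line in lines:
        if line.startswith(("R0 - ", "R1 - ")):
            m = RES_DLL.search(line)
            if m:
                hijack_dlls.add(m.group(1).lower())

    # Pass 2: per-line rules.
    findings: list[Finding] = []
    for line in lines:
        if line.startswith(("R0 - ", "R1 - ")):
            m = RES_DLL.search(line)
            if m:
                findings.append(Finding("search-hijack-res-dll", m.group(1).lower(), line))
            elif "about:blank" in line.lower():
                value_name = line.split(" = ", 1)[0][5:]
                findings.append(Finding("about-blank-r-entry", value_name, line))
        elif line.startswith("O2 - BHO:"):
            m = BHO_LINE.match(line)
            if m is None:
                continue
            path = m.group("path").lower()
            if m.group("flag"):
                findings.append(Finding("bho-file-missing", m.group("clsid"), line))
            elif path in hijack_dlls:
                # The BHO loads the same DLL that serves the hijacked search page.
                findings.append(Finding("bho-hosts-hijack-page", path, line))
            elif RANDOM_SYSTEM32_DLL.search(path):
                findings.append(Finding("bho-random-name-in-system32", path, line))
        elif line.startswith("O6 - "):
            findings.append(Finding("ie-policy-restriction", line[5:], line))
    return findings


def implicated_dlls(log_text: str) -> list[str]:
    """DLL paths that are still on disk and should be the focus of removal."""
    live = {"search-hijack-res-dll", "bho-hosts-hijack-page", "bho-random-name-in-system32"}
    return sorted({f.detail for f in analyze_hjt(log_text) if f.kind in live})


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_LOG):
        print(f"{f.kind:30} {f.detail}")
    print("implicated:", implicated_dlls(SAMPLE_LOG))
```

Run against the sample, the rules report the two res:// entries, the about:blank HomeOldSP value, the BHO that loads cnm.dll, the BHO whose ajknnp.dll is missing, and the O6 policy key, and implicated_dlls() narrows that to the one DLL still present. The Adobe and Google entries produce nothing, which is the point of cross-referencing the BHO path against the res:// DLL rather than flagging every unnamed BHO.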

#5 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 26 May 2004 - 03:45 PM

I'm not complaining, just wondering whether I missed something important about how to get help. I posted my log yesterday and I haven't seen any responses. I've seen others here that get help right away. Was I supposed to do something else to get help?

#6 Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • 1,757 posts

Posted 26 May 2004 - 03:46 PM

Please post a reply in your earlier thread to "bump" it to the top of the list.

Mods, please merge this thread with his previous one.
Signature file is under revision. This will be back shortly.

#7 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 26 May 2004 - 03:54 PM

Bump

#8 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 26 May 2004 - 05:50 PM

bump

#9 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 26 May 2004 - 09:18 PM

So this was probably a mistake, but I ran dllfix and told it to "enter fix menu" and "let program search for it". It continuously prints out "Error: The system was unable to find the specified registry key or value". I need to turn the computer off and go home. If I do that, will it mess anything up?

#10 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 26 May 2004 - 11:02 PM

Do Ctrl-Alt-Del and then Shutdown, if possible.
But powering off won't usually do any harm.

Your log is wild! I will see if we can get an expert to have a look.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#11 Subratam

    Silent Assasinator

  • Retired Staff
  • 284 posts

Posted 26 May 2004 - 11:14 PM

Hi there,

Let's start afresh. Let's follow the process below as it is said. Go slow and follow the instructions. We need a Find-All log, and the instructions below say how we can get it.

Download this file from http://downloads.sub....org/dllfix.exe or http://tools.zerosrealm.com/dllfix.exe.

Preferably to Desktop. Double-click on it; being a self-extractor, it will create its own folder. Run Start.Bat from there. Run Option 1, which is "Run Find-All...". Let it complete and there will be a pop-up window with a log.
Post that log here.

[ Tutorial - http://forums.subrat...p?showtopic=583 with screenshots for better understanding. Follow upto step 5 ]


Regards and Good luck

Edited by Subratam, 26 May 2004 - 11:33 PM.

http://blog.emsisoft.com
www.Emsisoft.com

#12 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 27 May 2004 - 12:12 AM

HELP!! I'm desperate!

Before I run dllfix again and have it overwrite backup.hiv I've got to fix up my registry.

When I ran it before it got stuck trying to restore a hiv to "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows". This was after saving it off and deleting the original registry entry. Now I'm pretty sure that the registry entry is screwed up. It only has Appinit_Dlls, I think there should be more as it is looking for USERProcessHandleQuota later in the batch file. I tried restoring from the hiv but I get "Error: The system was unable to find the specified registry key or value".

What do I do? How do I fix up the registry and what does that key do? I'm afraid to reboot the system.

#13 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 27 May 2004 - 01:45 AM

Help please

#14 Subratam

    Silent Assasinator

  • Retired Staff
  • 284 posts

Posted 27 May 2004 - 02:21 AM

Please do the steps I said just above. Download the file and do as stated. Just for your information, we have tested dllfix on our machines, myself included. It won't screw up your registry. Just follow the right steps, and if you cannot understand, follow the tutorial link I gave.

Regards
http://blog.emsisoft.com
www.Emsisoft.com

#15 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 27 May 2004 - 02:44 AM

Perhaps I wasn't clear. Some entries in my registry are gone, the only copy of them are in backup.hiv, I'd like to restore the registry before I worry about the hijacker and before I reboot.

I don't know about your machine, but on mine dllfix produced the same error message over and over again for a couple of hours and left HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows with just AppInit_DLLs in it. I'm pretty sure that it is supposed to have DeviceNotSelectedTimeout, GDIProcessHandleQuota, Spooler, swapdisk, TransmissionRetryTimeout, and USERProcessHandleQuota in it, which it does not.

Trying to restore the backup hive into CurrentVersion\Windows results in an error when I use the Reg program. Maybe some process is holding it open so that Reg can't do anything, I don't know.

I have been able to restore the hive into a new key "CurrentVersion\XXXWindows" with regedt32, but I haven't figured out how to do it to CurrentVersion\Windows yet.

Also I can't download anything to it (my laptop) tonight, it doesn't have an internet connection at home. I downloaded dllfix earlier today from one of the two sites you mentioned. So if I fix the registry I can run a recent copy of dllfix with option 1 as you suggest.

#16 Subratam

    Silent Assasinator

  • Retired Staff
  • 284 posts

Posted 27 May 2004 - 03:31 AM

I am looking at it and discussing with other helpers. Will get back to you.

Regards
http://blog.emsisoft.com
www.Emsisoft.com

#17 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 27 May 2004 - 07:04 AM

OK, let's get this restored. There was a slight error that may have caused this, but it should be fixed now.

Ok in order to restore a hiv you first must create the key.

Copy the following (the contents of the quote box) to Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

Hit File/Save As.

Give it the name
restore.reg

and under the name set the file type to All Files.

Save it to the desktop.
Close Notepad. After that's done, double-click restore.reg.

When asked to merge, say yes.
That will put back the key.

OK, in order to restore the hiv,
you can put this in a .bat file and put it in the same folder as backup.hiv:

Reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" backup.hiv


Again, copy to Notepad,
File/Save As
restore.bat,
file type to All Files,
save it to where backup.hiv is.

Double-click it to restore the hiv.
Warning: this may put the infected file back in play.


That should bring everything back.

Let me know if more problems.
If you decided to try dllfix again please download a fresh copy of it.

Edited by shadowwar, 27 May 2004 - 07:07 AM.




#18 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 27 May 2004 - 11:17 AM

Thanks for your help Shadowwar. Late last night I had restored the hive to XXXWindows and used it as a guide to recreate the registry entries by hand under Windows. My values now look like the ones in your first quote. I think the only thing that might still be wrong would be the permissions as I don't know what they should be set to. At this point should I:

Try to restore the hive to set the permissions correctly? Note that I tried your second quoted line (but before creating Spooler, etc by hand) and got errors so it may not work if I try it now.

Or should I try to fix the permissions by looking at XXXWindows and attempting to duplicate them by hand in Windows?

Or should I use the ACL listing from a run of dllfix option 1 that I did a day or so ago?

I need to go into work to hook the infected computer to the internet and pick up a new dllfix. I'll report back afterward.

#19 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 27 May 2004 - 12:36 PM

OK, well, the hiv restore will restore the permissions to the correct settings,
but may restore the infected AppInit value too.
The best bet would be to restore the permissions by hand, from the log from a day or two ago.

Basically you have to uncheck Inherited. Click Copy.
Remove your name.


#20 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 27 May 2004 - 03:43 PM

Shadowwar,

Rats, output.txt got overwritten. So I've lost the permissions from before the registry got changed. This is what they were before I unchecked inherited and clicked copy:

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

I tried restoring the hive, but I still get "Error: The system was unable to find the specified registry key or value". So I unchecked inherited and clicked copy. My name shows up in three places, under administrator, power users and users. Should I remove my name under users?

#21 AmazingRich

    Member

  • Full Member
  • 45 posts

Posted 27 May 2004 - 07:40 PM

I'm not sure if the registry permissions are right or not. I did a dllfix and here is the log. It didn't find any locked or suspect files.

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Thu 05/27/2004
5:29p

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "E-Client" (E4D0:E84A) - FS:NTFS clusters:512
Total: 19 980 656 128 [19G] - Free: 3 142 786 048 [2.9G]


*IE version and Service packs:
5.51.4807.2300 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP2;Q832894;Q837009;

*Google Toolbar version and Attributes:
2.0.111.0 C:\Program Files\google\googletoolbar1.dll
Defaults: "A" ;"R"
File not found - C:\Program Files\google\googletoolbar2.dll
A R C:\Program Files\google\GoogleToolbar1.dll

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Hewlett-Packard IE5.5-SP2"="IEAKHewlett-Packard"


*Wmplayer version:
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
5:29pm up 0 days, 0:17
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
201e0 1108 norm SysFader
10100 1640 norm VOLUME
100e4 1108 norm Fax Monitor
10042 1108 norm _Shell_TrayWnd
10018 220 high NetDDE Agent
1020a 1304 norm C:\WINNT\system32\cmd.exe
60140 1108 norm dllfix
101f8 1108 norm DDE Server Window
10122 1444 norm Adaptec Create CD
20156 408 norm Sygate Security Agent
10190 408 norm Log Viewer
2015a 1560 norm HpqCameraDetectMonitor
3013a 1708 norm HP Photosmart Printer Series
40108 1676 norm About WinZip Quick Pick
1011a 1684 norm Adaptec DirectCD Wizard
10110 1740 norm Symantec AntiVirus Corporate Edition
30104 1700 norm HPGS2WND_WINDOW
200e0 1536 idle motmon
100fe 1640 norm HP Extended Keyboard
100fa 1624 norm ATI Tray Icon Application
30074 1580 norm IDA Task
10086 1108 norm CSC Notifications Window
1007c 1108 norm Power Meter
10078 1108 norm Connections Tray
10076 1108 norm MS_WebcheckMonitor
4002a 1108 norm DDE Server Window
4001e 836 norm Scan
20030 836 norm ACTION
2002e 836 norm VPIPCLINK
2003a 992 norm SYSTEM AGENT COM WINDOW
10022 660 norm ATI video bios poller
70020 408 norm SS
1001a 220 high MM Notify Callback
1005a 1108 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{40F9A07A-6F2D-4352-843E-3FB6E6AE4D6C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2836ED5-FA51-4D15-B713-BECC44551997}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{330B110C-D720-4F2F-BBFC-89F87DA0E307}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{330B110C-D720-4F2F-BBFC-89F87DA0E307}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(CI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
(CI) ALLOW Read Everyone
(CI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(CI) ALLOW Full access NT AUTHORITY\SYSTEM
(CI) ALLOW Read BUILTIN\Users

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Full access BUILTIN\Administrators
Read Everyone
QWCEN-DS-- BUILTIN\Power Users
Full access NT AUTHORITY\SYSTEM
Read BUILTIN\Users




#22 AmazingRich

AmazingRich

    Member

  • Full Member
  • Pip
  • 45 posts

Posted 27 May 2004 - 07:55 PM

Shadowwar, Subratam,

I took a HJT log (scan only) after the dllfix. There is a file \WINNT\system32\nhp.dll, so even though dllfix didn't find any suspicious files, the hijacker reinstalled.


Logfile of HijackThis v1.97.7
Scan saved at 5:48:53 PM, on 5/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\ec27ser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\HpMmKbd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Motive\motmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net
*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;
6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s
gate35.apps.hp.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40F9A07A-6F2D-4352-843E-3FB6E6AE4D6C} - C:\WINNT\system32\nhp.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/
O16 - DPF: HPVC component - http://vrm10.win2000...onent401131.cab
O16 - DPF: HPVC resources - http://vrm10.win2000...ources40147.cab
O16 - DPF: HPVC signed - http://vrm10.win2000...signed40139.cab
O16 - DPF: HPVC support - http://vrm10.win2000...support4016.cab
O16 - DPF: HPVC vminfo - http://vrm10.win2000...ents/vminfo.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win200...c/HPPptDrop.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

#23 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 28 May 2004 - 07:18 AM

Well, that looks good on permissions.

Run Ad-Aware fully updated.

Please post a new Find-All log afterwards.



#24 AmazingRich

AmazingRich

    Member

  • Full Member
  • Pip
  • 45 posts

Posted 28 May 2004 - 08:22 PM

As far as I can tell dllfix looks good, but hjt still reports problems.
Here is what I've done.

Rebooted
Ran Ad-aware with latest ref file (01R311), fixed all and saved to log29
Ran dllfix find only and saved to "b"
Ran HJT scan only and saved to "7"
Rebooted
Ran dllfix find only and saved to "c"
Ran HJT scan only and saved to "8"
I saved all these logs if they're helpful.

Here is outputc.txt (after the reboot):
--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Fri 05/28/2004
5:53p

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "E-Client" (E4D0:E84A) - FS:NTFS clusters:512
Total: 19 980 656 128 [19G] - Free: 3 148 318 720 [2.9G]


*IE version and Service packs:
5.51.4807.2300 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP2;Q832894;Q837009;

*Google Toolbar version and Attributes:
2.0.111.0 C:\Program Files\google\googletoolbar1.dll
Defaults: "A" ;"R"
File not found - C:\Program Files\google\googletoolbar2.dll
A R C:\Program Files\google\GoogleToolbar1.dll

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Hewlett-Packard IE5.5-SP2"="IEAKHewlett-Packard"


*Wmplayer version:
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
5:53pm up 0 days, 0:15
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
201e0 1472 norm SysFader
100f0 1472 norm Fax Monitor
100ea 1524 norm VOLUME
2004a 1472 norm _Shell_TrayWnd
10016 196 high NetDDE Agent
7020e 1892 norm C:\WINNT\system32\cmd.exe
5014a 1472 norm dllfix
101f8 1472 norm DDE Server Window
2010a 1680 norm Adaptec Create CD
4015a 408 norm Sygate Security Agent
10192 408 norm Log Viewer
30148 1640 norm HP Photosmart Printer Series
10154 1616 norm HpqCameraDetectMonitor
20110 1700 norm About WinZip Quick Pick
1011c 1584 norm Adaptec DirectCD Wizard
1011a 1664 norm Symantec AntiVirus Corporate Edition
10108 1620 norm HPGS2WND_WINDOW
100ec 1488 idle motmon
100e8 1524 norm HP Extended Keyboard
100e2 1516 norm ATI Tray Icon Application
200de 736 norm IDA Task
10088 1472 norm CSC Notifications Window
1007e 1472 norm Power Meter
10074 1472 norm Connections Tray
10072 1472 norm MS_WebcheckMonitor
3004e 1472 norm DDE Server Window
1003c 828 norm Scan
1003a 828 norm ACTION
10038 828 norm VPIPCLINK
10034 952 norm SYSTEM AGENT COM WINDOW
10022 664 norm ATI video bios poller
70020 408 norm SS
1001a 196 high MM Notify Callback
3005c 1472 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2836ED5-FA51-4D15-B713-BECC44551997}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(CI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
(CI) ALLOW Read Everyone
(CI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(CI) ALLOW Full access NT AUTHORITY\SYSTEM
(CI) ALLOW Read BUILTIN\Users

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Full access BUILTIN\Administrators
Read Everyone
QWCEN-DS-- BUILTIN\Power Users
Full access NT AUTHORITY\SYSTEM
Read BUILTIN\Users




#25 AmazingRich

AmazingRich

    Member

  • Full Member
  • Pip
  • 45 posts

Posted 28 May 2004 - 08:25 PM

hijackthis8.log. This is after running latest ad-aware and rebooting.

Logfile of HijackThis v1.97.7
Scan saved at 5:59:28 PM, on 5/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\ec27ser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\HpMmKbd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Motive\motmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net
*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;
6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s
gate35.apps.hp.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/
O16 - DPF: HPVC component - http://vrm10.win2000...onent401131.cab
O16 - DPF: HPVC resources - http://vrm10.win2000...ources40147.cab
O16 - DPF: HPVC signed - http://vrm10.win2000...signed40139.cab
O16 - DPF: HPVC support - http://vrm10.win2000...support4016.cab
O16 - DPF: HPVC vminfo - http://vrm10.win2000...ents/vminfo.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win200...c/HPPptDrop.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

#26 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 28 May 2004 - 08:43 PM

Check and fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)

Post a new HJT log, but that should be it.



#27 AmazingRich

AmazingRich

    Member

  • Full Member
  • Pip
  • 45 posts

Posted 01 June 2004 - 01:59 PM

Shadowwar, thanks for sticking with me on this.

Checked the suggested entries in HJT and fixed them, rebooted, ran Explorer (not IE), Outlook, maybe some other stuff, all without connecting to the network. Reran HijackThis. All looked OK.
This morning I connected to the network, updated Ad-Aware to 01R312 30.05.2004, scanned, and it found about 10 problems. About 6 were the random DLL in system32, but now with a different name. I had Ad-Aware fix them, rebooted, then ran HJT. HJT still sees the same DLLs (the ones Ad-Aware claimed to fix).

Not sure where to go from here other than to point out that something is reinstalling the registry entries and nothing so far has found it.

Here is the latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 11:44:27 AM, on 6/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\ec27ser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\HpMmKbd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Motive\motmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Emacs\emacs-20.7\bin\emacs.exe
C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net
*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;
6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s
gate35.apps.hp.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/
O16 - DPF: HPVC component - http://vrm10.win2000...onent401131.cab
O16 - DPF: HPVC resources - http://vrm10.win2000...ources40147.cab
O16 - DPF: HPVC signed - http://vrm10.win2000...signed40139.cab
O16 - DPF: HPVC support - http://vrm10.win2000...support4016.cab
O16 - DPF: HPVC vminfo - http://vrm10.win2000...ents/vminfo.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win200...c/HPPptDrop.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

#28 AmazingRich

AmazingRich

    Member

  • Full Member
  • Pip
  • 45 posts

Posted 02 June 2004 - 05:14 PM

Tried the latest dllfix and now it's looping forever. For some reason regedit isn't able to delete the Windows key... hold on. When I go into regedit32 and delete the Windows key it comes right back!! Weird. Does that mean it isn't really being deleted, or that something is putting it right back?

#29 AmazingRich

AmazingRich

    Member

  • Full Member
  • Pip
  • 45 posts

Posted 02 June 2004 - 05:24 PM

Ah ha! Something is adding the AppInit_DLLs back. I can add and delete other entries in Windows (such as DeviceNotSelectedTimeout), but if I delete Windows or AppInit_DLLs it doesn't go away.

#30 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 02 June 2004 - 05:36 PM

Whoa. It's putting the whole key back? If you rename Windows to something like notwindows, does Windows come back?
Do you have your Windows CD?



#31 AmazingRich

AmazingRich

    Member

  • Full Member
  • Pip
  • 45 posts

Posted 02 June 2004 - 06:43 PM

OK, let's try that. When I rename Windows to WindowsZZZ and refresh, there is a new Windows with just AppInit_DLLs and a WindowsZZZ with the usual seven keys.
[edit: no, I don't have the CD; the system was installed by the IT department]

Edited by AmazingRich, 02 June 2004 - 06:44 PM.

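As an added example (not from this thread, HijackThis or Find-All), the following Python checker flags the kinds of entries shadowwar asks to be fixed in #26 (res:// search pages inside a DLL, no-name BHOs living in system32 or with their file missing, IE policy restrictions) and a non-empty AppInit_DLLs value in a Find-All REGEDIT4 export, the value behind the key that keeps reappearing in #29 and #31. The sample lines are constructed from the logs above; `placeholder.dll` is a made-up name standing in for whatever random DLL the hijacker drops.

```python
"""Flag CoolWebSearch-style indicators in HijackThis / Find-All log lines."""
import re
from dataclasses import dataclass

# Constructed sample: HijackThis 1.97-format lines modelled on this thread,
# followed by the REGEDIT4 export of the Windows key that Find-All prints.
# The AppInit_DLLs data is hypothetical; the page's own export showed "".
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40F9A07A-6F2D-4352-843E-3FB6E6AE4D6C} - C:\WINNT\system32\nhp.dll
O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\placeholder.dll"
"DeviceNotSelectedTimeout"="15"
'''

# A search/start page served out of a DLL resource: IE renders it, but the
# "page" is really code living in system32 (HijackThis marks it "obfuscated").
RES_DLL = re.compile(r"res://(?P<path>\S+?\.dll)/\S+", re.IGNORECASE)
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O6_LINE = re.compile(r"^O6 - (?P<key>.+) present$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
SYSTEM_DIR = re.compile(r"\\(system32|system)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    line: str
    dll: str = ""  # basename of the DLL the entry points at, if any


def dll_name(path: str) -> str:
    """Basename of a Windows path, dropping a trailing ' (file missing)'."""
    base = path.strip().split("\\")[-1]
    return base.split(" ")[0].lower()


def scan_lines(lines) -> list:
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            res = RES_DLL.search(m["data"])
            if res:
                findings.append(Finding("search-hijack", line, dll_name(res["path"])))
            elif m["value"].strip() == "HomeOldSP" and m["data"].strip() == "about:blank":
                # The saved "old" start page is about:blank: the hijack replaced it.
                findings.append(Finding("home-about-blank", line))
            continue
        m = BHO_LINE.match(line)
        if m:
            path = m["path"]
            if "(file missing)" in path:
                findings.append(Finding("bho-missing-file", line, dll_name(path)))
            elif m["name"] == "(no name)" and SYSTEM_DIR.search(path):
                # Legitimate BHOs (Acrobat, Google) live under Program Files;
                # a nameless one dropped into system32 is the hijacker's own.
                findings.append(Finding("bho-in-system-dir", line, dll_name(path)))
            continue
        if O6_LINE.match(line):
            findings.append(Finding("ie-policy-restriction", line))
            continue
        m = REG_VALUE.match(line)
        if m and m["name"] == "AppInit_DLLs" and m["data"]:
            # .reg exports double the backslashes; undo that before taking the name.
            clean = m["data"].replace("\\\\", "\\")
            findings.append(Finding("appinit-dll", line, dll_name(clean)))
    return findings


def shared_dlls(findings) -> dict:
    """DLLs referenced by more than one kind of entry. In this infection one
    random-named DLL is at once the BHO and the res:// search page, which is
    why fixing the R1/O2 lines alone never sticks."""
    kinds = {}
    for f in findings:
        if f.dll:
            kinds.setdefault(f.dll, set()).add(f.kind)
    return {dll: sorted(k) for dll, k in kinds.items() if len(k) > 1}


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.kind:22} {f.dll:16} {f.line[:70]}")
    print("shared DLLs:", shared_dlls(found))
```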

#32 AmazingRich

Posted 02 June 2004 - 08:17 PM

I've got IRC working now, if that helps.

#33 shadowwar (Global Moderator)

Posted 03 June 2004 - 07:40 AM

Hmm, OK. Let's try something here. I assume you have full admin rights?

I will be in chat around 6pm EDT USA.

Load up regedt32 and navigate, by double-clicking the folders in the left pane, to the Windows key.

Right-click it and hit Permissions (you may have to do it from the top menu bar).

Uncheck Inherit if it is there.

Remove all the listings for permissions, so nothing is listed there.

The key should then show nothing in the right pane (the AppInit entry should disappear) after you OK your way out of the permissions box. If it does, reboot, leaving regedt32 open.

After the reboot, check and see if the file shown as suspect or locked in the Find-All log is visible.
If it is, create a folder somewhere.

What you want to do is select the file once by clicking it, then select Edit/Move to Folder and move it to the folder you created.

Then right-click that folder itself, with the file you moved to it.
Hit the Security/Permissions tab. Hit the Advanced button.
Click "Reset permissions on all child objects".
That should reset the permissions on the file.

Then PLEASE email me a zipped copy. This seems like a new variant, as most don't put back the whole Windows key.

Cheers. I also may be in chat throughout the day sporadically.



#34 AmazingRich

Posted 03 June 2004 - 11:59 AM

More interesting facts:
svchost.exe "has generated errors and will be closed by windows" this morning.

As you recall I've been fiddling with the registry a bit, so I'm not sure what state the permissions are in. Without following your instructions I am able to see the DLL and capture a copy of it. It has the same MD5 signature as one in your second.bat file (0758CF...) and has the string "moving companies" in it. I should be able to try your instructions later today.

I might be able to find a Windows CD around somewhere; also my system offers to run a recovery console every boot.

I think I might be away from the computer starting around 6pm EDT today.

dllfix option 1 (findall) never finds any locked files on my system.

I'm able to clean the registry and delete the random DLL file (via Ad-Aware) and it appears clean as long as I'm not connected to the network. When I connect to the network and run IE and Outlook the search page registry entries come back. Cracking open the random DLL I see the string "SYSTEM\CurrenControlSet\Services\Tcpip\parameters". Is there a way to check that it hasn't dropped a bad network protocol module in that is reinfecting me?

You said "most don't put back the whole windows key". I'm not sure what's a key and what's not, and I may have given a confusing description of what's going on earlier. It appears to be putting back Windows and AppInit_DLLs under it, and perhaps a hidden value to AppInit_DLLs (not sure), but isn't creating the other 6 or so keys (or values, I guess I don't know the difference). Hope that clears it up.

#36 AmazingRich

Posted 03 June 2004 - 01:22 PM

Looking into the hive, and guessing how to read Unicode, I see that AppInit_DLLs is C:\:mmtaky.tsk. The only *.tsk files a search on my system finds are mmtask.tsk in winnt\system and winnt\system32.

#37 shadowwar (Global Moderator)

Posted 03 June 2004 - 01:50 PM

Can you post the windows.txt here?

Also, the nasty DLL that usually infects AppInit doesn't put back Windows after you rename it. We may be dealing with something else, then.



#38 AmazingRich

Posted 03 June 2004 - 03:52 PM

[Binary dump of windows.txt (the exported Windows registry key); only the readable strings survive: key Windows; values AppInit_DLLs = C:\:mmtaky.tsk, DeviceNotSelectedTimeout = 15, GDIProcessHandleQuota, Spooler = yes, swapdisk, TransmissionRetryTimeout = 90, USERProcessHandleQuota]

#39 AmazingRich

Posted 03 June 2004 - 04:31 PM

Looks like I'm going to have to yank the cord before CrucialADS finishes. So far it's printed:
Beginning Scan of Local NTFS (C:)
Warning: Open File Failed for C:\Documents and Settings\rhv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Warning: Open File Failed for C:\Documents and Settings\rhv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

If there's more, I'll post later.

#40 AmazingRich

Posted 03 June 2004 - 04:36 PM

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\18651_1.gif
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\18651_1.gif

#41 AmazingRich

Posted 04 June 2004 - 03:51 PM

Here is the complete log:
Beginning Scan of Local NTFS (C:)
Warning: Open File Failed for C:\Documents and Settings\rhv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Warning: Open File Failed for C:\Documents and Settings\rhv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\18651_1.gif
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\18651_1.gif
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\all_California_Oakland_big.jpg
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\all_California_Oakland_big.jpg
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\bay area bridges.jpg
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\bay area bridges.jpg
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\chesscafe_tactices4beg.gif
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\chesscafe_tactices4beg.gif
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsop.gif
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsop.gif
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsx.gif
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsx.gif
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\modernop.gif
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\modernop.gif
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\queensop.gif
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\queensop.gif
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\redwood-city-chart.jpg
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\redwood-city-chart.jpg
!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\Sample.jpg
!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\Sample.jpg
!!! ADS FOUND !!! Name=: a meta-analysis.pdf:$DATA File=C:\Documents and Settings\rhv\My Documents\RICHV 5700\Fitness\Long-term weight-loss maintenance
Warning: Open File Failed for C:\Documents and Settings\rhv\ntuser.dat
Warning: Open File Failed for C:\Documents and Settings\rhv\NTUSER.DAT.LOG
Warning: Open File Failed for C:\\hiberfil.sys
Warning: Open File Failed for C:\\pagefile.sys
Warning: Open File Failed for C:\\System Volume Information
Warning: Open File Failed for C:\WINNT\system32\config\DEFAULT
Warning: Open File Failed for C:\WINNT\system32\config\default.LOG
Warning: Open File Failed for C:\WINNT\system32\config\SAM
Warning: Open File Failed for C:\WINNT\system32\config\SAM.LOG
Warning: Open File Failed for C:\WINNT\system32\config\SECURITY
Warning: Open File Failed for C:\WINNT\system32\config\SECURITY.LOG
Warning: Open File Failed for C:\WINNT\system32\config\SOFTWARE
Warning: Open File Failed for C:\WINNT\system32\config\software.LOG
Warning: Open File Failed for C:\WINNT\system32\config\SYSTEM
Warning: Open File Failed for C:\WINNT\system32\config\SYSTEM.ALT
Warning: Open File Failed for C:\WINNT\system32\Perflib_Perfdata_404.dat

#42 AmazingRich

Posted 08 June 2004 - 03:45 PM

Can someone please help? It's now installing applications on my system.
It's getting to the point where I will have to format and reinstall Windows.

#43 AmazingRich

Posted 08 June 2004 - 07:45 PM

bump

#44 AmazingRich

Posted 08 June 2004 - 10:47 PM

Tried KillBox on C:\:mmtaky.tsk. I understand it should put the file in a submit folder? Didn't see one. Didn't see any *.tsk files except for three copies of mmtsk.tsk (sp?); anyway, a different spelling.

Tried booting an NTFS reader from CD and looked at c:\, c:\winnt and c:\winnt\system. Didn't see anything like :mmtaky.tsk.

I'm now doing a search from the NTFS program for *.tsk. So far just the three mmtsk.tsk files. OK, it's done. No mmtaky.tsk.

So let's summarize what we know:
1) When we delete the Windows key it comes back along with AppInit_DLLs.
2) The hive shows AppInit_DLLs as C:\:mmtaky.tsk.
3) Can't see a :mmtaky.tsk file anywhere on the disk, even if we boot off a CD image and use a DOS-based NTFS reader.
4) Cleaning up the registry entries of the random DLLs, etc. with Ad-Aware makes it appear that everything is clean, but the home page hijack comes back.
5) Now a casino program icon has installed itself on the desktop and in a Programs\ folder and is starting up on boot. Its window is always-on-top so I can't see my work.

#45 AmazingRich

Posted 09 June 2004 - 01:45 AM

Ran Ad-Aware with the latest ref file and a custom scan.
Here's the HJT log (BTW, no njheo.dll visible via Explorer):

Logfile of HijackThis v1.97.7
Scan saved at 11:28:20 PM, on 6/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\ec27ser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\HpMmKbd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Motive\motmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net
*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;
6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s
gate35.apps.hp.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/
O16 - DPF: HPVC component - http://vrm10.win2000...onent401131.cab
O16 - DPF: HPVC resources - http://vrm10.win2000...ources40147.cab
O16 - DPF: HPVC signed - http://vrm10.win2000...signed40139.cab
O16 - DPF: HPVC support - http://vrm10.win2000...support4016.cab
O16 - DPF: HPVC vminfo - http://vrm10.win2000...ents/vminfo.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win200...c/HPPptDrop.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

#46 Subratam (Retired Staff)

Posted 09 June 2004 - 01:48 AM

Download this file from http://downloads.sub....org/dllfix.exe .

Preferably to Desktop. Double-click on it and, it being a self-extractor, it will create its own folder. Run Start.Bat from there. Run Option 1, which is "Run Find-All...". Let it complete and there will be a pop-up window with a log.
Post that log here.

[Tutorial - http://forums.subrat...p?showtopic=583 with screenshots for better understanding. Follow up to step 5.]

Regards
http://blog.emsisoft.com
www.Emsisoft.com

#47 AmazingRich

Posted 09 June 2004 - 02:10 AM

Done. Here is the output.txt log:

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Wed 06/09/2004
12:01a

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "E-Client" (E4D0:E84A) - FS:NTFS clusters:512
Total: 19 980 656 128 [19G] - Free: 3 051 783 680 [2.8G]


*IE version and Service packs:
5.51.4807.2300 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.0.2140.1 C:\WINNT\system32\notepad.exe
5.0.2140.1 C:\WINNT\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP2;Q832894;Q837009;



Locked or 'Suspect' file(s) found...


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#48 AmazingRich

Posted 09 June 2004 - 07:54 PM

My \winnt directory has a filename with unicode characters that "can't be converted to character set default".
That can't be good.

#49 shadowwar (Global Moderator)

Posted 10 June 2004 - 04:17 PM

dllfix is not gonna help in this case. We need to get the mmtaky.tsk file somehow.



#50 AmazingRich

Posted 14 June 2004 - 12:06 PM

After the latest CasinoOnline reappearance:
Logfile of HijackThis v1.97.7
Scan saved at 9:59:35 AM, on 6/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\ec27ser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SavRoam.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\Motive\motmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/portal/index.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net
*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;
6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s
gate35.apps.hp.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DB176F26-877C-4ABF-9317-A7AB7B8F4328} - C:\WINNT\system32\ocidc.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/
O16 - DPF: HPVC component - http://vrm10.win2000...onent401131.cab
O16 - DPF: HPVC resources - http://vrm10.win2000...ources40147.cab
O16 - DPF: HPVC signed - http://vrm10.win2000...signed40139.cab
O16 - DPF: HPVC support - http://vrm10.win2000...support4016.cab
O16 - DPF: HPVC vminfo - http://vrm10.win2000...ents/vminfo.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win200...c/HPPptDrop.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
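Added triage helpers for the symptoms summarised in #44 and logged in #41 and #50 above; this is example code written for this page, not a tool from the thread or from the dllfix/HijackThis/CrucialADS authors, and it runs only over sample lines copied from the posted logs. It groups the res:// search-page entries by the DLL they point at, flags the BHO loading the same DLL, reads an AppInit_DLLs value and recognises the `<drive>:\:<name>` form as NTFS alternate-data-stream syntax on the root directory (a normal *.tsk file search never finds a stream, and the posted CrucialADS log lists streams on files only), and groups CrucialADS hits by stream name.

```python
"""Triage helpers for the about:blank / AppInit_DLLs symptoms in this thread.
Example code added for this page; sample input is copied from the posted logs."""
import re
from collections import defaultdict

# HijackThis R0/R1 lines: "... Search Page = res://C:\WINNT\system32\ocidc.dll/sp.html"
RES_DLL = re.compile(r"res://(?P<path>[A-Za-z]:\\[^\s]+?\.dll)/", re.IGNORECASE)
# NTFS alternate data stream syntax: "<file or directory>:<stream name>".
# "C:\:mmtaky.tsk" is the stream "mmtaky.tsk" attached to the root directory
# of C:, which is why searching the disk for *.tsk files never finds it.
ADS_PATH = re.compile(r"^(?P<host>[A-Za-z]:\\(?:[^:\\]+\\)*[^:\\]*):(?P<stream>[^:\\]+)$")
# CrucialADS output: "!!! ADS FOUND !!! Name=:<stream>:$DATA File=<path>"
ADS_LOG = re.compile(r"^!!! ADS FOUND !!! Name=:(?P<stream>.+?):\$DATA File=(?P<file>.+)$")


def triage_hjt(lines):
    """Map each res:// DLL used for the IE search-page hijack to the registry
    values pointing at it, and list any O2 BHO line that loads the same DLL."""
    values_by_dll = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if line.startswith(("R0 -", "R1 -")):
            m = RES_DLL.search(line)
            if m:
                # "R1 - HKCU\...\Main,Search Page = res://..." -> keep the value name
                value = line.split(" - ", 1)[1].split(" = ", 1)[0]
                values_by_dll[m.group("path").lower()].append(value)
    bhos = [raw.strip() for raw in lines
            if raw.strip().startswith("O2 -")
            and any(dll in raw.lower() for dll in values_by_dll)]
    return dict(values_by_dll), bhos


def classify_appinit(value):
    """Say what an AppInit_DLLs value really loads: nothing, a plain file, or
    an alternate data stream hidden on a file or directory."""
    value = value.strip()
    if not value:
        return {"kind": "empty"}
    m = ADS_PATH.match(value)
    if m:
        return {"kind": "ads", "host": m.group("host"), "stream": m.group("stream")}
    return {"kind": "file", "path": value}


def group_ads(log_lines):
    """Group CrucialADS hits by stream name so names repeated across many
    files stand out from a one-off stream."""
    by_stream = defaultdict(list)
    for raw in log_lines:
        m = ADS_LOG.match(raw.strip())
        if m:
            by_stream[m.group("stream")].append(m.group("file"))
    return dict(by_stream)


# Sample lines copied from the HijackThis and CrucialADS logs posted in this thread.
SAMPLE_HJT = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/portal/index.jsp",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)",
    r"O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll",
    r"O2 - BHO: (no name) - {DB176F26-877C-4ABF-9317-A7AB7B8F4328} - C:\WINNT\system32\ocidc.dll (file missing)",
]
SAMPLE_ADS = [
    r"!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsop.gif",
    r"!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsop.gif",
    r"!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\Sample.jpg",
]

if __name__ == "__main__":
    dlls, bhos = triage_hjt(SAMPLE_HJT)
    for dll, values in dlls.items():
        print(f"{dll}: referenced by {len(values)} search-page value(s)")
    for line in bhos:
        print("BHO loading the same DLL:", line)
    print(classify_appinit(r"C:\:mmtaky.tsk"))
    for stream, files in group_ads(SAMPLE_ADS).items():
        print(f"stream {stream!r} on {len(files)} file(s)")
```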
