AmazingRich

CWS about:blank keeps coming back

52 posts in this topic

My homepage has been hijacked to some search engine in the cc domain and I get a popup offering to install a spyware remover. I assume this is the coolwebsearch hijacker frequently seen here. I tried ad-aware 6 with the latest ref file and it gets to a clean log after two scan and reboot sequences, but the home page gets rehijacked (I think after any search from the address bar in IE). Been like this for about a week. I've been very careful to set the full scan options lavasoft recommended.

Also tried spybot and cwshredder. I don't think I let spybot do everything it wanted as it was going to delete some stuff I knew was legit.

Random named files (like \WINNT\system32\eofe.dll/sp.html) keep showing up in the registry.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 5:59:28 PM, on 5/25/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\ati2evxx.exe

C:\PROGRA~1\Navnt\DefWatch.exe

C:\WINNT\System32\ec27ser.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\HPConfig.exe

C:\PROGRA~1\Navnt\rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\Explorer.EXE

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\HpMmKbd.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Motive\motmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Winamp3\winampa.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\PROGRA~1\Navnt\vptray.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\WINNT\system32\omwipe32.exe

C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net *.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66; 6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;sygate35.apps.hp.com;<local>

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [iDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe

O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/

O16 - DPF: HPVC component - http://vrm10.win2000.hpe-learning.com/hpvc...onent401131.cab

O16 - DPF: HPVC resources - http://vrm10.win2000.hpe-learning.com/hpvc...ources40147.cab

O16 - DPF: HPVC signed - http://vrm10.win2000.hpe-learning.com/hpvc...signed40139.cab

O16 - DPF: HPVC support - http://vrm10.win2000.hpe-learning.com/hpvc...support4016.cab

O16 - DPF: HPVC vminfo - http://vrm10.win2000.hpe-learning.com/Room...ents/vminfo.cab

O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win2000.hpe-learning.com/Room...c/HPPptDrop.CAB

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com/client/latest/webex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

Edited by AmazingRich


BTW, has anyone figured out how the reinstall is being done? Should I just have HJT delete all the system32/eofe.dll/sp.html lines? I've gotten the impression from others that either they won't delete with HJT, or they come back again.


about:blank is still coming back. New log follows...

 

Logfile of HijackThis v1.97.7

Scan saved at 11:08:34 AM, on 5/26/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\ati2evxx.exe

C:\PROGRA~1\Navnt\DefWatch.exe

C:\WINNT\System32\ec27ser.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\HPConfig.exe

C:\PROGRA~1\Navnt\rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\Explorer.EXE

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\HpMmKbd.exe

C:\Program Files\Motive\motmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Winamp3\winampa.exe

C:\PROGRA~1\Navnt\vptray.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\WINNT\system32\omwipe32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\notepad.exe

C:\WINNT\system32\NOTEPAD.EXE

C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net *.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66; 6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;sygate35.apps.hp.com;<local>

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {9D1A8D99-AC1D-45A6-AB76-3ADAD06F03E1} - C:\WINNT\system32\cnm.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [iDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe

O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/

O16 - DPF: HPVC component - http://vrm10.win2000.hpe-learning.com/hpvc...onent401131.cab

O16 - DPF: HPVC resources - http://vrm10.win2000.hpe-learning.com/hpvc...ources40147.cab

O16 - DPF: HPVC signed - http://vrm10.win2000.hpe-learning.com/hpvc...signed40139.cab

O16 - DPF: HPVC support - http://vrm10.win2000.hpe-learning.com/hpvc...support4016.cab

O16 - DPF: HPVC vminfo - http://vrm10.win2000.hpe-learning.com/Room...ents/vminfo.cab

O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win2000.hpe-learning.com/Room...c/HPPptDrop.CAB

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com/client/latest/webex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

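The two logs above show the same hijack coming back under a new random DLL name (eofe.dll, then cnm.dll) with a new BHO pointing at that DLL, which is why deleting the sp.html lines by name does not stick. The script below is an added example, not part of this thread and not HijackThis code: it pulls the about:blank/sp.html indicators out of HijackThis 1.9x lines and diffs two scans with the random DLL name canonicalised, so the rename reads as "same hijack, new file" rather than as one entry removed and one added. The sample lines are taken from the two logs above; the "short lower-case DLL directly in system32" rule is a heuristic of mine, not a HijackThis rule.

```python
"""Triage HijackThis 1.9x log lines for the CWS about:blank hijacker and diff
two scans so that a renamed dropper DLL still reads as the same hijack."""
import re

# Constructed sample: lines taken from the two HijackThis logs in this thread.
SCAN_1 = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\eofe.dll/sp.html (obfuscated)",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
]
SCAN_2 = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cnm.dll/sp.html (obfuscated)",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {9D1A8D99-AC1D-45A6-AB76-3ADAD06F03E1} - C:\WINNT\system32\cnm.dll",
    r"O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
]

# A search page served as an HTML resource (res://) out of a DLL in system32 is
# this hijacker's signature; the DLL name is random and changes on reinfection.
RES_SP_RE = re.compile(r"res://[^ ]*\\system32\\(?P<dll>[^\\/ ]+\.dll)/sp\.html", re.I)
O2_RE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$", re.I)
# Heuristic of mine, not a HijackThis rule: a BHO whose file sits directly in
# system32 under a short lower-case name (eofe, cnm, ajknnp) deserves a look.
SHORT_SYS32_RE = re.compile(r"\\system32\\[a-z]{2,8}\.dll$", re.I)


def triage(lines):
    """Return (indicator, detail) pairs for the lines that matter."""
    findings = []
    for line in lines:
        code = line.split(" - ", 1)[0]
        if code in ("R0", "R1"):
            m = RES_SP_RE.search(line)
            if m:
                findings.append(("res://sp.html search hijack", m["dll"]))
            elif "about:blank" in line:
                findings.append(("about:blank start page", line.split(",")[-1].split(" = ")[0]))
        elif code == "O2":
            m = O2_RE.match(line)
            if m and (m["missing"] or SHORT_SYS32_RE.search(m["path"])):
                findings.append(("suspect BHO", m["clsid"]))
        elif code == "O6":
            findings.append(("IE policy restriction set", line.split("\\")[-1]))
    return findings


def hijack_dlls(lines):
    """The random DLL names that serve sp.html in this scan."""
    return sorted({d for kind, d in triage(lines) if kind == "res://sp.html search hijack"})


def diff_scans(old, new):
    """Line diff with the random DLL name canonicalised, so eofe.dll -> cnm.dll
    shows up as a rename instead of one entry removed and one added."""
    def canon(line):
        return RES_SP_RE.sub("res://<random>.dll/sp.html", line)
    old_c = {canon(l) for l in old}
    new_c = {canon(l) for l in new}
    return {
        "added": [l for l in new if canon(l) not in old_c],
        "removed": [l for l in old if canon(l) not in new_c],
        "renamed": (hijack_dlls(old), hijack_dlls(new)),
    }


if __name__ == "__main__":
    for kind, detail in triage(SCAN_2):
        print(f"{kind}: {detail}")
    print("dropper DLL before/after:", diff_scans(SCAN_1, SCAN_2)["renamed"])
```

Run it over the full logs (one list per scan) and the "added" entries between scans are what reappeared after a cleaning pass, which is usually a better lead than the sp.html lines themselves.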

I'm not complaining, just wondering whether I missed something important about how to get help. I posted my log yesterday and I haven't seen any responses. I've seen others here that get help right away. Was I supposed to do something else to get help?


Please post a reply in your earlier thread to "bump" it to the top of the list.

 

Mods, please merge this thread with his previous one.


So this was probably a mistake, but I ran dllfix and told it to "enter fix menu" and "let program search for it". It continuously prints out "Error: The system was unable to find the specified registry key or value". I need to turn the computer off and go home. If I do that will it mess anything up?


Do Ctrl-Alt-Del and then Shutdown, if possible.

But powering off won't usually do any harm.

 

Your log is wild! I will see if we can get an expert to have a look.


Hi there,

Let's start afresh. Let's follow the process below as it is said. Go slow and follow the instructions. We need a Find-All log and the instructions below will say how we can get it.

Download this file from http://downloads.subratam.org/dllfix.exe or http://tools.zerosrealm.com/dllfix.exe.

Preferably to Desktop. Double-click on it and, it being a self-extractor, it will create its own folder. Run Start.Bat from there. Run Option 1, which is "Run Find-All...". Let it complete and there will be a pop-up window with a log.

Post that log here.

[ Tutorial - http://forums.subratam.org/index.php?showtopic=583 with screenshots for better understanding. Follow up to step 5 ]

Regards and Good luck

Edited by Subratam


HELP!! I'm desperate!

Before I run dllfix again and have it overwrite backup.hiv I've got to fix up my registry.

When I ran it before it got stuck trying to restore a hive to "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows". This was after saving it off and deleting the original registry entry. Now I'm pretty sure that the registry entry is screwed up. It only has Appinit_Dlls; I think there should be more, as it is looking for USERProcessHandleQuota later in the batch file. I tried restoring from the hive but I get "Error: The system was unable to find the specified registry key or value".

What do I do? How do I fix up the registry and what does that key do? I'm afraid to reboot the system.


Please do the steps I said just above. Download the file and do as stated. Just for your information, we have tested dllfix on our machines, and I have myself too. It won't screw up your registry. Just follow the right steps, and if you cannot understand, follow the tutorial link I gave.

Regards


Perhaps I wasn't clear. Some entries in my registry are gone, the only copy of them are in backup.hiv, I'd like to restore the registry before I worry about the hijacker and before I reboot.

 

I don't know about your machine, but on mine dllfix produced the same error message over and over again for a couple of hours and left HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows with just AppInit_DLLs in it. I'm pretty sure that it is supposed to have DeviceNotSelectedTimeout, GDIProcessHandleQuota, Spooler, swapdisk, TransmissionRetryTimeout, and USERProcessHandleQuota in it, which it does not.

 

Trying to restore the backup hive into CurrentVersion\Windows results in an error when I use the Reg program. Maybe some process is holding it open so that Reg can't do anything, I don't know.

 

I have been able to restore the hive into a new key "CurrentVersion\XXXWindows" with regedt32, but I haven't figured out how to do it to CurrentVersion\Windows yet.

 

Also I can't download anything to it (my laptop) tonight, it doesn't have an internet connection at home. I downloaded dllfix earlier today from one of the two sites you mentioned. So if I fix the registry I can run a recent copy of dllfix with option 1 as you suggest.


I am looking at it and discussing with other helpers. Will get back to you.

 

Regards


OK, let's get this restored. There was a slight error that may have caused this, but it should be fixed now.

OK, in order to restore a hive you first must create the key.

Copy the following (the part in the quote box) into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

Hit File/Save As. Give it the name restore.reg, under the name set file types to all types, and save it to the desktop. Close Notepad. After that's done, double-click restore.reg and, when asked to merge, say yes. That will put back the key.

OK, in order to restore the hive, you can put this in a .bat file and put it in the same folder as the backup.hiv:

Reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" backup.hiv

Again, copy it to Notepad, File/Save As, name it restore.bat, set file types to all file types, and save it to where the backup.hiv is. Double-click it to restore the hive.

Warning: this may put the infected file back in play.

That should bring everything back.

Let me know if more problems. If you decide to try dllfix again, please download a fresh copy of it.

Edited by shadowwar

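Because Reg Restore from backup.hiv can bring the infected AppInit_DLLs value back, as shadowwar warns, it pays to read what the key actually contains before merging a .reg file or restoring the hive. The script below is an added example, not shadowwar's, dllfix's or regedit's code: it parses the REGEDIT4 format that restore.reg uses (the assumption is that you export the key in that format rather than regedit's newer "Version 5.00" Unicode format) and checks the Windows key against the baseline values in restore.reg above. The clean sample is that restore.reg; the "infected" sample is constructed, with Spooler removed and a placeholder DLL name in AppInit_DLLs, purely to show what the check reports.

```python
"""Parse a REGEDIT4 export of the 'Windows' key and check it against the
baseline values in restore.reg before merging it or restoring a hive."""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Baseline: the values restore.reg puts back (dword 0x2710 = 10000).
BASELINE = {
    "devicenotselectedtimeout": ("string", "15"),
    "gdiprocesshandlequota": ("dword", 0x2710),
    "spooler": ("string", "yes"),
    "swapdisk": ("string", ""),
    "transmissionretrytimeout": ("string", "90"),
    "userprocesshandlequota": ("dword", 0x2710),
    "appinit_dlls": ("string", ""),
}

# Constructed samples: CLEAN_REG is restore.reg from the post above; INFECTED_REG
# is a hypothetical export of the same key with Spooler gone and a placeholder
# DLL (abcd.dll, not a file from this thread) listed in AppInit_DLLs.
CLEAN_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""
"""
INFECTED_REG = (CLEAN_REG
                .replace('"Spooler"="yes"\n', "")
                .replace('"Appinit_Dlls"=""', r'"AppInit_DLLs"="C:\\WINNT\\system32\\abcd.dll"'))

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    """REGEDIT4 strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name_lower: (type, value)}} for REGEDIT4 text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m["default"] else _unescape(m["name"]).lower()
        data = m["data"]
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("string", _unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        else:
            keys[current][name] = ("raw", data)   # hex:, hex(7): etc. kept as text
    return keys


def check_windows_key(text):
    """Problems that should stop you merging this data or restoring the hive."""
    parsed = parse_reg(text)
    values = next((v for k, v in parsed.items() if k.lower() == WINDOWS_KEY.lower()), None)
    if values is None:
        return ["key not present: " + WINDOWS_KEY]
    problems = []
    for name, expected in BASELINE.items():
        if name not in values:
            problems.append("missing value: " + name)
        elif name == "appinit_dlls":
            # AppInit_DLLs is a space- or comma-separated list of DLLs loaded into
            # every process that links user32.dll; on a clean box it is empty.
            loaded = [p for p in re.split(r"[ ,]+", values[name][1]) if p]
            if loaded:
                problems.append("AppInit_DLLs loads: " + ", ".join(loaded))
        elif values[name] != expected:
            problems.append(f"{name} is {values[name]!r}, expected {expected!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("restore.reg", CLEAN_REG), ("constructed export", INFECTED_REG)):
        print(label + ":", check_windows_key(text) or "OK")
```

An empty result means the key holds exactly what restore.reg writes; anything listed under "AppInit_DLLs loads" is a DLL that would be injected into every GUI process on the next logon, so clear that value before the hive goes back.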

Thanks for your help Shadowwar. Late last night I had restored the hive to XXXWindows and used it as a guide to recreate the registry entries by hand under Windows. My values now look like the ones in your first quote. I think the only thing that might still be wrong would be the permissions as I don't know what they should be set to. At this point should I:

 

Try to restore the hive to set the permissions correctly? Note that I tried your second quoted line (but before creating Spooler, etc by hand) and got errors so it may not work if I try it now.

 

Or should I try to fix the permissions by looking at XXXWindows and attempting to duplicate them by hand in Windows?

 

Or should I use the ACL listing from a run of dllfix option 1 that I did a day or so ago?

 

I need to go into work to hook the infected computer to the internet and pick up a new dllfix. I'll report back afterward.


OK, well, the hive restore will restore the permissions to the correct settings, but may restore the infected AppInit value too. The best bet would be to restore the permissions by hand, from the log from a day or two ago.

Basically you have to uncheck inherited. Click copy. Remove your name.


Shadowwar,

 

Rats, output.txt got overwritten. So I've lost the permissions from before the registry got changed. This is what they were before I unchecked inherited and clicked copy:

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read Everyone

(ID-IO) ALLOW Read Everyone

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read Everyone

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

I tried restoring the hive, but I still get "Error: The system was unable to find the specified registry key or value". So I unchecked inherited and clicked copy. My name shows up in three places, under administrator, power users and users. Should I remove my name under users?


I'm not sure if the registry permissions are right or not. I did a dllfix and here is the log. It didn't find any locked or suspect files.

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Thu 05/27/2004

5:29p

 

System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "E-Client" (E4D0:E84A) - FS:NTFS clusters:512

Total: 19 980 656 128 [19G] - Free: 3 142 786 048 [2.9G]

 

 

*IE version and Service packs:

5.51.4807.2300 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP2;Q832894;Q837009;

 

*Google Toolbar version and Attributes:

2.0.111.0 C:\Program Files\google\googletoolbar1.dll

Defaults: "A" ;"R"

File not found - C:\Program Files\google\googletoolbar2.dll

A R C:\Program Files\google\GoogleToolbar1.dll

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Hewlett-Packard IE5.5-SP2"="IEAKHewlett-Packard"

 

 

*Wmplayer version:

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINNT\System32\msjava.dll

 

 

*PC uptime:

5:29pm up 0 days, 0:17

Locked or 'Suspect' file(s) found...

 

 

*List of top level windows:

HWND PID PRIO TITLE

201e0 1108 norm SysFader

10100 1640 norm VOLUME

100e4 1108 norm Fax Monitor

10042 1108 norm _Shell_TrayWnd

10018 220 high NetDDE Agent

1020a 1304 norm C:\WINNT\system32\cmd.exe

60140 1108 norm dllfix

101f8 1108 norm DDE Server Window

10122 1444 norm Adaptec Create CD

20156 408 norm Sygate Security Agent

10190 408 norm Log Viewer

2015a 1560 norm HpqCameraDetectMonitor

3013a 1708 norm HP Photosmart Printer Series

40108 1676 norm About WinZip Quick Pick

1011a 1684 norm Adaptec DirectCD Wizard

10110 1740 norm Symantec AntiVirus Corporate Edition

30104 1700 norm HPGS2WND_WINDOW

200e0 1536 idle motmon

100fe 1640 norm HP Extended Keyboard

100fa 1624 norm ATI Tray Icon Application

30074 1580 norm IDA Task

10086 1108 norm CSC Notifications Window

1007c 1108 norm Power Meter

10078 1108 norm Connections Tray

10076 1108 norm MS_WebcheckMonitor

4002a 1108 norm DDE Server Window

4001e 836 norm Scan

20030 836 norm ACTION

2002e 836 norm VPIPCLINK

2003a 992 norm SYSTEM AGENT COM WINDOW

10022 660 norm ATI video bios poller

70020 408 norm SS

1001a 220 high MM Notify Callback

1005a 1108 norm Program Manager

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{40F9A07A-6F2D-4352-843E-3FB6E6AE4D6C}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2836ED5-FA51-4D15-B713-BECC44551997}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{330B110C-D720-4F2F-BBFC-89F87DA0E307}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{330B110C-D720-4F2F-BBFC-89F87DA0E307}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(CI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

(CI) ALLOW Read Everyone

(CI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(CI) ALLOW Full access NT AUTHORITY\SYSTEM

(CI) ALLOW Read BUILTIN\Users

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Full access BUILTIN\Administrators

Read Everyone

QWCEN-DS-- BUILTIN\Power Users

Full access NT AUTHORITY\SYSTEM

Read BUILTIN\Users

 

 


Shadowwar, Subratam,

 

I took an HJT log (scan only) after the dllfix. There is a file \WINNT\system32\nhp.dll, so even though dllfix didn't find any suspicious files, the hijacker reinstalled.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 5:48:53 PM, on 5/27/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\ati2evxx.exe

C:\PROGRA~1\Navnt\DefWatch.exe

C:\WINNT\System32\ec27ser.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\HPConfig.exe

C:\PROGRA~1\Navnt\rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\MsgSys.EXE

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\HpMmKbd.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Motive\motmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Winamp3\winampa.exe

C:\PROGRA~1\Navnt\vptray.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINNT\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net

*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;

6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s

gate35.apps.hp.com;<local>

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {40F9A07A-6F2D-4352-843E-3FB6E6AE4D6C} - C:\WINNT\system32\nhp.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [iDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe

O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/

O16 - DPF: HPVC component - http://vrm10.win2000.hpe-learning.com/hpvc...onent401131.cab

O16 - DPF: HPVC resources - http://vrm10.win2000.hpe-learning.com/hpvc...ources40147.cab

O16 - DPF: HPVC signed - http://vrm10.win2000.hpe-learning.com/hpvc...signed40139.cab

O16 - DPF: HPVC support - http://vrm10.win2000.hpe-learning.com/hpvc...support4016.cab

O16 - DPF: HPVC vminfo - http://vrm10.win2000.hpe-learning.com/Room...ents/vminfo.cab

O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win2000.hpe-learning.com/Room...c/HPPptDrop.CAB

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com/client/latest/webex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net


Well, that looks good on permissions.

 

Run adaware fully updated.

 

Please post a new findall log afterwards.


As far as I can tell, dllfix looks good, but HJT still reports problems.

Here is what I've done.

 

Rebooted

Ran Ad-aware with latest ref file (01R311), fixed all and saved to log29

Ran dllfix find only and saved to "b"

Ran HJT scan only and saved to "7"

Rebooted

Ran dllfix find only and saved to "c"

Ran HJT scan only and saved to "8"

I saved all these logs if they're helpful.

 

Here is outputc.txt (after the reboot):

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Fri 05/28/2004

5:53p

 

System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "E-Client" (E4D0:E84A) - FS:NTFS clusters:512

Total: 19 980 656 128 [19G] - Free: 3 148 318 720 [2.9G]

 

 

*IE version and Service packs:

5.51.4807.2300 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP2;Q832894;Q837009;

 

*Google Toolbar version and Attributes:

2.0.111.0 C:\Program Files\google\googletoolbar1.dll

Defaults: "A" ;"R"

File not found - C:\Program Files\google\googletoolbar2.dll

A R C:\Program Files\google\GoogleToolbar1.dll

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Hewlett-Packard IE5.5-SP2"="IEAKHewlett-Packard"

 

 

*Wmplayer version:

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINNT\System32\msjava.dll

 

 

*PC uptime:

5:53pm up 0 days, 0:15

Locked or 'Suspect' file(s) found...

 

 

*List of top level windows:

HWND PID PRIO TITLE

201e0 1472 norm SysFader

100f0 1472 norm Fax Monitor

100ea 1524 norm VOLUME

2004a 1472 norm _Shell_TrayWnd

10016 196 high NetDDE Agent

7020e 1892 norm C:\WINNT\system32\cmd.exe

5014a 1472 norm dllfix

101f8 1472 norm DDE Server Window

2010a 1680 norm Adaptec Create CD

4015a 408 norm Sygate Security Agent

10192 408 norm Log Viewer

30148 1640 norm HP Photosmart Printer Series

10154 1616 norm HpqCameraDetectMonitor

20110 1700 norm About WinZip Quick Pick

1011c 1584 norm Adaptec DirectCD Wizard

1011a 1664 norm Symantec AntiVirus Corporate Edition

10108 1620 norm HPGS2WND_WINDOW

100ec 1488 idle motmon

100e8 1524 norm HP Extended Keyboard

100e2 1516 norm ATI Tray Icon Application

200de 736 norm IDA Task

10088 1472 norm CSC Notifications Window

1007e 1472 norm Power Meter

10074 1472 norm Connections Tray

10072 1472 norm MS_WebcheckMonitor

3004e 1472 norm DDE Server Window

1003c 828 norm Scan

1003a 828 norm ACTION

10038 828 norm VPIPCLINK

10034 952 norm SYSTEM AGENT COM WINDOW

10022 664 norm ATI video bios poller

70020 408 norm SS

1001a 196 high MM Notify Callback

3005c 1472 norm Program Manager

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2836ED5-FA51-4D15-B713-BECC44551997}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(CI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

(CI) ALLOW Read Everyone

(CI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(CI) ALLOW Full access NT AUTHORITY\SYSTEM

(CI) ALLOW Read BUILTIN\Users

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Full access BUILTIN\Administrators

Read Everyone

QWCEN-DS-- BUILTIN\Power Users

Full access NT AUTHORITY\SYSTEM

Read BUILTIN\Users

 

 


hijackthis8.log. This is after running the latest Ad-aware and rebooting.

 

Logfile of HijackThis v1.97.7

Scan saved at 5:59:28 PM, on 5/28/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\ati2evxx.exe

C:\PROGRA~1\Navnt\DefWatch.exe

C:\WINNT\System32\ec27ser.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\HPConfig.exe

C:\PROGRA~1\Navnt\rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\Explorer.EXE

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\HpMmKbd.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Motive\motmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Winamp3\winampa.exe

C:\PROGRA~1\Navnt\vptray.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net

*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;

6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s

gate35.apps.hp.com;<local>

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [iDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe

O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/

O16 - DPF: HPVC component - http://vrm10.win2000.hpe-learning.com/hpvc...onent401131.cab

O16 - DPF: HPVC resources - http://vrm10.win2000.hpe-learning.com/hpvc...ources40147.cab

O16 - DPF: HPVC signed - http://vrm10.win2000.hpe-learning.com/hpvc...signed40139.cab

O16 - DPF: HPVC support - http://vrm10.win2000.hpe-learning.com/hpvc...support4016.cab

O16 - DPF: HPVC vminfo - http://vrm10.win2000.hpe-learning.com/Room...ents/vminfo.cab

O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win2000.hpe-learning.com/Room...c/HPPptDrop.CAB

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com/client/latest/webex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net


Check and fix these entries:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nhp.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {C2836ED5-FA51-4D15-B713-BECC44551997} - C:\WINNT\system32\ajknnp.dll (file missing)

 

Post a new HJT log, but that should be it.


Shadowwar, thanks for sticking with me on this.

 

Checked the suggested entries in HJT and fixed them, rebooted, ran Explorer (not IE), Outlook, maybe some other stuff, all without connecting to the network. Reran HijackThis. All looked OK.

This morning I connected to the network, updated Ad-aware to 01R312 30.05.2004, scanned, and it found about 10 problems. About 6 were the random DLL in system32, but now with a different name. I had Ad-aware fix them, rebooted, then ran HJT. HJT still sees the same DLLs (the ones Ad-aware claimed to fix).

 

Not sure where to go from here, other than to point out that something is reinstalling the registry entries and nothing so far has found it.

 

Here is the latest HJT log:

Logfile of HijackThis v1.97.7

Scan saved at 11:44:27 AM, on 6/1/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\ati2evxx.exe

C:\PROGRA~1\Navnt\DefWatch.exe

C:\WINNT\System32\ec27ser.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\HPConfig.exe

C:\PROGRA~1\Navnt\rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\Explorer.EXE

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\HpMmKbd.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Motive\motmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Winamp3\winampa.exe

C:\PROGRA~1\Navnt\vptray.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Emacs\emacs-20.7\bin\emacs.exe

C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cpia.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net

*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;

6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s

gate35.apps.hp.com;<local>

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [iDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe

O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/

O16 - DPF: HPVC component - http://vrm10.win2000.hpe-learning.com/hpvc...onent401131.cab

O16 - DPF: HPVC resources - http://vrm10.win2000.hpe-learning.com/hpvc...ources40147.cab

O16 - DPF: HPVC signed - http://vrm10.win2000.hpe-learning.com/hpvc...signed40139.cab

O16 - DPF: HPVC support - http://vrm10.win2000.hpe-learning.com/hpvc...support4016.cab

O16 - DPF: HPVC vminfo - http://vrm10.win2000.hpe-learning.com/Room...ents/vminfo.cab

O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win2000.hpe-learning.com/Room...c/HPPptDrop.CAB

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com/client/latest/webex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net


Tried the latest dllfix and now it's looping forever. For some reason regedit isn't able to delete the Windows key... hold on. When I go into regedt32 and delete the Windows key it comes right back!! Weird. Does that mean it isn't really being deleted, or that something is putting it right back?


Ah, ha! Something is adding the AppInit_DLLs back. I can add and delete other entries in Windows (such as DeviceNotSelectedTimeout), but if I delete Windows or AppInit_DLLs it doesn't go away.


Whoa. It's putting the whole key back? If you rename Windows to something like notwindows, does Windows come back?

Do you have your Windows CD?


OK, let's try that. When I rename Windows to WindowsZZZ and refresh, there is a new Windows with just AppInit_DLLs and a WindowsZZZ with the usual seven keys.

[edit: no I don't have the CD, system was installed by the IT department]

Edited by AmazingRich


Hmm, OK... let's try something here. I assume you have full admin rights?

I will be in chat around 6pm EDT USA.

Load up regedt32 and navigate by double clicking the folders in the left pane to the Windows key.

Right click it and hit Permissions. (You may have to do it from the top menu bar.)

Uncheck Inherit if it is there.

Remove all the listings for permissions, so nothing is listed there.

The key should then show nothing in the right pane (the AppInit should disappear) after you OK your way out of the permissions box. If it does, reboot leaving regedt32 open.

After the reboot check and see if the file shown as suspect or locked in the find-all log is visible.

If it is, create a folder somewhere.

What you want to do is select the file once by clicking it, then select Edit/Move to Folder and move it to the folder you created.

Then right click that folder itself with the file you moved to it.

Hit the Security/Permissions tab. Hit the Advanced button.

Click "Reset permissions on all child objects".

That should reset the permissions on the file.

Then PLEASE email me a copy zipped. This seems like a new variant, as most don't put back the whole Windows key.

Cheers. I also may be in chat throughout the day sporadically.


More interesting facts:

svchost.exe "has generated errors and will be closed by windows" this morning.

As you recall I've been fiddling with the registry a bit, so I'm not sure what state the permissions are in. Without following your instructions I am able to see the dll and capture a copy of it. It has the same md5 sig as one in your second.bat file (0758CF...) and has the string "moving companies" in it. I should be able to try your instructions later today.

I might be able to find a Windows CD around somewhere; also my system offers to run a recovery console every boot.

I think I might be away from the computer starting around 6pm EDT today.

dllfix option 1 (findall) never finds any locked files on my system.

I'm able to clean the registry and delete the random dll file (via Ad-Aware) and it appears clean as long as I'm not connected to the network. When I connect to the network and run IE and Outlook the search page registry entries come back. Cracking open the random dll I see the string "SYSTEM\CurrenControlSet\Services\Tcpip\parameters". Is there a way to check that it hasn't dropped a bad network protocol module in that is reinfecting me?

You said "most don't put back the whole windows key". I'm not sure what's a key and what's not, and I may have given a confusing description of what's going on earlier. It appears to be putting back Windows and AppInit_DLLs under it and perhaps a hidden value to AppInit_DLLs (not sure), but isn't creating the other 6 or so keys (or values, I guess I don't know the difference). Hope that clears it up.



Looking into the hive, and guessing at how to read the Unicode, I see that AppInit_DLLs is C:\:mmtaky.tsk. The only *.tsk files a search on my system finds are mmtask.tsk in winnt\system and winnt\system32.

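Reading the value straight out of the hive, as the post above does by hand, as an added example that is not from the thread or any tool it names: a minimal Python decoder for registry 'vk' (value) cells, run over a constructed hive fragment rather than the poster's windows.txt, which prints what the hive stores next to what a NUL-terminated string API would return and flags an AppInit_DLLs entry such as C:\:mmtaky.tsk, a name that points at an alternate data stream on the root of C: rather than at a file. The cell layout follows the documented regf format; the fragment builder, the sample bytes and the embedded-NUL check are assumptions, not claims about this infection.

```python
"""Decode value ('vk') cells straight from a raw registry hive, independently of the
Win32 registry API, and flag a suspicious AppInit_DLLs entry. Added example, not code
from the thread or any tool it names; the hive bytes are constructed, not windows.txt."""
import re
import struct

HBIN_BASE = 0x1000   # the regf base block is 4096 bytes; cell offsets are relative to here
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4

def is_ads_reference(path):
    """True if path names an NTFS alternate data stream, i.e. has a colon after the
    drive-letter colon: 'C:\\:mmtaky.tsk' is stream mmtaky.tsk on the root of C:."""
    body = path[2:] if re.match(r'^[A-Za-z]:', path) else path
    return ':' in body

def iter_vk_cells(hive):
    """Yield (name, type, raw_data) for each allocated vk cell, found by scanning for
    the 'vk' signature preceded by a negative (= allocated) 4-byte cell size."""
    pos = HBIN_BASE
    while True:
        pos = hive.find(b'vk', pos)
        if pos < 4 or pos + 20 > len(hive):
            return
        if struct.unpack_from('<i', hive, pos - 4)[0] >= 0:
            pos += 2                    # 'vk' bytes inside data, not a cell header
            continue
        name_len, data_len, data_off, vtype, flags = struct.unpack_from('<HIIIH', hive, pos + 2)
        name = hive[pos + 20:pos + 20 + name_len]
        name = name.decode('latin-1') if flags & 1 else name.decode('utf-16-le', 'replace')
        if data_len & 0x80000000:       # up to 4 data bytes are stored in the offset field itself
            raw = struct.pack('<I', data_off)[:data_len & 0x7fffffff]
        else:
            start = HBIN_BASE + data_off + 4   # +4 skips the data cell's own size field
            raw = hive[start:start + data_len]
        yield name, vtype, raw
        pos += 20 + name_len

def decode_value(vtype, raw):
    """Strings as text (trailing NULs dropped, embedded NULs kept), REG_DWORD as int."""
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode('utf-16-le', 'replace').rstrip('\0')
    if vtype == REG_DWORD and len(raw) == 4:
        return struct.unpack('<I', raw)[0]
    return raw

def dump_values(hive):
    """Every value in the fragment, as the raw bytes say it is."""
    return {name: decode_value(vtype, raw) for name, vtype, raw in iter_vk_cells(hive)}

def audit_appinit(hive):
    """Compare the NUL-terminated view of AppInit_DLLs (what a string API returns) with
    the full stored text, and flag list entries that load from an alternate data stream."""
    for name, vtype, raw in iter_vk_cells(hive):
        if name.lower() != 'appinit_dlls' or vtype not in (REG_SZ, REG_EXPAND_SZ):
            continue
        stored = decode_value(vtype, raw)
        api_view = stored.split('\0', 1)[0]
        reasons = []
        if api_view != stored:
            reasons.append('embedded NUL: API shows %r, hive holds %r' % (api_view, stored))
        for entry in re.split(r'[ ,]+', stored.replace('\0', ' ')):  # space/comma separated list
            if entry and is_ads_reference(entry):
                reasons.append('loads from an alternate data stream: ' + entry)
        return {'stored': stored, 'api_view': api_view, 'reasons': reasons}
    return None

def _cell(payload):
    """Allocated hive cell: negative size rounded up to 8 bytes, then the payload."""
    size = (len(payload) + 4 + 7) & ~7
    return struct.pack('<i', -size) + payload.ljust(size - 4, b'\0')

def build_sample_hive():
    """Constructed fragment (assumption) holding three Windows-key values as the thread's
    hive text shows them (AppInit_DLLs = C:\\:mmtaky.tsk); layout follows the regf format."""
    cells, used = [], 32                 # the first cell follows the 32-byte hbin header
    def add(payload):
        nonlocal used
        off, cell = used, _cell(payload)
        cells.append(cell)
        used += len(cell)
        return off

    def add_vk(name, vtype, data=None, inline=None):
        if inline is not None:
            dlen = 0x80000000 | len(inline)
            doff = struct.unpack('<I', inline.ljust(4, b'\0'))[0]
        else:
            dlen, doff = len(data), add(data)   # data cell is written before the vk that refers to it
        add(struct.pack('<2sHIIIHH', b'vk', len(name), dlen, doff, vtype, 1, 0) + name)

    add_vk(b'AppInit_DLLs', REG_SZ, data='C:\\:mmtaky.tsk\0'.encode('utf-16-le'))
    add_vk(b'DeviceNotSelectedTimeout', REG_SZ, data='15\0'.encode('utf-16-le'))
    add_vk(b'GDIProcessHandleQuota', REG_DWORD, inline=struct.pack('<I', 0x2710))
    hbin = b'hbin' + struct.pack('<II', 0, used) + b'\0' * 20 + b''.join(cells)
    return b'regf'.ljust(HBIN_BASE, b'\0') + hbin

if __name__ == '__main__':
    hive = build_sample_hive()
    print(dump_values(hive))
    print(audit_appinit(hive))
```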

Can you post the windows.txt here?

Also, the nasty dll that usually infects AppInit doesn't put back Windows after you rename it. We may be dealing with something else then.



Looks like I'm going to have to yank the cord before crucialads finishes. So far it's printed:

Beginning Scan of Local NTFS (C:)

Warning: Open File Failed for C:\Documents and Settings\rhv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Warning: Open File Failed for C:\Documents and Settings\rhv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

 

If there's more, I'll post later.


!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\18651_1.gif

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\18651_1.gif


Here is the complete log:

Beginning Scan of Local NTFS (C:)

Warning: Open File Failed for C:\Documents and Settings\rhv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Warning: Open File Failed for C:\Documents and Settings\rhv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\18651_1.gif

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\18651_1.gif

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\all_California_Oakland_big.jpg

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\all_California_Oakland_big.jpg

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\bay area bridges.jpg

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\bay area bridges.jpg

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\chesscafe_tactices4beg.gif

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\chesscafe_tactices4beg.gif

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsop.gif

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsop.gif

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsx.gif

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\kingsx.gif

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\modernop.gif

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\modernop.gif

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\queensop.gif

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\queensop.gif

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\redwood-city-chart.jpg

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\redwood-city-chart.jpg

!!! ADS FOUND !!! Name=:Q30lsldxJoudresxAaaqpcawXc:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\Sample.jpg

!!! ADS FOUND !!! Name=:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA File=C:\Documents and Settings\rhv\My Documents\My Pictures\Sample.jpg

!!! ADS FOUND !!! Name=: a meta-analysis.pdf:$DATA File=C:\Documents and Settings\rhv\My Documents\RICHV 5700\Fitness\Long-term weight-loss maintenance

Warning: Open File Failed for C:\Documents and Settings\rhv\ntuser.dat

Warning: Open File Failed for C:\Documents and Settings\rhv\NTUSER.DAT.LOG

Warning: Open File Failed for C:\\hiberfil.sys

Warning: Open File Failed for C:\\pagefile.sys

Warning: Open File Failed for C:\\System Volume Information

Warning: Open File Failed for C:\WINNT\system32\config\DEFAULT

Warning: Open File Failed for C:\WINNT\system32\config\default.LOG

Warning: Open File Failed for C:\WINNT\system32\config\SAM

Warning: Open File Failed for C:\WINNT\system32\config\SAM.LOG

Warning: Open File Failed for C:\WINNT\system32\config\SECURITY

Warning: Open File Failed for C:\WINNT\system32\config\SECURITY.LOG

Warning: Open File Failed for C:\WINNT\system32\config\SOFTWARE

Warning: Open File Failed for C:\WINNT\system32\config\software.LOG

Warning: Open File Failed for C:\WINNT\system32\config\SYSTEM

Warning: Open File Failed for C:\WINNT\system32\config\SYSTEM.ALT

Warning: Open File Failed for C:\WINNT\system32\Perflib_Perfdata_404.dat


Can someone please help? It's now installing applications on my system.

It's getting to the point where I will have to format and reinstall Windows.


Tried KillBox on C:\:mmtaky.tsk. I understand it should put the file in a submit folder? Didn't see one. Didn't see any *.tsk files except for three copies of mmtsk.tsk (sp?), anyway a different spelling.

Tried booting an NTFS reader from CD and looked at c:\, c:\winnt and c:\winnt\system. Didn't see anything like :mmtaky.tsk.

I'm now doing a search from the NTFS program for *.tsk. So far just the three mmtsk.tsk files. OK, it's done. No mmtaky.tsk.

So let's summarize what we know:

1) When we delete the Windows key it comes back along with AppInit_DLLs.

2) A hive of the AppInit_DLLs shows C:\:mmtaky.tsk

3) Can't see a :mmtaky.tsk file anywhere on the disk even if we boot off a CD image and use a DOS-based NTFS reader.

4) Cleaning up the registry entries of the random dlls, etc. with Ad-Aware makes it appear that everything is clean, but the home page hijack comes back.

5) Now a casino program icon has installed itself on the desktop and in a programs\ folder and is starting up on boot. Its window is always-on-top so I can't see my work.


Ran Ad-Aware with the latest ref file and a custom scan.

Here's the HJT log (BTW, no njheo.dll visible via Explorer):

 

Logfile of HijackThis v1.97.7

Scan saved at 11:28:20 PM, on 6/8/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\ati2evxx.exe

C:\PROGRA~1\Navnt\DefWatch.exe

C:\WINNT\System32\ec27ser.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\HPConfig.exe

C:\PROGRA~1\Navnt\rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\SavRoam.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\HpMmKbd.exe

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Motive\motmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Winamp3\winampa.exe

C:\PROGRA~1\Navnt\vptray.exe

C:\Program Files\CasinoOnline\CsRemnd.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\njheo.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net

*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;

6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s

gate35.apps.hp.com;<local>

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [iDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe

O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/

O16 - DPF: HPVC component - http://vrm10.win2000.hpe-learning.com/hpvc...onent401131.cab

O16 - DPF: HPVC resources - http://vrm10.win2000.hpe-learning.com/hpvc...ources40147.cab

O16 - DPF: HPVC signed - http://vrm10.win2000.hpe-learning.com/hpvc...signed40139.cab

O16 - DPF: HPVC support - http://vrm10.win2000.hpe-learning.com/hpvc...support4016.cab

O16 - DPF: HPVC vminfo - http://vrm10.win2000.hpe-learning.com/Room...ents/vminfo.cab

O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win2000.hpe-learning.com/Room...c/HPPptDrop.CAB

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com/client/latest/webex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net


Download this file from http://downloads.subratam.org/dllfix.exe.

Preferably to the Desktop. Double click on it and, it being a self-extractor, it will create its own folder. Run Start.Bat from there. Run Option 1, which is "Run Find-All...". Let it complete and there will be a pop-up window with a log.

Post that log here.

[ Tutorial - http://forums.subratam.org/index.php?showtopic=583 with screenshots for better understanding. Follow up to step 5 ]

Regards


Done. Here is the output.txt log

 

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--

--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

 

Wed 06/09/2004

12:01a

 

System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "E-Client" (E4D0:E84A) - FS:NTFS clusters:512

Total: 19 980 656 128 [19G] - Free: 3 051 783 680 [2.8G]

 

 

*IE version and Service packs:

5.51.4807.2300 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.0.2140.1 C:\WINNT\system32\notepad.exe

5.0.2140.1 C:\WINNT\notepad.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP2;Q832894;Q837009;

 

 

 

Locked or 'Suspect' file(s) found...

 

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read Everyone

(ID-IO) ALLOW Read Everyone

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read Everyone

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 


My \winnt directory has a filename with unicode characters that "can't be converted to character set default".

That can't be good.


After the latest casino online reappearance:

Logfile of HijackThis v1.97.7

Scan saved at 9:59:35 AM, on 6/14/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\ati2evxx.exe

C:\PROGRA~1\Navnt\DefWatch.exe

C:\WINNT\System32\ec27ser.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\HPConfig.exe

C:\PROGRA~1\Navnt\rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\SavRoam.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\HpMmKbd.exe

C:\Program Files\Motive\motmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\System32\hphmon04.exe

C:\Program Files\Winamp3\winampa.exe

C:\PROGRA~1\Navnt\vptray.exe

C:\Program Files\CasinoOnline\CsRemnd.exe

C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Documents and Settings\rhv\My Documents\Zips\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/portal/index.jsp

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://portico.hp.com/search

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ocidc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.boi.hp.com;*.core.hp.com;*.corp.hp.com;*.cpqcei.net;*.cpqcorp.net

*.cup.hp.com;*.qweb.cpqcorp.net;127.0.0.1;16.47.150.160;16.47.32.59;16.47.96.66;

6.47.96.73;16.47.96.79;;everest.cs.itc.hp;everest.cs.itc.hp.com;mtrhorn.hp.com;s

gate35.apps.hp.com;<local>

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {DB176F26-877C-4ABF-9317-A7AB7B8F4328} - C:\WINNT\system32\ocidc.dll (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [iDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe

O4 - HKLM\..\Run: [RunDelayExpOut] C:\data\ms\sp1\RunDelay\rundelay.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com/

O16 - DPF: HPVC component - http://vrm10.win2000.hpe-learning.com/hpvc...onent401131.cab

O16 - DPF: HPVC resources - http://vrm10.win2000.hpe-learning.com/hpvc...ources40147.cab

O16 - DPF: HPVC signed - http://vrm10.win2000.hpe-learning.com/hpvc...signed40139.cab

O16 - DPF: HPVC support - http://vrm10.win2000.hpe-learning.com/hpvc...support4016.cab

O16 - DPF: HPVC vminfo - http://vrm10.win2000.hpe-learning.com/Room...ents/vminfo.cab

O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - https://vrm08.win2000.hpe-learning.com/Room...c/HPPptDrop.CAB

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hp.webex.com/client/latest/webex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{99647FA2-A2E0-406E-B6AC-3F7959BEDDBE}: NameServer = 15.243.128.51,15.243.160.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{F26DCFFE-F471-4AAC-AF60-12CDE9C03054}: Domain = atl.hp.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.hp.com,americas.hpqcorp.net,americas.cpqcorp.net,hpqcorp.net,cpqcorp.net
