Cannot run CWShredder or HijackThis

20 replies to this topic

#1 KingCrimson (Full Member, 15 posts)

Posted 26 May 2004 - 10:31 PM

Alright. It's become apparent that I have some version of CWS and maybe something else on my computer. My homepage keeps being reset to "res://mshp.dll/index.html#10213" or something similar. It's making not only my IE run incredibly slowly, but seemingly my entire system as well, even with IE closed. In addition, I'm having troubles running both HijackThis and CWShredder. They both downloaded fine, but whenever I double-click the icons, it will load for a second and then nothing will happen. I've tried this with both programs dozens of times and always the same results. Also, I downloaded Spybot S&D and Ad-Aware, but there are errors whenever I try to install them. The only anti-spyware program I have that runs properly is BHO Demon, and the results from that showed that I had some CWS variant.

However, despite the problems I've had running my anti-spyware programs, I don't think a "Hijacker Defender" is on my computer, because I am not blocked from going to related websites and I can at least access my anti-spyware programs. But, the problem still remains that they won't run. Does anyone know what I possibly have on my computer that's causing this and any way to fix it?

Since I can't run HijackThis, I'll show you my BHO Demon results, for what it's worth:
AcroIEHelper.dll
submithook.dll
googletoolbar1.dll
sysym.dll
mssearch.dll
msiesh.dll
(there's also CLSID codes next to each DLL name, but I won't bother including those right now)

#2 KingCrimson (Full Member, 15 posts)

Posted 29 May 2004 - 08:58 PM

I tried running CWShredder and HijackThis in Safe Mode and they still wouldn't work. I've deleted and re-downloaded both of the programs a bunch of times too. But always the same problem. Does anyone know what's wrong?

#3 KingCrimson (Full Member, 15 posts)

Posted 31 May 2004 - 07:32 PM

If it helps, I have a few other symptoms that I think may be a result of whatever I have on my computer. Some of these may not have anything to do with it, but none of these problems occurred until the other symptoms of the malware were spotted.

-Whenever I try to install any program, I get an error saying:

"Setup was unable to create the directory [something in my 'Temp' folder].

Error 82: The directory or file cannot be created."

-Other occasions where a file has to be created in the "Temp" folder, I get similar Errors as the one above.

-Also, I keep getting occasional popups for multiple different things whenever I go to certain sites. The popups always get past my Google Toolbar popup blocker and are always titled "Only the Best".

-Some porn sites keep being added to my IE Favorites occasionally.

-I don't know if this has anything to do with the Malware on my computer, but Microsoft Word is no longer working correctly. I keep getting errors that involve the template "Normal". And I am only allowed to open Word files as Read-Only.

-I cannot run Adobe Photoshop. Another thing that may not have to do with the Malware.

-Every time I shut down or restart my computer, there is a problem ending MSN Messenger. I always have to hit the "End Now" button in a little window for MSN Messenger whenever I shut down.

Like I said before, I'm not entirely sure if any of these problems have to do with the malware on my computer. But I thought I'd share them, since these problems didn't exist until I noticed other symptoms. Also, I ran a Sophos Anti-Virus scan and it found no viruses on my computer. If I come up with any more clues as to what may be on my computer I'll post them here. And since I can't run HijackThis, does anyone know of any kind of log that I CAN post that may provide some more clues? Any help would be much appreciated. Thanks.

#4 KingCrimson (Full Member, 15 posts)

Posted 02 June 2004 - 01:07 AM

bump

#5 KingCrimson (Full Member, 15 posts)

Posted 03 June 2004 - 08:28 PM

Okay, I fixed some things in my system and was finally able to run CWShredder and HijackThis. Now, I've run CWShredder and it removed "Winshow". However, whenever I open IE, the same variant of CWS returns. I keep removing it, but it keeps coming back. Can anyone help me with this? I can run HijackThis now, so I can show you my log if you ask me to. Thanks.

Edited by KingCrimson, 17 June 2004 - 06:45 PM.


#6 Wiskonst (Advanced Member, Helper, 152 posts)

Posted 05 June 2004 - 06:37 AM

KingCrimson

Yes, please post the Hijack This log here.
Before that, run an online virus scan.
_______
Wiskonst

#7 KingCrimson (Full Member, 15 posts)

Posted 17 June 2004 - 06:36 PM

Well, here's my HijackThis log. I've noticed lately that things are getting a little worse on my computer. It's become apparent that there's more than just CWS on there. A couple days back I suddenly started getting bombarded with more and more popups, desktop icons, new folders in my C:/ and registry. I'm not sure what caused this sudden surge of new problems, but they're there. But whatever. I hope this can help save my computer.

And I tried running that "online virus scan", but whenever I did, IE would have some error and close. So, that part I couldn't do.

Anyway, here it is...

Logfile of HijackThis v1.97.7
Scan saved at 7:30:49 PM, on 6/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\sdknl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\znhpom.exe
C:\windows\temp\R.exe
C:\WINDOWS\sdkxm.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\dp-him.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\uticbcp.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\vbaogsvc.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\STC\ClrSchP070.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Hijacker Log\Hijacker Log.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpyha.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpyha.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vpyha.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {E744D294-2AA6-B5FC-A3C2-48601F4CDCDD} - C:\WINDOWS\mfcdo32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [pbhnqbjnwhag] C:\WINDOWS\System32\znhpom.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [R] C:\windows\temp\R.exe
O4 - HKLM\..\Run: [sdkxm.exe] C:\WINDOWS\sdkxm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [x38T36V] uticbcp.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [g0r3RWZmW] vbaogsvc.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28177.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38141.0128125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by KingCrimson, 17 June 2004 - 06:44 PM.


#8 Wiskonst (Advanced Member, Helper, 152 posts)

Posted 17 June 2004 - 06:56 PM

KingCrimson

You have a reinstalling variant of CoolWebSearch (and a number of other nasties).
Probably CWS is hindering the virus scan.

Could you download dllfix and unzip it to a folder (the download is a self-unzipper). Run Start.bat by double-clicking it.
Choose option 1 (Find All). It will produce a text file.
Please post the text file here.
_______
Wiskonst

#9 KingCrimson (Full Member, 15 posts)

Posted 17 June 2004 - 07:02 PM

Every time I click the "dllfix" link, I get a "HTTP 404 Not Found"/"The page cannot be displayed" window.

I get an error if I try "Save target as..." too.

Edited by KingCrimson, 17 June 2004 - 11:36 PM.


#10 Wiskonst (Advanced Member, Helper, 152 posts)

Posted 18 June 2004 - 06:12 AM

KingCrimson

The link is dead, and a second one I checked is too.
Please download Find All instead and unzip it to a folder. Run Find_All.bat by double-clicking.
Post the text file it produces.
_______
Wiskonst

#11 KingCrimson (Full Member, 15 posts)

Posted 18 June 2004 - 03:40 PM

Okay, this is what it produced. I hope it's right:

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10.1 -6/10 @@@***==--

»»»»»»Find-All recent updates:»»»»»»
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep receiving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view »»Group/user section)


Fri Jun 18 16:36:17 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (8424:13E0) - FS:FAT clusters:16k
Total: 29 999 333 376 [28G] - Free: 4 593 385 472 [4.3G]


»»IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2600.0 shp 91,136 08-23-2001 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;Q328676;Q323759;Q324929;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1120 shp 4,639 08-23-2001 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s):
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.0 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.0 shp 134,144 08-23-2001 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe


»»PC uptime:
4:36pm up 0 days, 0:13

»»Locked or 'Suspect' file(s) found...

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Tasks (services):
0 System Process
4 System
428 SMSS.EXE
492 CSRSS.EXE Title:
516 WINLOGON.EXE Title: NetDDE Agent
560 SERVICES.EXE Svcs: Eventlog,PlugPlay
572 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
732 SVCHOST.EXE Svcs: RpcSs
804 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,HidServ,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr
900 SVCHOST.EXE Svcs: Dnscache
912 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1084 SPOOLSV.EXE Svcs: Spooler
1236 ATI2EVXX.EXE Svcs: Ati HotKey Poller
1312 SVCHOST.EXE Svcs: stisvc
1332 SWNETSUP.EXE Svcs: SweepNet
1364 SWEEPSRV.SYS Svcs: SWEEPSRV.SYS
1536 MsPMSPSv.exe Svcs: WMDM PMSP Service
1684 EXPLORER.EXE Title: Program Manager
1816 SDKNL.EXE Svcs: __NS_Service_2
1896 CTHELPER.EXE Title: CtHelper
1956 ATIPTAXX.EXE Title: ATI Tray Icon Application
2004 P2P Networking.eP2P Networking UpdateTitle: P2P Networking Update
2024 RUNDLL32.EXE Title:
2044 znhpom.exe Title: OleMainThreadWndName
168 R.exe Title:
184 SDKXM.EXE
304 IEHost.EXE Title: MCI command handling window
684 dp-him.exe Title:
744 RUNDLL32.EXE Title:
776 uticbcp.exe
976 AutoUpdate.exe
1140 pcsvc.exe Title:
896 dpi.exe Title:
1180 updmgr.exe Title:
1296 SETI@home.exe Title: SETI@Home Client
1260 MSNMSGR.EXE Title: Starfire - Conversation
1568 AIM.EXE Title:
1556 vbaogsvc.exe
1560 ICMON.EXE Title: InterCheck Monitor
2400 RUNDLL32.EXE Title:
3240 iexplore.exe Title: SWI Forums -> Cannot run CWShredder or HijackThis - Microsoft Internet Explorer
3896 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3972 ntvdm.exe
4052 iexplore.exe Title:
616 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ReadMe-BHODemon]
@="This BHO has been enabled by BHODemon."

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E744D294-2AA6-B5FC-A3C2-48601F4CDCDD}]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398


»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.0 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.0 shp 21,504 08-23-2001 userinit.exe

»»Group/user settings:


User: [TYLER\Tyler Oas], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group TYLER\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
File not found - C:\WINDOWS\System32\Drivers\etc\hosts
------
»»Rehash:

»Strings found:

Fri Jun 18 16:36:48 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-18-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 594 06-18-2004 findallappinit.reg
A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\winBackup.hiv
A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\Fileslist\modules.txt
A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\Fileslist\services.txt
A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\Fileslist\drivers.txt
A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\Fileslist\windows.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#12 KingCrimson (Full Member, 15 posts)

Posted 20 June 2004 - 12:59 AM

bump

#13 Wiskonst (Advanced Member, Helper, 152 posts)

Posted 20 June 2004 - 04:08 AM

Download the Killbox and unzip it to a folder.
Run the Killbox without having any browser windows open.
In the box 'Paste full path of file to delete' copy and paste 'C:\WINDOWS\mfcdo32.dll' (without quotes). In menu Action choose Delete on reboot. A panel called 'PendingFilerenameOperations' opens. Here in menu File choose Add File. The mfcdo32.DLL file will be added. Now in menu Action choose 'Process and Reboot'.
When asked to reboot click OK.

After the reboot go to Task Manager and finish the following processes if you find them running:
- C:\WINDOWS\system32\sdknl.exe
- C:\WINDOWS\System32\znhpom.exe
- C:\windows\temp\R.exe
- C:\WINDOWS\sdkxm.exe
- C:\WINDOWS\System32\IEHost.exe
- C:\WINDOWS\System32\dp-him.exe
- C:\Program Files\Common Files\slmss\slmss.exe
- C:\WINDOWS\System32\uticbcp.exe
- C:\Program Files\STC\ClrSchP070.exe

Then run CWShredder and let it do a fix.

Then fix from Hijack This these lines if they are still there:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpyha.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpyha.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vpyha.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {E744D294-2AA6-B5FC-A3C2-48601F4CDCDD} - C:\WINDOWS\mfcdo32.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [pbhnqbjnwhag] C:\WINDOWS\System32\znhpom.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [R] C:\windows\temp\R.exe
O4 - HKLM\..\Run: [sdkxm.exe] C:\WINDOWS\sdkxm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [x38T36V] uticbcp.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [g0r3RWZmW] vbaogsvc.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....wowbeta/si.cab

Do this by closing all browser windows, placing a checkmark in front of the above items and clicking the Fix-button.

Then please post a fresh Hijack This log.
_______
Wiskonst

#14 KingCrimson (Full Member, 15 posts)

Posted 21 June 2004 - 01:50 PM

Thanks for all this. I think it's starting to work better already. Here's my new HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 2:48:47 PM, on 6/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\msmj.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\WINDOWS\System32\uticbcp.exe
C:\WINDOWS\system32\crmh.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijacker Log\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrzji.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrzji.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrzji.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrzji.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nrzji.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nrzji.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {C17618EA-80F0-B763-1419-F55243440287} - C:\WINDOWS\system32\sysjl32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AutoLoaderxwrv1IIkNRLP] "C:\WINDOWS\System32\uticbcp.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [crmh.exe] C:\WINDOWS\system32\crmh.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [msmj.exe] C:\WINDOWS\msmj.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
O4 - HKLM\..\RunOnce: [sdkph32.exe] C:\WINDOWS\sdkph32.exe
O4 - HKLM\..\RunOnce: [appmf.exe] C:\WINDOWS\appmf.exe
O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\system32\ntoa.exe
O4 - HKLM\..\RunOnce: [d3se32.exe] C:\WINDOWS\system32\d3se32.exe
O4 - HKLM\..\RunOnce: [winjl.exe] C:\WINDOWS\system32\winjl.exe
O4 - HKLM\..\RunOnce: [msbi.exe] C:\WINDOWS\system32\msbi.exe
O4 - HKLM\..\RunOnce: [addkb32.exe] C:\WINDOWS\system32\addkb32.exe
O4 - HKLM\..\RunOnce: [mfcyj32.exe] C:\WINDOWS\mfcyj32.exe
O4 - HKLM\..\RunOnce: [nten32.exe] C:\WINDOWS\system32\nten32.exe
O4 - HKLM\..\RunOnce: [javaoi32.exe] C:\WINDOWS\javaoi32.exe
O4 - HKLM\..\RunOnce: [crni.exe] C:\WINDOWS\system32\crni.exe
O4 - HKLM\..\RunOnce: [crwo32.exe] C:\WINDOWS\crwo32.exe
O4 - HKLM\..\RunOnce: [msgj32.exe] C:\WINDOWS\msgj32.exe
O4 - HKLM\..\RunOnce: [sysrg.exe] C:\WINDOWS\sysrg.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28177.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38141.0128125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#15 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 21 June 2004 - 03:51 PM

KingCrimson

Some trojans have disappeared but a number remain.
Please download The Cleaner, install it with the latest database and let it do a scan.

The Coolwebsearch reinstaller came back under another name.
We must restrain it by locking the BHO registry keys.

Please do the following with all browser windows closed:
Go to Start > Run and type 'regedt32' (without quotes).
Select window 'HKEY_LOCAL_MACHINE'.
In the left pane browse to Software > Microsoft > Windows > CurrentVersion > Explorer by double-clicking on these items consecutively.
In Explorer select 'Browser Helper Objects'.
In menu Security choose Edit Permissions. A panel appears.
The upper list pane in the panel must be empty. If it is not, select the lines one by one and click the Remove button at the right until the pane is empty.
Then click the Advanced button below. A second panel appears.
Here uncheck 'Inherit from parents the permissions ...' and click OK.
In the main dialog also uncheck 'Inherit from parents ...' and click OK.
Close Regedt32.

Then could you do the same operation with Killbox but now for 'C:\WINDOWS\system32\sysjl32.dll' ?
(Paste in box 'Paste full path ...' till Process and Reboot, see previous post).

Please post a new Hijack This log.
_______
Wiskonst

#16 KingCrimson

KingCrimson

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 22 June 2004 - 03:07 AM

Okay, did all you said. Here's my new log:

Logfile of HijackThis v1.97.7
Scan saved at 4:36:12 AM, on 6/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\msmj.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hijacker Log\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suikonline.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [msmj.exe] C:\WINDOWS\msmj.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
O4 - HKLM\..\RunOnce: [sdkph32.exe] C:\WINDOWS\sdkph32.exe
O4 - HKLM\..\RunOnce: [appmf.exe] C:\WINDOWS\appmf.exe
O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\system32\ntoa.exe
O4 - HKLM\..\RunOnce: [d3se32.exe] C:\WINDOWS\system32\d3se32.exe
O4 - HKLM\..\RunOnce: [winjl.exe] C:\WINDOWS\system32\winjl.exe
O4 - HKLM\..\RunOnce: [msbi.exe] C:\WINDOWS\system32\msbi.exe
O4 - HKLM\..\RunOnce: [addkb32.exe] C:\WINDOWS\system32\addkb32.exe
O4 - HKLM\..\RunOnce: [mfcyj32.exe] C:\WINDOWS\mfcyj32.exe
O4 - HKLM\..\RunOnce: [nten32.exe] C:\WINDOWS\system32\nten32.exe
O4 - HKLM\..\RunOnce: [javaoi32.exe] C:\WINDOWS\javaoi32.exe
O4 - HKLM\..\RunOnce: [crni.exe] C:\WINDOWS\system32\crni.exe
O4 - HKLM\..\RunOnce: [crwo32.exe] C:\WINDOWS\crwo32.exe
O4 - HKLM\..\RunOnce: [msgj32.exe] C:\WINDOWS\msgj32.exe
O4 - HKLM\..\RunOnce: [sysrg.exe] C:\WINDOWS\sysrg.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28177.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38141.0128125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

EDIT: Changed log posted. I posted the wrong one earlier.

Edited by KingCrimson, 22 June 2004 - 03:38 AM.


#17 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 22 June 2004 - 06:05 AM

KingCrimson

OK, most of the hijack has gone now.
To be on the safe side, do the following:

Go to Task Manager and finish this process:
C:\WINDOWS\msmj.exe
If you still see it, this one too:
C:\WINDOWS\system32\crmh.exe

Go to Start > Run and type 'services.msc' (without quotes) and press Enter.
A window with a list of services comes up. In the right-hand pane, in the first column, click on the grey column header ('Name') to sort the list alphabetically.
Find the service named "Network Security Service". When found, select it and double-click on it. Click button Stop, and in dropdown menu Startup Type choose Disable. Then click OK and close the services window.

Then fix from Hijack This all Runonce entries (HKLM as well as HKCU), except:
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu .

Then reboot.

As you have a fairly new type of Coolwebsearch, we would like to have copies of some files for analysis. If you have a zip facility, could you zip up the following files (make copies first):
- C:\WINDOWS\system32\sysjl32.dll
- C:\WINDOWS\nrzji.dll
- C:\WINDOWS\msmj.exe
- C:\WINDOWS\system32\crmh.exe
- C:\WINDOWS\system32\vpyha.dll
- C:\WINDOWS\mfcdo32.dll
Some of them may no longer be found.
I will PM you an e-mail address to send them to, if that's all right with you.
Thank you very much in advance.

Then please post one more Hijack This log.
A question: is www.suikonline.net the start page of your own choice?
_______
Wiskonst
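As an added example (not HijackThis code and not the helper's own tool), a small Python triage script that applies the three signals used in this thread to HijackThis log lines: a res:// search or start page, an unnamed BHO loaded from the Windows directory, and any RunOnce entry other than WIAWizardMenu. The allowlist, the directory set and the severity levels are this example's own choices; the sample lines are copied from the logs above.

```python
"""Triage of HijackThis-style log lines for the CoolWebSearch patterns in this thread (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Only RunOnce label the helper said to keep; every other RunOnce entry is flagged (this example's assumption).
RUNONCE_ALLOWLIST = {"wiawizardmenu"}
# Directories the reinstaller dropped its randomly named EXEs and DLLs into.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?)\s*=\s*(?P<value>.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
RUN_LINE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")

@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str

def _image_path(cmd: str) -> str:
    """Executable path of a Run/RunOnce command: the quoted path, or the text before the first switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return re.split(r"\s+(?=[/-])", cmd, maxsplit=1)[0]

def _in_windows_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in WINDOWS_DIRS

def triage_line(line: str) -> Optional[Finding]:
    """Finding for a suspicious line; None for benign or unparsed lines."""
    line = line.strip()
    if m := R_LINE.match(line):
        if m["value"].lower().startswith("res://"):
            return Finding("high", f"res:// URL in {m['key']} (CoolWebSearch-style hijack)", line)
        return None
    if m := BHO_LINE.match(line):
        if m["name"] == "(no name)" and _in_windows_dir(m["path"]):
            return Finding("high", f"unnamed BHO loaded from {ntpath.dirname(m['path'])}", line)
        return None
    m = RUN_LINE.match(line)
    if m and m["key"].lower() == "runonce" and m["label"].lower() not in RUNONCE_ALLOWLIST:
        image = _image_path(m["cmd"])
        # The reinstaller's entries in this thread use the EXE's own file name as the label.
        label_is_filename = m["label"].lower() == ntpath.basename(image).lower()
        severity = "high" if _in_windows_dir(image) and label_is_filename else "medium"
        return Finding(severity, "RunOnce entry not on allowlist (re-persists on every boot)", line)
    return None

def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]

# Constructed sample: lines copied from the logs in this thread, benign and hijacked ones mixed.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nrzji.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suikonline.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C17618EA-80F0-B763-1419-F55243440287} - C:\WINDOWS\system32\sysjl32.dll
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [msmj.exe] C:\WINDOWS\msmj.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""
```

Calling `triage(SAMPLE_LOG)` returns five findings: the res:// search URL, the sysjl32.dll BHO and the two RunOnce droppers in the Windows directory as "high", the TV Media RunOnce entry as "medium".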

#18 KingCrimson

KingCrimson

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 22 June 2004 - 12:40 PM

Okay, first of all, the only ones of those files you mentioned that could be found were "C:\WINDOWS\msmj.exe" and "C:\WINDOWS\system32\crmh.exe", but I went ahead and zipped up copies of them like you said. When I used "The Cleaner" I think it deleted all the others. If not, then HijackThis maybe did it. And, yes, www.suikonline.net is a start page of my own choosing. Finally, here is my latest HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 1:34:18 PM, on 6/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Hijacker Log\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suikonline.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28177.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38141.0128125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#19 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 22 June 2004 - 02:23 PM

KingCrimson

OK, the log is clean.
Time for the cleanup of the files.

Set Explorer to display hidden files and delete these files if you still find them:
C:\WINDOWS\msmj.exe
C:\WINDOWS\system32\crmh.exe
C:\WINDOWS\msmj.exe
C:\WINDOWS\system32\sysvy.exe
C:\WINDOWS\sdkph32.exe
C:\WINDOWS\appmf.exe
C:\WINDOWS\system32\ntoa.exe
C:\WINDOWS\system32\d3se32.exe
C:\WINDOWS\system32\winjl.exe
C:\WINDOWS\system32\msbi.exe
C:\WINDOWS\system32\addkb32.exe
C:\WINDOWS\mfcyj32.exe
C:\WINDOWS\system32\nten32.exe
C:\WINDOWS\javaoi32.exe
C:\WINDOWS\system32\crni.exe
C:\WINDOWS\crwo32.exe
C:\WINDOWS\msgj32.exe
C:\WINDOWS\sysrg.exe
C:\WINDOWS\nrzji.dll <-- this one I reckon should still be there

Also empty the temporary folders:
- C:\Windows\Temp
- C:\Documents and Settings\<name>\Local Settings\Temp
Empty the IE cache: menu Extra, Options, tab General, button Remove Files.

It may be advisable to run a fix with CWShredder and a scan with Ad Aware afterwards.

Then the BHO keys must be unlocked again, but I would not do so until after a couple of days, when you are sure nothing returns.
Then refer to these instructions to unlock the keys:

Start Regedt32 and browse to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer.
Select Browser Helper Objects. In menu Security choose Permissions.
In the dialog click the Advanced button and in the Advanced panel check 'Inherit from parents ...'. If the 'Inherit ...' box is already checked, first uncheck it; a dialog will appear with, among others, a Copy button. Click that; in the list pane above, the same list of permission holders should appear as was previously there.
Now check the 'Inherit ...' box and click OK.
On the main panel select all entries in the list pane and at the 'Full Access' item check the left box. On the main panel also check 'Inherit ...'. Click OK and close Regedt32.

That should be it.

If I may give some general recommendations to prevent future hijacks:

First install Windows XP Service Pack 1 from here.
Activate Windows XP Firewall.
Programs that guard against browser hijacking are Spywareguard and Spywareblaster (both free).
Use IE Spyads to add a number of dangerous sites to the restricted zone of Internet Explorer.

Good luck
_______
Wiskonst


#20 KingCrimson

KingCrimson

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 22 June 2004 - 03:03 PM

Okay. I found and deleted all the files you mentioned, except "C:\WINDOWS\nrzji.dll" which was not to be found.

As for the step "Empty the IE cache: menu Extra, Options, tab General, button Remove Files", I couldn't follow that exactly. Is that the same as this: menu Tools, Internet Options, tab General, button Delete Files...? Cause I did that instead. I'm pretty sure that empties the IE cache.

CWShredder said my system was clean after I ran a fix. And Ad-aware found and deleted a few little malware leftovers. Then when I ran an Ad-aware scan again, it found nothing.

As for unlocking the BHO's, I'll do as you recommend and wait a couple days on that.

Finally, thanks for everything you helped me with here. I've usually been able to delete Spyware and such on my own in the past, but this stuff I got recently was killer. I can't thank you enough for showing me how to get rid of it all. I'll follow your recommended preventative procedures and hopefully I'll never have to go through this again. Thanks again. :D

#21 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 23 June 2004 - 04:46 PM

King Crimson

Just some small things:
If you did not install Lycos Sidesearch yourself, you may fix:
O9 - Extra button: Sidesearch (HKLM) .
WINDVDPatch is not necessary but can be a resource hog; to get rid of it fix:
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

That's all.

All the best
_______
Wiskonst



