KingCrimson

Cannot run CWShredder or HijackThis

21 posts in this topic

Alright. It's become apparent that I have some version of CWS and maybe something else on my computer. My homepage keeps being reset to "res://mshp.dll/index.html#10213" or something similar. It's making not only my IE run incredibly slowly, but seemingly my entire system as well, even with IE closed. In addition, I'm having troubles running both HijackThis and CWShredder. They both downloaded fine, but whenever I double-click the icons, it will load for a second and then nothing will happen. I've tried this with both programs dozens of times and always the same results. Also, I downloaded Spybot S&D and Ad-Aware, but there are errors whenever I try to install them. The only anti-spyware program I have that runs properly is BHO Demon, and the results from that showed that I had some CWS variant.

 

However, despite the problems I've had running my anti-spyware programs, I don't think a "Hijacker Defender" is on my computer, because I am not blocked from going to related websites and I can at least access my anti-spyware programs. But, the problem still remains that they won't run. Does anyone know what I possibly have on my computer that's causing this and any way to fix it?

 

Since I can't run HijackThis, I'll show you my BHO Demon results, for what it's worth:

AcroIEHelper.dll

submithook.dll

googletoolbar1.dll

sysym.dll

mssearch.dll

msiesh.dll

(there are also CLSID codes next to each DLL name, but I won't bother including those right now)


I tried running CWShredder and HijackThis in Safe Mode and they still wouldn't work. I've deleted and re-downloaded both of the programs a bunch of times too. But always the same problem. Does anyone know what's wrong?


If it helps, I have a few other symptoms that I think may be a result of whatever I have on my computer. Some of these may not have anything to do with it, but all of these problems never occurred until the other symptoms of the Malware were spotted.

 

-Whenever I try to install any program, I get an error saying:

 

"Setup was unable to create the directory [something in my 'Temp' folder].

 

Error 82: The directory or file cannot be created."

 

-Other occasions where a file has to be created in the "Temp" folder, I get similar Errors as the one above.

 

-Also, I keep getting occasional popups for multiple different things whenever I go to certain sites. The popups always get past my Google Toolbar popup blocker and are always titled "Only the Best".

 

-Some porn sites keep being added to my IE Favorites occasionally.

 

-I don't know if this has anything to do with the Malware on my computer, but Microsoft Word is no longer working correctly. I keep getting errors that involve the template "Normal". And I am only allowed to open Word files as Read-Only.

 

-I cannot run Adobe Photoshop. Another thing that may not have to do with the Malware.

 

-Every time I shut down or restart my computer, there is a problem ending MSN Messenger. I always have to hit the "End Now" button in a little window for MSN Messenger whenever I shut down.

 

Like I said before, I'm not entirely sure if any of these problems have to do with the Malware on my computer. But I thought I'd share them, since these problems didn't exist until I noticed other symptoms. Also, I ran a Sophos Anti-Virus scan and it found no viruses on my computer. If I come up with any more clues as to what may be on my computer I'll post them here. And since I can't run HijackThis, does anyone know of any kind of log that I CAN post that may provide some more clues? Any help would be much appreciated. Thanks.


Okay, I fixed some things in my system and was finally able to run CWShredder and HijackThis. Now, I've run CWShredder and it removed "Winshow". However, whenever I open IE, the same variant of CWS returns. I keep removing it, but it keeps coming back. Can anyone help me with this? I can run HijackThis now, so I can show you my log if you ask me to. Thanks.


KingCrimson

 

Yes please post the Hijack This log here.

Before that, run an online virus scan.

_______

Wiskonst


Well, here's my HijackThis log. I've noticed lately that things are getting a little worse on my computer. It's become apparent that there's more than just CWS on there. A couple days back I suddenly started getting bombarded with more and more popups, desktop icons, new folders in my C:/ and registry. I'm not sure what caused this sudden surge of new problems, but they're there. But whatever. I hope this can help save my computer.

 

And I tried running that "online virus scan", but whenever I did, IE would have some error and close. So, that part I couldn't do.

 

Anyway, here it is...

 

Logfile of HijackThis v1.97.7

Scan saved at 7:30:49 PM, on 6/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE

C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\sdknl.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\znhpom.exe

C:\windows\temp\R.exe

C:\WINDOWS\sdkxm.exe

C:\WINDOWS\System32\IEHost.exe

C:\WINDOWS\System32\dp-him.exe

C:\Program Files\Common Files\slmss\slmss.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\uticbcp.exe

C:\Program Files\AutoUpdate\AutoUpdate.exe

C:\Program Files\SETI@home\SETI@home.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\System32\vbaogsvc.exe

C:\Program Files\Sophos SWEEP for NT\ICMON.EXE

C:\Program Files\STC\ClrSchP070.exe

C:\WINDOWS\System32\RUNDLL32.exe

C:\Program Files\Hijacker Log\Hijacker Log.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpyha.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpyha.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vpyha.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll

O2 - BHO: (no name) - {E744D294-2AA6-B5FC-A3C2-48601F4CDCDD} - C:\WINDOWS\mfcdo32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\Run: [pbhnqbjnwhag] C:\WINDOWS\System32\znhpom.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [R] C:\windows\temp\R.exe

O4 - HKLM\..\Run: [sdkxm.exe] C:\WINDOWS\sdkxm.exe

O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

O4 - HKLM\..\Run: [x38T36V] uticbcp.exe

O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [g0r3RWZmW] vbaogsvc.exe

O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: InterCheck Monitor.LNK = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Sidesearch (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab

O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?38141.0128125

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


KingCrimson

 

You have a reinstalling variant of Coolwebsearch (and a number of other nasties).

Probably CWS is hindering the virus scan.

 

Could you download dllfix and unzip it to a folder (the download is a self-unzipper). Run Start.bat by double-clicking it.

Choose option 1 (Find All). It will produce a textfile.

Please post the textfile here.

_______

Wiskonst


Every time I click the "dllfix" link, I get a "HTTP 404 Not Found"/"The page cannot be displayed" window.

 

I get an error if I try "Save target as..." too.


KingCrimson

 

The link is dead. And a second one I checked too.

Please download Find All then and unzip it to a folder. Run Find_All.bat by double-clicking.

Post the textfile it produces.

_______

Wiskonst


Okay, this is what it produced. I hope it's right:

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10.1 -6/10 @@@***==--

 

»»»»»»Find-All recent updates:»»»»»»

*Size of Windows key

*Winlogon\notify

*UserInit value

*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)

*Versions of major keys and windows files

*list of active services and drivers (\'FilesList')

*Note:

If using 'Find-All' to clean, be sure to include the link to your

post in the forum!! (I keep recieving files I don't know where they came from...0-0...)

*Note: Reg backup restore will not work if current user

doesn't have 'Admin privileges'! (view »»Group/user section)

 

 

Fri Jun 18 16:36:17 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (8424:13E0) - FS:FAT clusters:16k

Total: 29 999 333 376 [28G] - Free: 4 593 385 472 [4.3G]

 

 

»»IE version and Service packs:

6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2600.0 shp 91,136 08-23-2001 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;Q328676;Q323759;Q324929;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1120 shp 4,639 08-23-2001 mplayer2.exe

 

»»M$Java version:

 

»»NotePad(s) version(s):

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

 

»» Regedit* version(s):

5.1.2600.0 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.0 shp 134,144 08-23-2001 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe

 

 

»»PC uptime:

4:36pm up 0 days, 0:13

 

»»Locked or 'Suspect' file(s) found...

 

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Tasks (services):

0 System Process

4 System

428 SMSS.EXE

492 CSRSS.EXE Title:

516 WINLOGON.EXE Title: NetDDE Agent

560 SERVICES.EXE Svcs: Eventlog,PlugPlay

572 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

732 SVCHOST.EXE Svcs: RpcSs

804 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa

tibility,helpsvc,HidServ,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasA

uto,RasMan,Schedule,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,Trk

Wks,uploadmgr

900 SVCHOST.EXE Svcs: Dnscache

912 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient

1084 SPOOLSV.EXE Svcs: Spooler

1236 ATI2EVXX.EXE Svcs: Ati HotKey Poller

1312 SVCHOST.EXE Svcs: stisvc

1332 SWNETSUP.EXE Svcs: SweepNet

1364 SWEEPSRV.SYS Svcs: SWEEPSRV.SYS

1536 MsPMSPSv.exe Svcs: WMDM PMSP Service

1684 EXPLORER.EXE Title: Program Manager

1816 SDKNL.EXE Svcs: __NS_Service_2

1896 CTHELPER.EXE Title: CtHelper

1956 ATIPTAXX.EXE Title: ATI Tray Icon Application

2004 P2P Networking.eP2P Networking UpdateTitle: P2P Networking Update

2024 RUNDLL32.EXE Title:

2044 znhpom.exe Title: OleMainThreadWndName

168 R.exe Title:

184 SDKXM.EXE

304 IEHost.EXE Title: MCI command handling window

684 dp-him.exe Title:

744 RUNDLL32.EXE Title:

776 uticbcp.exe

976 AutoUpdate.exe

1140 pcsvc.exe Title:

896 dpi.exe Title:

1180 updmgr.exe Title:

1296 SETI@home.exe Title: SETI@Home Client

1260 MSNMSGR.EXE Title: Starfire - Conversation

1568 AIM.EXE Title:

1556 vbaogsvc.exe

1560 ICMON.EXE Title: InterCheck Monitor

2400 RUNDLL32.EXE Title:

3240 iexplore.exe Title: SWI Forums -> Cannot run CWShredder or HijackThis - Microsoft Internet Explorer

3896 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3972 ntvdm.exe

4052 iexplore.exe Title:

616 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ReadMe-BHODemon]

@="This BHO has been enabled by BHODemon."

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E744D294-2AA6-B5FC-A3C2-48601F4CDCDD}]

@=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»UserInit value:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

 

5.1.2600.0 C:\WINDOWS\System32\userinit.exe

--a-- W32i APP ENU 5.1.2600.0 shp 21,504 08-23-2001 userinit.exe

 

»»Group/user settings:

 

 

User: [TYLER\Tyler Oas], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group TYLER\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx No permissions are set. All user have full control.

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

File not found - C:\WINDOWS\System32\Drivers\etc\hosts

------

»»Rehash:

 

»Strings found:

 

Fri Jun 18 16:36:48 2004 -- ++Find-All backups:

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-18-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 594 06-18-2004 findallappinit.reg

A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\winBackup.hiv

A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\Fileslist\modules.txt

A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\Fileslist\services.txt

A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\Fileslist\drivers.txt

A C:\DOCUME~1\TYLERO~1\MYDOCU~1\Find-All\Fileslist\windows.txt

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Download the Killbox and unzip it to a folder.

Run the Killbox without having any browser windows open.

In the box 'Paste full path of file to delete' copy and paste 'C:\WINDOWS\mfcdo32.dll' (without quotes). In the Action menu, choose Delete on reboot. A panel called 'PendingFilerenameOperations' opens. Here, in the File menu, choose Add File. The mfcdo32.DLL file will be added. Now, in the Action menu, choose 'Process and Reboot'.

When asked to reboot click OK.

 

After the reboot go to Task Manager and finish the following processes if you find them running:

- C:\WINDOWS\system32\sdknl.exe

- C:\WINDOWS\System32\znhpom.exe

- C:\windows\temp\R.exe

- C:\WINDOWS\sdkxm.exe

- C:\WINDOWS\System32\IEHost.exe

- C:\WINDOWS\System32\dp-him.exe

- C:\Program Files\Common Files\slmss\slmss.exe

- C:\WINDOWS\System32\uticbcp.exe

- C:\Program Files\STC\ClrSchP070.exe

 

Then run CWShredder and let it do a fix.

 

Then fix from Hijack This these lines if they are still there:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpyha.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpyha.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vpyha.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {E744D294-2AA6-B5FC-A3C2-48601F4CDCDD} - C:\WINDOWS\mfcdo32.dll

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\Run: [pbhnqbjnwhag] C:\WINDOWS\System32\znhpom.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [R] C:\windows\temp\R.exe

O4 - HKLM\..\Run: [sdkxm.exe] C:\WINDOWS\sdkxm.exe

O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

O4 - HKLM\..\Run: [x38T36V] uticbcp.exe

O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [g0r3RWZmW] vbaogsvc.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: PowerReg Scheduler.exe

O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab

 

Do this by closing all browser windows, placing a checkmark in front of the above items and clicking the Fix-button.

 

Then please post a fresh Hijack This log.

_______

Wiskonst

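A first-pass triage of HijackThis lines like the ones Wiskonst picked out above, written as an added example for this thread (it is not HijackThis, CWShredder or Wiskonst's own tooling): it flags R0/R1 pages served out of a DLL via res://, BHOs loaded straight from the Windows folder, and Run entries that launch from Temp, by bare file name or under a GUID-named value. The sample log and the small allowlist are constructed from this thread's first log; the scoring is a heuristic for what to look at first, not a verdict.

```python
"""Triage a HijackThis v1.97 log for CoolWebSearch-style indicators.

Added example for this thread (not HijackThis, CWShredder or Wiskonst's
tooling).  Flags the patterns a helper reads first: R0/R1 pages served out
of a DLL via res://, BHOs loaded from the Windows folder, and O4 Run
entries launching from Temp, by bare file name, or under a GUID value.
"""
import re

# Constructed allowlist for the demo: files the thread treats as legitimate.
KNOWN_GOOD = {"googletoolbar1.dll", "acroiehelper.dll", "msdxm.ocx"}

R_LINE = re.compile(r"^R[013] - (?P<rest>.*)$")
RES_DLL = re.compile(r"res://(?:[^/]*\\)?(?P<dll>[^/\\]+\.dll)/", re.I)
BHO_LINE = re.compile(r"^O2 - BHO: .*? - \{[0-9a-f-]{36}\} - (?P<path>.*)$", re.I)
RUN_LINE = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A file sitting directly in C:\WINDOWS or System32 rather than under Program Files.
WINDIR_FILE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+\.(?:exe|dll)$", re.I)
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)


def launched_file(cmd):
    """Return the file a Run value really launches: the .exe, or for a
    rundll32 command the DLL it loads (quoted or unquoted paths)."""
    m = re.match(r'^"?(?P<prog>[^"]*?\.exe)"?\s*(?P<args>.*)$', cmd.strip(), re.I)
    if not m:
        return cmd.strip()
    prog, args = m.group("prog"), m.group("args")
    if prog.lower().endswith("rundll32.exe"):
        d = re.match(r'^"?(?P<dll>[^",]*?\.dll)', args, re.I)
        if d:
            return d.group("dll")
    return prog


def triage_line(line):
    """Return (severity, reason) for one log line, or None when the line
    is a type this demo does not inspect or looks benign."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        d = RES_DLL.search(m.group("rest"))
        if d and d.group("dll").lower() not in KNOWN_GOOD:
            return "HIGH", f"IE page served from DLL resource {d.group('dll')} (CWS pattern)"
        return None
    m = BHO_LINE.match(line)
    if m:
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        if name not in KNOWN_GOOD and WINDIR_FILE.match(path):
            return "MEDIUM", f"BHO {name} loaded directly from the Windows folder"
        return None
    m = RUN_LINE.match(line)
    if m:
        key, target = m.group("key"), launched_file(m.group("cmd"))
        if "\\temp\\" in target.lower():
            return "HIGH", f"{key} entry launches from a Temp folder: {target}"
        if "\\" not in target and key == "Run":
            # Bare names resolve through the search path; the thread leaves
            # CTHELPER.EXE alone but fixes uticbcp.exe, so a human decides.
            return "MEDIUM", f"Run entry uses a bare file name, location hidden: {target}"
        if GUID.match(m.group("name")):
            return "MEDIUM", f"Run entry named by a GUID: {target}"
        if key == "RunOnce":
            return "LOW", f"RunOnce entry present at scan time (re-created each boot?): {target}"
        if WINDIR_FILE.match(target) and target.rsplit("\\", 1)[-1].lower() not in KNOWN_GOOD:
            return "MEDIUM", f"Run entry launches a file from the Windows folder: {target}"
    return None


def triage_log(text):
    """Triage every line of a log; returns (severity, reason, line) tuples,
    highest severity first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample: a subset of the lines from the first log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vpyha.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vpyha.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {E744D294-2AA6-B5FC-A3C2-48601F4CDCDD} - C:\WINDOWS\mfcdo32.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [R] C:\windows\temp\R.exe
O4 - HKLM\..\Run: [x38T36V] uticbcp.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""

if __name__ == "__main__":
    for sev, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{sev}] {reason}\n    {line}")
```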

Thanks for all this. I think it's starting to work better already. Here's my new HijackThis Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 2:48:47 PM, on 6/21/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE

C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\msmj.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

C:\Program Files\Common Files\Dpi\dpi.exe

C:\Program Files\Common files\updmgr\updmgr.exe

C:\WINDOWS\System32\uticbcp.exe

C:\WINDOWS\system32\crmh.exe

C:\Program Files\SETI@home\SETI@home.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Sophos SWEEP for NT\ICMON.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Hijacker Log\Hijack This.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrzji.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrzji.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrzji.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrzji.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nrzji.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nrzji.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll

O2 - BHO: (no name) - {C17618EA-80F0-B763-1419-F55243440287} - C:\WINDOWS\system32\sysjl32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [AutoLoaderxwrv1IIkNRLP] "C:\WINDOWS\System32\uticbcp.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [crmh.exe] C:\WINDOWS\system32\crmh.exe

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu

O4 - HKLM\..\RunOnce: [msmj.exe] C:\WINDOWS\msmj.exe

O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe

O4 - HKLM\..\RunOnce: [sdkph32.exe] C:\WINDOWS\sdkph32.exe

O4 - HKLM\..\RunOnce: [appmf.exe] C:\WINDOWS\appmf.exe

O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\system32\ntoa.exe

O4 - HKLM\..\RunOnce: [d3se32.exe] C:\WINDOWS\system32\d3se32.exe

O4 - HKLM\..\RunOnce: [winjl.exe] C:\WINDOWS\system32\winjl.exe

O4 - HKLM\..\RunOnce: [msbi.exe] C:\WINDOWS\system32\msbi.exe

O4 - HKLM\..\RunOnce: [addkb32.exe] C:\WINDOWS\system32\addkb32.exe

O4 - HKLM\..\RunOnce: [mfcyj32.exe] C:\WINDOWS\mfcyj32.exe

O4 - HKLM\..\RunOnce: [nten32.exe] C:\WINDOWS\system32\nten32.exe

O4 - HKLM\..\RunOnce: [javaoi32.exe] C:\WINDOWS\javaoi32.exe

O4 - HKLM\..\RunOnce: [crni.exe] C:\WINDOWS\system32\crni.exe

O4 - HKLM\..\RunOnce: [crwo32.exe] C:\WINDOWS\crwo32.exe

O4 - HKLM\..\RunOnce: [msgj32.exe] C:\WINDOWS\msgj32.exe

O4 - HKLM\..\RunOnce: [sysrg.exe] C:\WINDOWS\sysrg.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Global Startup: InterCheck Monitor.LNK = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Sidesearch (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?38141.0128125

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


KingCrimson

 

Some trojans have disappeared but a number remain.

Please download The Cleaner, install it with the latest database and let it do a scan.

 

The Coolwebsearch reinstaller came back under another name.

We must restrain it by locking the BHO registry keys.

 

Please do the following with all browser windows closed:

Go to Start > Run and type 'regedt32' (without quotes).

Select window 'HKEY_LOCAL_MACHINE'.

In the left pane browse to Software > Microsoft > Windows > CurrentVersion > Explorer by double-clicking on these items consecutively.

In Explorer select 'Browser Helper Objects'.

In menu Security choose Edit Permissions. A panel appears.

The upper listpane in the panel must be empty. If it is not, select the lines one by one and click the Remove button at the right until the pane is empty.

Then click the Advanced button below. A second panel appears.

Here uncheck 'Inherit from parents the permissions ...' and click OK.

In the main dialog also uncheck 'Inherit from parents ...' and click OK.

Close Regedt32.

 

Then could you do the same operation with Killbox but now for 'C:\WINDOWS\system32\sysjl32.dll' ?

(Paste in box 'Paste full path ...' till Process and Reboot, see previous post).

 

Please post a new Hijack This log.

_______

Wiskonst

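An added example (not code from this thread or from HijackThis) that parses the log format posted above and automates the comparison the helper makes by eye: which entries disappeared between two logs, and which remaining entries match the patterns acted on in this thread (res:// page redirects into a local DLL, an unnamed BHO in System32, bare executables autorun from the Windows directory). The sample lines are excerpts copied from the logs in this thread; the flagging rules are heuristics assumed for the example, not HijackThis's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts of the two HijackThis logs posted above (lines copied from
# this thread; neither excerpt is a complete log). The layout is HijackThis's own.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrzji.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrzji.dll/index.html#37049
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {C17618EA-80F0-B763-1419-F55243440287} - C:\WINDOWS\system32\sysjl32.dll
O4 - HKLM\..\Run: [crmh.exe] C:\WINDOWS\system32\crmh.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [msmj.exe] C:\WINDOWS\msmj.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suikonline.net/
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [msmj.exe] C:\WINDOWS\msmj.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
"""

# "R0 - ..." / "O4 - ..." entry lines; process listings and headers are ignored.
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Heuristic (an assumption for this example): a short, generically named executable
# sitting directly in the Windows or System32 directory and launched on its own.
BARE_SYSTEM_EXE = re.compile(r'^"?C:\\WINDOWS\\(system32\\)?[A-Za-z0-9]{3,8}\.exe"?$', re.I)

def parse(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def flag(sec: str, body: str) -> Optional[str]:
    """Heuristic reason an entry deserves a look, or None; mirrors what was acted on above."""
    if sec in ("R0", "R1") and "res://" in body:
        return "IE start/search page redirected into a local DLL resource"
    if sec == "O2" and body.startswith("BHO: (no name)") and "\\system32\\" in body.lower():
        return "unnamed BHO loaded from System32"
    if sec == "O4":
        command = body.split("] ", 1)[-1]  # text after the [Name] tag
        if BARE_SYSTEM_EXE.match(command):
            return "autorun of a bare executable in the Windows directory"
    return None

def suspicious(log: str) -> List[Tuple[str, str]]:
    """All flagged entries of a log as (entry line, reason)."""
    found = []
    for sec, body in parse(log):
        reason = flag(sec, body)
        if reason:
            found.append((f"{sec} - {body}", reason))
    return found

def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Which entries vanished, appeared, or survived between two logs."""
    old = {f"{s} - {b}" for s, b in parse(before)}
    new = {f"{s} - {b}" for s, b in parse(after)}
    return {"removed": sorted(old - new), "added": sorted(new - old), "kept": sorted(old & new)}

if __name__ == "__main__":
    for entry, reason in suspicious(LOG_AFTER):
        print(f"STILL PRESENT: {entry}\n    -> {reason}")
    for key, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}: {len(lines)} entries")
```

The Google Toolbar BHO in c:\windows is deliberately left unflagged by the System32 rule: a heuristic like this only produces candidates for a human to confirm, as the helper does in the thread.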

Okay, did all you said. Here's my new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:36:12 AM, on 6/22/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE

C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\msmj.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\SETI@home\SETI@home.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Hijacker Log\Hijack This.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suikonline.net/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu

O4 - HKLM\..\RunOnce: [msmj.exe] C:\WINDOWS\msmj.exe

O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe

O4 - HKLM\..\RunOnce: [sdkph32.exe] C:\WINDOWS\sdkph32.exe

O4 - HKLM\..\RunOnce: [appmf.exe] C:\WINDOWS\appmf.exe

O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\system32\ntoa.exe

O4 - HKLM\..\RunOnce: [d3se32.exe] C:\WINDOWS\system32\d3se32.exe

O4 - HKLM\..\RunOnce: [winjl.exe] C:\WINDOWS\system32\winjl.exe

O4 - HKLM\..\RunOnce: [msbi.exe] C:\WINDOWS\system32\msbi.exe

O4 - HKLM\..\RunOnce: [addkb32.exe] C:\WINDOWS\system32\addkb32.exe

O4 - HKLM\..\RunOnce: [mfcyj32.exe] C:\WINDOWS\mfcyj32.exe

O4 - HKLM\..\RunOnce: [nten32.exe] C:\WINDOWS\system32\nten32.exe

O4 - HKLM\..\RunOnce: [javaoi32.exe] C:\WINDOWS\javaoi32.exe

O4 - HKLM\..\RunOnce: [crni.exe] C:\WINDOWS\system32\crni.exe

O4 - HKLM\..\RunOnce: [crwo32.exe] C:\WINDOWS\crwo32.exe

O4 - HKLM\..\RunOnce: [msgj32.exe] C:\WINDOWS\msgj32.exe

O4 - HKLM\..\RunOnce: [sysrg.exe] C:\WINDOWS\sysrg.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Sidesearch (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?38141.0128125

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

EDIT: Changed log posted. I posted the wrong one earlier.

Edited by KingCrimson


KingCrimson

 

OK, most of the hijack has gone now.

To be on the safe side, do the following:

 

Go to Task Manager and finish this process:

C:\WINDOWS\msmj.exe

If you still see it, this one too:

C:\WINDOWS\system32\crmh.exe

 

Go to Start > Run and type 'services.msc' (without quotes) and press Enter.

A window with a list of services comes up. In the right-hand pane in the first column click on the grey column header ('Name') to sort the list alphabetically.

Find the service named "Network Security Service". When found, select it and double-click on it. Click button Stop, and in dropdown menu Startup Type choose Disable. Then click OK and close the services window.

 

Then fix from Hijack This all Runonce entries (HKLM as well as HKCU), except:

O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu .

 

Then reboot.

 

As you have a fairly new type of Coolwebsearch, we would like to have copies of some files for analysis. If you have a zip facility, could you zip up the following files (make copies first):

- C:\WINDOWS\system32\sysjl32.dll

- C:\WINDOWS\nrzji.dll

- C:\WINDOWS\msmj.exe

- C:\WINDOWS\system32\crmh.exe

- C:\WINDOWS\system32\vpyha.dll

- C:\WINDOWS\mfcdo32.dll

Some of them may no longer be found.

I will PM you an e-mail address to send them to, if that's all right with you.

Thank you very much in advance.

 

Then please post one more Hijack This log.

A question: is www.suikonline.net the start page of your own choice?

_______

Wiskonst


Okay, first of all, the only ones of those files you mentioned that could be found were "C:\WINDOWS\msmj.exe" and "C:\WINDOWS\system32\crmh.exe", but I went ahead and zipped up copies of them like you said. When I used "The Cleaner" I think it deleted all the others. If not, then HijackThis maybe did it. And, yes, www.suikonline.net is a startpage of my own choosing. Finally, here is my latest HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 1:34:18 PM, on 6/22/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE

C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\SETI@home\SETI@home.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\RUNDLL32.exe

C:\WINDOWS\System32\RUNDLL32.exe

C:\Program Files\Hijacker Log\Hijack This.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suikonline.net/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Sidesearch (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?38141.0128125

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


KingCrimson

 

OK, the log is clean.

Time for the cleanup of the files.

 

Set Explorer to display hidden files and delete these files if you still find them:

C:\WINDOWS\msmj.exe

C:\WINDOWS\system32\crmh.exe

C:\WINDOWS\msmj.exe

C:\WINDOWS\system32\sysvy.exe

C:\WINDOWS\sdkph32.exe

C:\WINDOWS\appmf.exe

C:\WINDOWS\system32\ntoa.exe

C:\WINDOWS\system32\d3se32.exe

C:\WINDOWS\system32\winjl.exe

C:\WINDOWS\system32\msbi.exe

C:\WINDOWS\system32\addkb32.exe

C:\WINDOWS\mfcyj32.exe

C:\WINDOWS\system32\nten32.exe

C:\WINDOWS\javaoi32.exe

C:\WINDOWS\system32\crni.exe

C:\WINDOWS\crwo32.exe

C:\WINDOWS\msgj32.exe

C:\WINDOWS\sysrg.exe

C:\WINDOWS\nrzji.dll <-- this one I reckon should still be there

 

Also empty the temporary folders:

- C:\Windows\Temp

- C:\Documents and Settings\<name>\Local Settings\Temp

Empty the IE cache: menu Extra, Options, tab General, button Remove Files.

 

It may be advisable to run a fix with CWShredder and a scan with Ad Aware afterwards.

 

Then the BHO keys must be unlocked again, but I would not do so until after a couple of days, when you are sure nothing returns.

Then refer to these instructions to unlock the keys:

 

Start Regedt32 and browse to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer.

Select Browser Helper Objects. In menu Security choose Permissions.

In the dialog click the Advanced button and in the Advanced panel check 'Inherit from parents ...'. If the 'Inherit ...' box is already checked, first uncheck it; a dialog will appear with, among others, a button Copy. Click that; in the listpane above the same list of permission holders should appear as was previously there.

Now check the 'Inherit ...' box and click OK.

On the main panel select all entries in the listpane and at the 'Full Access' item check the left box. On the main panel also check 'Inherit ...'. Click OK and close Regedt32.

 

That should be it.

 

If I may give some general recommendations to prevent future hijacks:

 

First install Windows XP Service Pack 1 from here.

Activate Windows XP Firewall.

Programs that guard against browser hijacking are Spywareguard and Spywareblaster (both free).

Use IE Spyads to add a number of dangerous sites to the restricted zone of Internet Explorer.

 

Good luck

_______

Wiskonst

 


Okay. I found and deleted all the files you mentioned, except "C:\WINDOWS\nrzji.dll" which was not to be found.

 

As for the step "Empty the IE cache: menu Extra, Options, tab General, button Remove Files", I couldn't follow that exactly. Is that the same as this: menu Tools, Internet Options, tab General, button Delete Files...? Cause I did that instead. I'm pretty sure that empties the IE cache.

 

CWShredder said my system was clean after I ran a fix. And Ad-aware found and deleted a few little malware leftovers. Then when I ran an Ad-aware scan again, it found nothing.

 

As for unlocking the BHO's, I'll do as you recommend and wait a couple days on that.

 

Finally, thanks for everything you helped me with here. I've usually been able to delete Spyware and such on my own in the past, but this stuff I got recently was killer. I can't thank you enough for showing me how to get rid of it all. I'll follow your recommended preventative procedures and hopefully I'll never have to go through this again. Thanks again. :D


King Crimson

 

Just some small things:

If you did not install Lycos Sidesearch yourself, you may fix:

O9 - Extra button: Sidesearch (HKLM) .

WINDVDPatch is not necessary but can be a resource hog; to get rid of it fix:

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

 

That's all.

 

All the best

_______

Wiskonst
