a few problems

29 replies to this topic

#1 samantha34f (Full Member, 19 posts)

Posted 27 May 2004 - 08:33 AM

Hi - this is my first post in this forum.

I have the following problems (Windows XP Home Edition):

1. www.errorplace.com at least following 2 sites.
2. home page changing to: about:blank and the page is
SEARCH FOR ...
3. when I try one particular address
http://www.passwordfactory.com/forums/
the connection (ADSL) is always disconnecting
and I have to reconnect.


Help me - please.

Thanks in advance

#2 freeatlast (Retired Staff, 833 posts)

Posted 27 May 2004 - 08:50 AM

samantha34f wrote:
> Hi - this is my first post in this forum.
>
> I have the following problems (Windows XP Home Edition):
>
> 1. www.errorplace.com at least following 2 sites.
> 2. home page changing to: about:blank and the page is
>    SEARCH FOR ...
> 3. when I try one particular address
>    http://www.passwordfactory.com/forums/
>    the connection (ADSL) is always disconnecting
>    and I have to reconnect.
>
> Help me - please.
>
> Thanks in advance

For #1+2:

Download and unzip Find-All.zip:
http://freeatlast.10...om/Find-All.zip

Run Find-All.cmd, follow the instructions and post the log!

For #3... Umm :ph34r: You're better off.
Porn contents, extremely XXX-rated.

#3 samantha34f (Full Member, 19 posts)

Posted 27 May 2004 - 10:29 AM

Following is the log:

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--


Thu May 27 18:25:09 2004 -- ??Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
E: "" (7745:02C9) - FS:NTFS clusters:4k
Total: 40 328 511 488 [38G] - Free: 11 687 530 496 [11G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
6:25pm up 0 days, 3:14

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
640 smss.exe
688 csrss.exe Title:
712 winlogon.exe Title: NetDDE Agent
756 services.exe Svcs: Eventlog,PlugPlay
768 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
972 svchost.exe Svcs: RpcSs
1016 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl
1120 svchost.exe Svcs: Dnscache
1144 svchost.exe Svcs: LmHosts,SSDPSRV,upnphost,WebClient
1296 spoolsv.exe Svcs: Spooler
1436 alg.exe Svcs: ALG
1452 Crypserv.exe Svcs: Crypkey License
1540 GhostStartService.exeSvcs: GhostStartService
1704 nvsvc32.exe Svcs: NVSvc
1728 scardsvr.exe Svcs: SCardSvr
1760 slserv.exe Svcs: SLService
1840 SMAgent.exe Svcs: SoundMAX Agent Service (default)
1896 svchost.exe Svcs: stisvc
1920 Tmntsrv.exe Svcs: Tmntsrv
1968 WFXSVC.EXE Svcs: wfxsvc
2036 WFXMOD32.EXE Title: WinFax MOD - NetoDragon 56K Voice Modem
2040 explorer.exe Title: Program Manager
468 PCCPFW.exe Svcs: PCCPFW
532 SMax4PNP.exe Title: SMax4PNP
544 SMax4.exe Title: SoundMax4
556 pccguide.exe Title: PC-cillin Online Registration
568 PCCClient.exe Title: Update...
576 Pop3trap.exe Title: Virus Detected!
632 winh.exe
668 xPlC2.exe Title:
820 wupdater.exe Title:
1040 winampa.exe Title:
1080 pcnrl.exe Title:
1496 realsched.exe Title: Notification Wnd for RNAdmin
1560 omniscient.exe Title:
1692 ctfmon.exe Title:
2068 rundll32.exe Title: MediaCenter
2104 Popupkiller.exe Title: MCI command handling window
2116 iexplore.exe Title: Internet Explorer
2156 alarm.exe Title:
2216 mapiicon.exe Title: ADSL A2 ICON
2232 WFXCTL32.EXE Title:
2448 emule.exe Title:
2768 wuauclt.exe Title: Auto Update Client Window
2992 SecurityToolsObj.exeSvcs: SecurityToolsObj
2960 flashget.exe Title:
3128 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3376 ntvdm.exe
2952 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E33D2A9-EBA7-49D8-86EB-590187493C94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}]
"KeyVersion"="2.0.1"
"BHOVersion"="2.0.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E479EDE1-923E-11D3-B82B-00E09871521B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB512A7E-AE3E-46D2-97AE-EF17E8F18F26}]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
@="XMLMimeFilter MIME Filter Sample"
"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Group/user settings:


User: [NEW\Owner], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group NEW\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
NEW\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR:
»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Thu May 27 18:25:14 2004 -- ??Find-All 'Windows'.hiv .reg list:
A E:\SPYWAR~1\1-27-0~1\Find-All\winBackup.hiv
A E:\SPYWAR~1\1-27-0~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#4 freeatlast (Retired Staff, 833 posts)

Posted 27 May 2004 - 12:40 PM

Next,
Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Go to Start/Run and type:
regedit
The registry should open with the Windows subfolder
highlighted.
(*compare and be sure the path on the status
bar is the same as indicated above!)

-Right-click on the Windows subfolder,
and rename Windows to Windows1

-Locate the "AppInit_DLLs" value on the right
pane, right-click it and select 'delete'

-Select Windows1 on the left pane
again and rename it back to its
original name, Windows

-Use regedit's top menu View->Refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

-Close regedit, *restart computer!

--Navigate to the System32 folder, search
for the System32\WINBLJ.DLL file, highlight it
and use the folder's top menu
option: "Edit-> Move to folder..."
Browse to and select the C:\junkxxx folder.
(It was created during the first 'Find-All' run.)
'ok' it.

Re-run 'Find-All.cmd' and post the new log!

#5 samantha34f (Full Member, 19 posts)

Posted 27 May 2004 - 01:54 PM

Hi, this is the new log.

After restarting it seems to me that "AppInit_DLLs" is back again.
I could not find "System32\WINBLJ.DLL".

------------------------------------------------
--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--


Thu May 27 21:43:11 2004 -- ??Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
E: "" (7745:02C9) - FS:NTFS clusters:4k
Total: 40 328 511 488 [38G] - Free: 11 687 452 672 [11G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
9:43pm up 0 days, 0:09

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
640 smss.exe
688 csrss.exe Title:
712 winlogon.exe Title: NetDDE Agent
756 services.exe Svcs: Eventlog,PlugPlay
768 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
980 svchost.exe Svcs: RpcSs
1024 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl
1128 svchost.exe Svcs: Dnscache
1152 svchost.exe Svcs: LmHosts,SSDPSRV,upnphost,WebClient
1340 spoolsv.exe Svcs: Spooler
1448 alg.exe Svcs: ALG
1628 Crypserv.exe Svcs: Crypkey License
1676 GhostStartService.exeSvcs: GhostStartService
1744 nvsvc32.exe Svcs: NVSvc
1808 scardsvr.exe Svcs: SCardSvr
1852 slserv.exe Svcs: SLService
1860 explorer.exe Title: Program Manager
1876 SMAgent.exe Svcs: SoundMAX Agent Service (default)
1928 svchost.exe Svcs: stisvc
1968 Tmntsrv.exe Svcs: Tmntsrv
2036 WFXSVC.EXE Svcs: wfxsvc
248 WFXMOD32.EXE Title: WinFax MOD - NetoDragon 56K Voice Modem
472 PCCPFW.exe Svcs: PCCPFW
528 SMax4PNP.exe Title: SMax4PNP
536 SMax4.exe Title: SoundMax4
544 pccguide.exe Title: PC-cillin Online Registration
556 PCCClient.exe Title: Update...
568 Pop3trap.exe Title: Virus Detected!
620 winh.exe
656 xPlC2.exe Title:
676 wupdater.exe Title:
972 winampa.exe Title:
1188 pcnrl.exe Title:
1532 realsched.exe Title: Notification Wnd for RNAdmin
1552 omniscient.exe Title:
1592 ctfmon.exe Title:
1664 rundll32.exe Title: MediaCenter
1732 Popupkiller.exe Title:
1704 iexplore.exe Title: Internet Explorer
2088 alarm.exe Title:
2152 mapiicon.exe Title: ADSL A2 ICON
2180 WFXCTL32.EXE Title:
2584 wuauclt.exe Title: Auto Update Client Window
3128 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3160 ntvdm.exe
3204 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E33D2A9-EBA7-49D8-86EB-590187493C94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}]
"KeyVersion"="2.0.1"
"BHOVersion"="2.0.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E479EDE1-923E-11D3-B82B-00E09871521B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB512A7E-AE3E-46D2-97AE-EF17E8F18F26}]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
@="XMLMimeFilter MIME Filter Sample"
"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access NEW\Owner
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access NEW\Owner



»»Group/user settings:


User: [NEW\Owner], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group NEW\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
NEW\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR:
»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Thu May 27 21:43:14 2004 -- ??Find-All 'Windows'.hiv .reg list:
A E:\SPYWAR~1\1-27-0~1\Find-All\winBackup.hiv
A E:\SPYWAR~1\1-27-0~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#6 freeatlast (Retired Staff, 833 posts)

Posted 27 May 2004 - 11:40 PM

Repeat the same steps here:
http://www.spywarein...indpost&p=11318

It wasn't done properly.
Step 1 is to rename the 'Windows' subfolder.
Step 2 is to delete the 'AppInit' value.
Step 3 is to rename Windows1 back to the original.
If you deleted the AppInit during the time
the Windows subfolder was renamed, it
wouldn't have come back.

Next,
Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Go to Start/Run and type:
regedit
The registry should open with the Windows subfolder
highlighted.
(*compare and be sure the path on the status
bar is the same as indicated above!)

1. Right-click on the Windows subfolder,
and rename Windows to Windows1

2. Locate the "AppInit_DLLs" value on the right
pane, right-click it and select 'delete'

3. Select Windows1 on the left pane
again and rename it back to its
original name, Windows

4. Use regedit's top menu View->Refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

5. Close regedit, *restart computer!

6. Navigate to the System32 folder, search
for the System32\WINBLJ.DLL file, highlight it
and use the folder's top menu
option: "Edit-> Move to folder..."
Browse to and select the C:\junkxxx folder.
(It was created during the first 'Find-All' run.)
'ok' it.

7. Re-run 'Find-All.cmd' and post the new log!

#7 samantha34f (Full Member, 19 posts)

Posted 28 May 2004 - 08:03 AM

Hi

I did exactly what you instructed, twice,
but the "AppInit_DLLs" is back
and WINBLJ.DLL cannot be found.

Still waiting ..... thanks

#8 freeatlast (Retired Staff, 833 posts)

Posted 28 May 2004 - 10:01 AM

Try the following options:

Download Registrar Lite and install it.
http://www.resplendence.com/reglite

Run it, type the key into reglite's address bar
(hit 'go'):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Double-click on the 'AppInit_Dlls' value.
You should see this line in the data editor:
C:\WINDOWS\System32\WINBLJ.DLL

Right-click on the 'Windows' subfolder on the left
pane marked in purple, and rename it to 'NotWindows'.

Double-click on 'AppInit_Dlls' again, and clear the data (value).
Delete this: C:\WINDOWS\System32\WINBLJ.DLL
Hit 'apply' and 'ok' to set!

Rename 'NotWindows' back to 'Windows'.

Close reglite. Reopen, check whether the data returned.
If not, restart computer and check again.
As long as the data is listed there, you won't
be able to find the 'hidden' file.

If no luck, repeat the exact same steps, but this time:
-Rename the 'Windows' subfolder to 'NotWindows',
clear the data, and rename 'AppInit_Dlls' to 'NotAppInit'.
Rename 'NotWindows' back to 'Windows', but leave
'NotAppInit' renamed.
Reboot and check it again.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ummm... What settings do you have there?
According to the system info your
main root drive is "E", yet according to
the log your %SystemDrive% is C:\...
Where is your Windows installation?

#9 samantha34f (Full Member, 19 posts)

Posted 28 May 2004 - 11:02 AM

Hi

I followed your latest steps.

1. Following the steps - data returned.
2. Following the second set of steps (renaming to NotAppInit
and leaving it with this name)
and following the reboot I got a new line
"AppInit..." and also the "NotAppInit..."

When I run regedit I see those two lines as well.

3. The green arrowed icon "search" on the
task bar that appeared in the last few days
and should not be there is not present any more.
4. Windows XP is on drive C:.

#10 samantha34f (Full Member, 19 posts)

Posted 28 May 2004 - 11:27 AM

Following is the log file:

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--


Fri May 28 19:26:51 2004 -- ??Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
E: "" (7745:02C9) - FS:NTFS clusters:4k
Total: 40 328 511 488 [38G] - Free: 11 508 490 240 [11G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
7:26pm up 0 days, 0:34

»»Locked or 'Suspect' file(s) found...
»»Tasks (services):
0 System Process
4 System
640 smss.exe
688 csrss.exe Title:
712 winlogon.exe Title: NetDDE Agent
756 services.exe Svcs: Eventlog,PlugPlay
768 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
976 svchost.exe Svcs: RpcSs
1020 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl
1124 svchost.exe Svcs: Dnscache
1148 svchost.exe Svcs: LmHosts,SSDPSRV,upnphost,WebClient
1304 spoolsv.exe Svcs: Spooler
1440 alg.exe Svcs: ALG
1456 Crypserv.exe Svcs: Crypkey License
1664 GhostStartService.exeSvcs: GhostStartService
1732 nvsvc32.exe Svcs: NVSvc
1800 scardsvr.exe Svcs: SCardSvr
1816 explorer.exe Title: Program Manager
1852 slserv.exe Svcs: SLService
1884 SMAgent.exe Svcs: SoundMAX Agent Service (default)
1920 svchost.exe Svcs: stisvc
1940 Tmntsrv.exe Svcs: Tmntsrv
1992 WFXSVC.EXE Svcs: wfxsvc
180 WFXMOD32.EXE Title: WinFax MOD - NetoDragon 56K Voice Modem
384 PCCPFW.exe Svcs: PCCPFW
520 SMax4PNP.exe Title: SMax4PNP
528 SMax4.exe Title: SoundMax4
536 pccguide.exe Title: PC-cillin Online Registration
544 PCCClient.exe Title: Update...
552 Pop3trap.exe Title: Virus Detected!
580 winh.exe
592 xPlC2.exe Title:
628 wupdater.exe Title:
684 winampa.exe Title:
692 pcnrl.exe Title:
916 realsched.exe Title: Notification Wnd for RNAdmin
968 omniscient.exe
1068 ctfmon.exe Title:
1072 rundll32.exe Title: MediaCenter
1088 Popupkiller.exe Title:
1096 iexplore.exe Title: Internet Explorer
1184 alarm.exe Title:
1228 mapiicon.exe Title: ADSL A2 ICON
1536 WFXCTL32.EXE Title:
2540 wuauclt.exe Title: Auto Update Client Window
3928 emule.exe Title:
560 IEXPLORE.EXE Title: SWI Forums -> a few problems - Microsoft Internet Explorer
516 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
488 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2596 ntvdm.exe
2628 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"notAppInit_DLLs"=""
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E33D2A9-EBA7-49D8-86EB-590187493C94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}]
"KeyVersion"="2.0.1"
"BHOVersion"="2.0.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E479EDE1-923E-11D3-B82B-00E09871521B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB512A7E-AE3E-46D2-97AE-EF17E8F18F26}]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
@="XMLMimeFilter MIME Filter Sample"
"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access NEW\Owner
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access NEW\Owner



»»Group/user settings:


User: [NEW\Owner], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group NEW\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
NEW\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR:
»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Fri May 28 19:26:56 2004 -- ??Find-All 'Windows'.hiv .reg list:
A E:\spywareinfo\1-27-05-04\Find-All\winBackup.hiv
A E:\spywareinfo\1-27-05-04\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
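The helper's regedit procedure in posts #4, #6 and #8 and the three Find-All logs in this thread all come down to the same three questions after each run: did the "AppInit_DLLs" value come back, is the locked WINBLJ.DLL still reported, and what changed in the process list. As an added example (not part of the thread, and not code from the Find-All tool), the Python below parses those sections out of a Find-All log and diffs two runs. The two excerpts are constructed from the second and third logs above (posts #5 and #10), cut down to the lines the parser reads; `FindAllRun`, `parse_findall` and `compare_runs` are names chosen here.

```python
import re
from dataclasses import dataclass, field

# The key Find-All exports as a REGEDIT4 block; its AppInit_DLLs value is what the thread is fighting over.
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


@dataclass
class FindAllRun:
    locked_files: list = field(default_factory=list)  # "Locked or 'Suspect' file(s)" hits
    windows_key: dict = field(default_factory=dict)   # string values exported under WINDOWS_KEY
    processes: dict = field(default_factory=dict)     # image name (lower-case) -> [pids]


def parse_findall(text: str) -> FindAllRun:
    """Extract the sections of a Find-All log that matter for an AppInit_DLLs hijack."""
    run, section, in_windows_key = FindAllRun(), "", False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("»»"):                        # Find-All section header
            section, in_windows_key = line, False
            continue
        if line.startswith("[") and line.endswith("]"):  # REGEDIT4 key header
            in_windows_key = line[1:-1] == WINDOWS_KEY
            continue
        if in_windows_key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)    # string values only; dword lines are ignored
            if m:
                run.windows_key[m.group(1)] = m.group(2)
        elif section.startswith("»»Locked") and line.startswith("\\\\?\\"):
            path = line.split(" +++", 1)[0][4:]           # drop the \\?\ prefix and the error text
            if path not in run.locked_files:              # Find-All prints each hit twice
                run.locked_files.append(path)
        elif section.startswith("»»Tasks"):
            m = re.match(r"^(\d+)\s+(\S+?\.exe)", line, re.IGNORECASE)
            if m:
                run.processes.setdefault(m.group(2).lower(), []).append(int(m.group(1)))
    return run


def compare_runs(before: FindAllRun, after: FindAllRun) -> dict:
    """Did the value come back, did the locked DLL go away, what changed in the process list."""
    b, a = before.windows_key, after.windows_key
    return {
        "appinit_before": b.get("AppInit_DLLs"),
        "appinit_after": a.get("AppInit_DLLs"),
        "appinit_persisted": "AppInit_DLLs" in b and "AppInit_DLLs" in a,
        "values_added": sorted(set(a) - set(b)),
        "values_removed": sorted(set(b) - set(a)),
        "locked_cleared": sorted(set(before.locked_files) - set(after.locked_files)),
        "locked_new": sorted(set(after.locked_files) - set(before.locked_files)),
        "processes_gone": sorted(set(before.processes) - set(after.processes)),
        "processes_new": sorted(set(after.processes) - set(before.processes)),
    }


# Constructed excerpts modelled on the logs in posts #5 and #10, reduced to the lines read above.
RUN_BEFORE = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error

»»Tasks (services):
0 System Process
640 smss.exe
1676 GhostStartService.exeSvcs: GhostStartService
620 winh.exe
656 xPlC2.exe Title:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Spooler"="yes"
"GDIProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
»»Security settings for 'Windows' key:
"""

RUN_AFTER = r"""
»»Locked or 'Suspect' file(s) found...
»»Tasks (services):
640 smss.exe
1664 GhostStartService.exeSvcs: GhostStartService
580 winh.exe
592 xPlC2.exe Title:
3928 emule.exe Title:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Spooler"="yes"
"notAppInit_DLLs"=""
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
»»Security settings for 'Windows' key:
"""

if __name__ == "__main__":
    report = compare_runs(parse_findall(RUN_BEFORE), parse_findall(RUN_AFTER))
    for name, value in report.items():
        print(f"{name:18} {value}")
```

On these two excerpts the report shows exactly what the poster described: "AppInit_DLLs" is present in both runs, "notAppInit_DLLs" is the only value added, the locked WINBLJ.DLL entry is gone from the second run, and emule.exe is the only new process. Note that Find-All exports the value as an empty string in every log even while reglite shows a DLL path in it (post #8); the parser reports what the export says and makes no guess about why the two disagree.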



#11 freeatlast (Retired Staff, 833 posts)

Posted 28 May 2004 - 12:11 PM

Hmmm..
Im confused.
What have you done?
IS the data value visible in reglite?

What's on Drive "E", exactly?
Is that a bootable partition?

»»System Info:

Microsoft Windows XP [Version 5.1.2600]
E: "" (7745:02C9) - FS:NTFS clusters:4k
Total: 40 328 511 488 [38G] - Free: 11 508 490 240 [11G]

And whats up with these?
536 pccguide.exe Title: PC-cillin Online Registration
544 PCCClient.exe Title: Update...
552 Pop3trap.exe Title: Virus Detected!
580 winh.exe
592 xPlC2.exe Title:
628 wupdater.exe Title:

Looks like you have other baddies to take care of, first.
And it would help if you run the Find-all
from the affected drive.

Can you list your drive(s) details, and download:
http://www.spywarein.../hijackthis.zip
Run, save the results and post the log.

#12 samantha34f

samantha34f

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 28 May 2004 - 03:52 PM

the log from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 23:39:33, on 28/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\WFXSVC.EXE
E:\program files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\xPlC2.exe
C:\Program Files\Common files\updater\wupdater.exe
E:\program files\Winamp\winampa.exe
C:\WINDOWS\pcnrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
C:\WINDOWS\System32\iexplore.exe
E:\program files\Chaos Software2\Chaos 6\alarm.exe
C:\WINDOWS\system32\mapiicon.exe
E:\program files\Symantec\WinFax\WFXCTL32.EXE
C:\WINDOWS\System32\wuauclt.exe
E:\program files\תוכנות אינטרנט\e-mule\eMule\emule.exe
E:\program files\Compass\Compass.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\program files\Winamp\winamp.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\taboo.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll
O2 - BHO: (no name) - {FB512A7E-AE3E-46D2-97AE-EF17E8F18F26} - C:\WINDOWS\wdrz.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [m2v76960] C:\WINDOWS\xPlC2.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe
O4 - HKLM\..\Run: [fwed] C:\WINDOWS\pcnrl.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Internet Explorer Website Manager] C:\WINDOWS\SYSTEM32\iexplore32w.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [DesktopProf] c:\windows\pulpit.exe ukrt
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKCU\..\Run: [Internet Explorer Website Manager] C:\WINDOWS\SYSTEM32\iexplore32w.exe
O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreferen..._/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreferen...ie-com-e-p3.htm
O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html
O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: IEToolbarCab - http://www.dailytool...yToolbarAff.CAB
O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poa...abs/arpkcom.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getm...s/installer.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downlo...ice_4_EN_XP.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://www.trafficho...2/winalot32.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...TInc/bridge.cab
O16 - DPF: {AD684060-16D6-40C3-AF27-53956783430D} - http://www.xpehbam.biz/exploit.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downlo...034_pack_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

------------------------------------------------------------------------------

a few answers:

the data is visible in reglite for "AppInit_DLLs",
not visible for "not AppInit...".

When I bought the computer it had a 120 GB hard drive.

In the shop they divided it into 3 partitions.
When I open "My Computer"
each partition (C, E & F) is "Local Disk, file system NTFS".

The bootable one with Windows is C.

Items 536, 544, 552 are in the PC-cillin 2002 anti-virus program.
628 is the updater application in c:\program files\common files\updater.
About 580: it is an application in c:\windows.



THIS IS ALL FOR THE MOMENT

#13 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 29 May 2004 - 04:52 AM

Kewl!

I see you have Hebrew Lang Support... ;) Shal0m

You have quite a few viral elements there.
Let's try and kill them all first, and leave the 'hidden' problem for last.

In HijackThis, fix checked:



F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {FB512A7E-AE3E-46D2-97AE-EF17E8F18F26} - C:\WINDOWS\wdrz.dll
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [m2v76960] C:\WINDOWS\xPlC2.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [fwed] C:\WINDOWS\pcnrl.exe
O4 - HKLM\..\Run: [Internet Explorer Website Manager] C:\WINDOWS\SYSTEM32\iexplore32w.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [DesktopProf] c:\windows\pulpit.exe ukrt
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKCU\..\Run: [Internet Explorer Website Manager] C:\WINDOWS\SYSTEM32\iexplore32w.exe
O16 - DPF: IEToolbarCab - http://www.dailytool...yToolbarAff.CAB
O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getm...s/installer.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downlo...ice_4_EN_XP.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://www.trafficho...2/winalot32.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...TInc/bridge.cab
O16 - DPF: {AD684060-16D6-40C3-AF27-53956783430D} - http://www.xpehbam.biz/exploit.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downlo...034_pack_XP.cab


Restart in Safe Mode after fixing these, re-run HijackThis
again, and be sure all pointed lines are gone.

Find and delete these files:
C:\Windows\System32\wsaupdater.exe,
iexplore.exe, iexplore32w.exe,
slserv.exe
(*Don't confuse these with Explorer in Windows
and iExplore in Program Files, which are
naturally legit; your imposters in System32 are all *viral!)
C:\WINDOWS\winh.exe, xPlC2.exe, pcnrl.exe, alchem.exe files
C:\Program Files\Common files\updater folder
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\taboo.exe

That's in a quick surface scan.
I'm not sure I got everything.

When done, run all these online
AV scanners, allow them to clean:

Computer Associates eTrust Antivirus Web Scanner

Panda ActiveScan - Free online scanner

BitDefender Scan Online

And Download and run: McAfee AVERT Stinger

When you have done all that, visit:
http://windowsupdate.microsoft.com
Scan and apply any and all security patches on offer.

Run these tools, have them fix all problems:
*Ad-Aware6:
http://www.lavasoftu...ftware/adaware/

*Updates:
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

*http://www.spywarein.../CWShredder.exe

These won't completely cure the 'AboutBlank' issue, but then
that is the least of your problems.

When done, repost fresh hijackthis log.

Edited by freeatlast, 29 May 2004 - 05:41 AM.

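The fix list in the post above is the result of a manual triage of the HijackThis log: the helper picked entries by a handful of rules of thumb (executables dropped straight into C:\WINDOWS, an IE look-alike in System32, a UserInit that is not userinit.exe, ActiveX downloads from a raw IP or pointing at a bare .exe). As an added example, not part of this thread and not code from HijackThis or its author, here is that triage written down as a Python script. The sample lines are copied from the log posted above (the forum's own "..." URL truncation is kept); the heuristics are my reading of what freeatlast flagged and are an assumption, not a signature list; the expected UserInit value is the Windows XP default. It goes slightly beyond the post in that it also flags the nameless mmae.dll BHO in System32 and the res:// search-page entries, which the helper left for the later 'hidden' step.

```python
"""Rule-of-thumb triage of a HijackThis 1.97 log.

Added example: not code from this thread, HijackThis or its author.
The heuristics encode what the helper flagged by eye; they are a first
pass, not a signature database, and will miss things such as the
'updater' entry under Common Files.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted in the thread,
# one or two of each type (the "..." inside URLs is the forum's truncation).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe
O16 - DPF: {AD684060-16D6-40C3-AF27-53956783430D} - http://www.xpehbam.biz/exploit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

_WIN_ROOT_EXE = re.compile(r"^[a-z]:\\(windows|winnt)\\[^\\]+\.exe$")
_WIN_DIR_DLL = re.compile(r"^[a-z]:\\(windows|winnt)\\(system32\\)?[^\\]+\.dll$")
_RAW_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"  # Windows XP default


def _norm(path):
    """Lower-case, unquote and backslash-normalise a path from the log."""
    return path.strip().strip('"').replace("/", "\\").lower()


def triage(log_text):
    """Return [(tag, reason, line)] for every entry one of the rules fires on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" - ", 1)[0]
        reason = None
        if tag == "F2":
            m = re.search(r"UserInit=(.+)$", line, re.I)
            if m and _norm(m.group(1)) != _DEFAULT_USERINIT:
                reason = "UserInit is not the stock userinit.exe"
        elif tag in ("R0", "R1") and "res://" in line.lower():
            reason = "IE search/start page served out of a local DLL resource"
        elif tag == "O2" and "(no name)" in line:
            m = re.search(r"\}\s+-\s+(.+)$", line)
            if m and _WIN_DIR_DLL.match(_norm(m.group(1))):
                reason = "nameless BHO loaded from the Windows directory"
        elif tag == "O4":
            m = re.search(r'\]\s*"?([^"]+?\.exe)', line, re.I)
            if m:
                exe = _norm(m.group(1))
                name = exe.rsplit("\\", 1)[-1]
                if _WIN_ROOT_EXE.match(exe):
                    reason = "autorun executable sitting directly in the Windows root"
                elif "\\system32\\" in exe and "iexplore" in name:
                    reason = "IE look-alike in System32 (real IE lives under Program Files)"
        elif tag == "O16":
            m = re.search(r"-\s+(https?://\S+)$", line, re.I)
            if m:
                url = urlparse(m.group(1))
                if _RAW_IPV4.match(url.hostname or ""):
                    reason = "ActiveX download from a raw IP address"
                elif url.path.lower().endswith(".exe"):
                    reason = "ActiveX entry pulls a bare .exe rather than a .cab"
        if reason:
            findings.append((tag, reason, line))
    return findings


if __name__ == "__main__":
    for tag, reason, line in triage(SAMPLE_LOG):
        print(f"[{tag}] {reason}\n    {line}")
```

Run it as-is to see the sample findings, or pass the text of a saved hijackthis.log to triage(). Everything it flags still wants a human look (PC-cillin and ctfmon pass, the FlashGet BHO passes), and a clean run is not a clean machine: it only knows the patterns listed above.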

#14 samantha34f

samantha34f

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 29 May 2004 - 02:25 PM

hii

I did all the steps.

A lot of work.

You seem to be an expert!

----------------------------------------------------
Following is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 22:23:56, on 29/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\WFXSVC.EXE
E:\program files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
E:\program files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
E:\program files\Chaos Software2\Chaos 6\alarm.exe
C:\WINDOWS\system32\mapiicon.exe
E:\program files\Symantec\WinFax\WFXCTL32.EXE
E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreferen..._/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreferen...ie-com-e-p3.htm
O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html
O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poa...abs/arpkcom.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

#15 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 29 May 2004 - 04:57 PM

Well done!

We're still left with the other problem.

Try repeating the same steps as before to rename
the 'Windows' folder and delete the data.
After renaming the 'Windows' Subfolder, leave the
registry open and wait for about 10~20 seconds.
Delete both 'AppInit_Dlls' values.
Wait few seconds and rename Windows1 back to Windows.
As was pointed here:
http://www.spywarein...indpost&p=11945

P.S.
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

Stands for some dodgy search assistant on the task bar.
You should be able to find an uninstaller in Add/Remove.
Uninstall and delete the folder (if left) from Program Files.

And find and delete this cr@p:
c:\windows\pulpit.exe if still there. (left off your previous post)

Edited by freeatlast, 29 May 2004 - 05:53 PM.


#16 samantha34f

samantha34f

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 30 May 2004 - 11:49 AM

hii again!

1. I tried twice to delete "AppInit..."
but following the restart of the computer
this item is back again.

2. I deleted the folder \windowsSA;
could not find this program in Add/Remove.

3. I deleted pulpit.exe.

4. On the task bar there is a button: "search"
with a place to type the item I want to search.
This button is for "Blaze Find, Google, Yahoo or MSN".

Following is the present HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 19:43:45, on 30/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\WFXSVC.EXE
E:\program files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
E:\program files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
E:\program files\Chaos Software2\Chaos 6\alarm.exe
C:\WINDOWS\system32\mapiicon.exe
E:\program files\Symantec\WinFax\WFXCTL32.EXE
E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreferen..._/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreferen...ie-com-e-p3.htm
O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html
O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poa...abs/arpkcom.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9



that's all for the moment
thanks

#17 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 31 May 2004 - 06:33 AM

***Edited for new steps:***

*In reglite or regedit open the 'Windows' key:
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)

*Right-click on the Windows subfolder
and rename Windows to Windows1.

**Restart computer!!!
(That key won't be loaded.)

*Find:
C:\WINDOWS\System32\*WINBLJ.DLL
as it should be visible, and
use the folder's top menu
option: "Edit -> Move to folder..."
*Browse to and select the C:\junkxxx folder,
'OK' it.

In regedit/reglite:
*Rename Windows1 back to its
original name, Windows.

*Right-click on any 'AppInit...'/'notAppInit' values (only!) left in the
right pane and delete them.

*Re-run Find-All.cmd and post the log.


And do this as well:
In HijackThis > Config > Misc Tools
*generate a startup list and post it.
(Check the other extra check boxes as well.)

Edited by freeatlast, 31 May 2004 - 08:09 AM.

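The rename-reboot-move-rename dance in this post and in #15 exists because a value under the 'Windows' key kept coming back and one of the two AppInit-named values could not even be displayed in reglite. As an added example, not part of this thread and not code from Find-All, reglite or HijackThis, here is a Python audit of that key that lists every AppInit-like value, what it would load, and whether its name is a look-alike. AppInit_DLLs being a REG_SZ list that user32.dll loads into every process linking it is documented Windows behaviour; how the poster's invisible value was actually hidden is not stated in the thread, so treating names with non-printable characters as suspect is an assumption of mine. The sample values are constructed: the ones exported in the thread plus an assumed empty AppInit_DLLs and an assumed look-alike whose data names the DLL the helper told the poster to look for.

```python
r"""Audit the AppInit_DLLs values under the 'Windows' key.

Added example: not code from this thread, Find-All, reglite or HijackThis.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs is a
REG_SZ list of DLLs that user32.dll loads into every process linking it,
which is why a hijacker planted there rides along in every IE window.
The thread does not say how the 'not visible' value was hidden; as an
assumption, value names containing non-printable characters (which
regedit-style listings may not show) are treated as suspect, and so is
any other look-alike name.
"""
import re

KEY_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
GENUINE = "appinit_dlls"

# Constructed sample: the values exported in the thread, plus two assumed
# ones: an empty genuine AppInit_DLLs and a look-alike whose name carries a
# NUL and whose data names the DLL the helper told the poster to look for.
SAMPLE_VALUES = [
    ("DeviceNotSelectedTimeout", "15"),
    ("GDIProcessHandleQuota", 10000),
    ("Spooler", "yes"),
    ("AppInit_DLLs", ""),
    ("not AppInit_DLLs\x00", r"C:\WINDOWS\System32\winblj.dll"),
]


def _dll_list(data):
    """Split REG_SZ data (comma or space separated) into DLL paths."""
    text = data.decode("utf-16-le", "replace") if isinstance(data, bytes) else str(data)
    return [d for d in re.split(r"[,\s]+", text.strip()) if d]


def classify_values(values):
    """values: iterable of (name, data). Returns one report per AppInit-like value."""
    report = []
    for name, data in values:
        lower = name.lower()
        printable = name.isprintable()
        if lower == GENUINE:
            dlls = _dll_list(data)
            verdict = ("genuine name, loads %d DLL(s) into every GUI process" % len(dlls)
                       if dlls else "genuine name, empty")
        elif "appinit" in lower or not printable:
            dlls = _dll_list(data)
            verdict = "look-alike name"
            if not printable:
                verdict += " with non-printable characters (may not show in regedit)"
        else:
            continue  # DeviceNotSelectedTimeout and friends are not of interest here
        report.append({"name": name, "verdict": verdict, "dlls": dlls})
    return report


def read_live_values():
    """On Windows, read the real key (read-only, no admin needed); elsewhere None."""
    try:
        import winreg
    except ImportError:
        return None
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, data))
            index += 1
    return values


if __name__ == "__main__":
    live = read_live_values()
    for entry in classify_values(SAMPLE_VALUES if live is None else live):
        # unicode_escape makes a NUL or other control character visible as \x00
        print(entry["name"].encode("unicode_escape").decode(), "->", entry["verdict"])
        for dll in entry["dlls"]:
            print("    loads:", dll)
```

On a Windows machine the script reads the real key and prints the escaped value names, so a name that regedit shows as a blank or duplicate line becomes visible as text; elsewhere it runs against the constructed sample. It only reads; deleting the value still has to be done by hand, and if the DLL it names is loaded into the running shell the post's rename-and-reboot step is what makes the file movable.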

#18 samantha34f

samantha34f

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 31 May 2004 - 11:51 AM

hii

here is the "Find-All" output file:

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--


Mon May 31 19:46:38 2004 -- ??Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
E: "" (7745:02C9) - FS:NTFS clusters:4k
Total: 40 328 511 488 [38G] - Free: 11 401 306 112 [11G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
7:46pm up 0 days, 0:04

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
640 smss.exe
688 csrss.exe Title:
712 winlogon.exe Title: NetDDE Agent
756 services.exe Svcs: Eventlog,PlugPlay
768 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
964 svchost.exe Svcs: RpcSs
1012 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl
1116 svchost.exe Svcs: Dnscache
1140 svchost.exe Svcs: LmHosts,SSDPSRV,upnphost,WebClient
1272 spoolsv.exe Svcs: Spooler
1436 alg.exe Svcs: ALG
1452 Crypserv.exe Svcs: Crypkey License
1492 GhostStartService.exe Svcs: GhostStartService
1656 explorer.exe Title: Program Manager
1724 nvsvc32.exe Svcs: NVSvc
1772 scardsvr.exe Svcs: SCardSvr
1852 SMAgent.exe Svcs: SoundMAX Agent Service (default)
1904 svchost.exe Svcs: stisvc
1928 Tmntsrv.exe Svcs: Tmntsrv
2004 WFXSVC.EXE Svcs: wfxsvc
128 WFXMOD32.EXE Title: WinFax MOD - NetoDragon 56K Voice Modem
432 PCCPFW.exe Svcs: PCCPFW
468 SMax4PNP.exe Title: SMax4PNP
476 SMax4.exe Title: SoundMax4
496 pccguide.exe Title: PC-cillin Online Registration
504 PCCClient.exe Title: Update...
516 Pop3trap.exe Title: Virus Detected!
684 winampa.exe Title:
956 realsched.exe Title: Notification Wnd for RNAdmin
340 ctfmon.exe Title:
1352 rundll32.exe Title: MediaCenter
1384 Popupkiller.exe Title:
1576 alarm.exe Title:
1608 mapiicon.exe Title: ADSL A2 ICON
1700 WFXCTL32.EXE Title:
2616 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2648 ntvdm.exe
2688 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E33D2A9-EBA7-49D8-86EB-590187493C94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E479EDE1-923E-11D3-B82B-00E09871521B}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{60C5505D-6DC0-496E-BFD5-A3E21CF534FC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
@="XMLMimeFilter MIME Filter Sample"
"CLSID"="{60C5505D-6DC0-496E-BFD5-A3E21CF534FC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access NEW\Owner
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access NEW\Owner



»»Group/user settings:


User: [NEW\Owner], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group NEW\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
NEW\Owner:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


C:\junkxxx\winblj.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
NEW\Owner:F
BUILTIN\Users:R


»»Contents of file(s) in 'junk' folder:
winblj.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

efee2cb3b342a351518023569637f8e6 winblj.dll

21504 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:
File: <C:\junkxxx\winblj.dll>





Mon May 31 19:46:40 2004 -- ??Find-All 'Windows'.hiv .reg list:
A E:\SPYWAR~1\1-27-0~1\Find-All\winBackup.hiv
A E:\SPYWAR~1\1-27-0~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

FOLLOWING IS THE STARTUP LIST:
-----------------------------------------


StartupList report, 31/05/2004, 19:50:48
StartupList version: 1.52
Started from : E:\program files\תוכנות אינטרנט\hijack this\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\WFXSVC.EXE
E:\program files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
E:\program files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
E:\program files\Chaos Software2\Chaos 6\alarm.exe
C:\WINDOWS\system32\mapiicon.exe
E:\program files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\תפריט התחלה\תוכניות\הפעלה]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה]
ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMAXPnP = C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
SoundMAX = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
PCCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
ADSL_A2 = A2Installed
PopUpInspector.exe =
WinampAgent = E:\program files\Winamp\winampa.exe
NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
Ultimate Popup Killer = E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
Host =
alarm.exe = "E:\program files\Chaos Software2\Chaos 6\alarm.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named something else.
- Regedit.exe has no OriginalFilename property! It is either missing or named something else.
- Regedit.exe has no FileDescription property! It is either missing or named something else.

Registry check failed!

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\WINDOWS\System32\mmae.dll - {0E33D2A9-EBA7-49D8-86EB-590187493C94}
(no name) - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
(no name) - E:\program files\Compass\CmpsIE.dll - {E479EDE1-923E-11D3-B82B-00E09871521B}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{00000032-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...86/msnaudio.CAB

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://us.dl1.yimg.c...s/yinst0401.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

[ARSign Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\arpkcom.dll
CODEBASE = https://www.join.poa...abs/arpkcom.cab

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/s...nfo/webscan.cab

[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\AvxOScan\BITDEF~1.OCX
CODEBASE = http://www.bitdefend...bitdefender.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[LauncherV1 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\launcher.ocx
CODEBASE = http://irc.tapuz.co.il/sp/launcher.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
ITeX ADSL Management and Monitor Interface: System32\DRIVERS\amgmwan.sys (autostart)
Digital Camera(E)(video): System32\DRIVERS\aox402vc.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Crypkey License: crypserv.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
3Com 3C2000x EtherLink XL Adapter: System32\DRIVERS\EL2K_XP.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CryptoIdentity 5: System32\Drivers\euci5.sys (manual start)
CryptoIdentity Reader: System32\Drivers\euci5r.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GhostStartService: E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe (autostart)
GhostPciScanner: \??\E:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys (system)
GMSIPCI: \??\D:\INSTALL\GMSIPCI.SYS (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
hardlock: \??\C:\WINDOWS\System32\drivers\hardlock.sys (autostart)
Haspnt: \??\C:\WINDOWS\System32\drivers\Haspnt.sys (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
ITeX ADSL PCI NIC Service: System32\DRIVERS\itexwana.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
MidiSyn: system32\drivers\MidiSyn.sys (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Mtlmnt5: System32\DRIVERS\Mtlmnt5.sys (manual start)
Mtlstrm: System32\DRIVERS\Mtlstrm.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetworkX: \SystemRoot\system32\ckldrv.sys (system)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NtMtlFax: System32\DRIVERS\NtMtlFax.sys (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PC-cillin PersonalFirewall: C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe (autostart)
PC-Cillin Personal Firewall: \SystemRoot\System32\Drivers\PCC_PFW.sys (autostart)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP)‎: System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP)‎: System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Digital Camera(E)(still): System32\DRIVERS\aox402sc.sys (manual start)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SecurityToolsObj: C:\Program Files\ARL\CryptoKit\utils\SecurityToolsObj.exe (manual start)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
NetoDragon AMR_PCI Driver: System32\DRIVERS\slntamr.sys (manual start)
SlNtHal: System32\DRIVERS\Slnthal.sys (manual start)
SmartLinkService: slserv.exe (autostart)
SlWdmSup: System32\DRIVERS\SlWdmSup.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{D7F8C73E-5742-4C58-8602-7A93FB490009} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tmfilter: System32\drivers\TmXPFlt.sys (autostart)
Trend NT Realtime Service: "C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe" (autostart)
Tmpreflt: System32\drivers\Tmpreflt.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Digital Camera(E): System32\DRIVERS\usbhub.sys (autostart)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
v90drv: System32\DRIVERS\v90drv.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Vsapint: System32\drivers\Vsapint.sys (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
WinFax PRO: C:\WINDOWS\System32\WFXSVC.EXE (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
סביבת תמיכה של ספק שירות Windows Socket 2.0 Non-IFS: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 33,740 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only




hoping to "hear" from you soon

best regards .....

#19 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 01 June 2004 - 02:53 AM

Finally! :cool:

I didn't look at your startup list yet, but let's
wrap up the 'AboutBlanc' first, following these steps:


Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/Silently do this:
*Restore your key & security
back to defaults
*Reset permissions on the junkxxx\*.dll moved file
*Create zipped copy in the same folder: "junkxxx.zip"
*Open your email client with given addresses for submission!

--Drag the 'junkxxx.zip' and submit the
attachment to the specified addresses! Thanks ;)

When done, Delete the "junkxxx.zip"
as well as the "junkxxx" folder in C:\ And the 'Find-All' folder(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker downloaded!
Run these tools again , as they should work properly now,
have them fix all problems:
*Ad-Aware6+latest updates
*CWShredder

Into your next reply just attach fresh hijackthis log.

#20 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 01 June 2004 - 06:58 AM

freeatlast,
Just curious about a few things ...

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll

If a user is properly patched, shouldn't that entry be blank? (mine is)

»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

May be missing: Security Update for Windows Media Player (KB828026)
(should be > 9.0.0.2980)

I didn't look at your startup list yet

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named something else.
- Regedit.exe has no OriginalFilename property! It is either missing or named something else.
- Regedit.exe has no FileDescription property! It is either missing or named something else.

Registry check failed!

Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#21 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 01 June 2004 - 08:26 AM

Thanks, WinHelp2002, but all is well ;)

Re: »»M$Java version:
Mine is the same.
It would only be blank if it was substituted by Sun Java.
As that is the latest
Msjava.dll; noted on ~90% of logs, myself included! (All boxes)

Re: »»Wmplayer version:
Not so.
Unless updated to WMP9, that is the correct default version.

Re: Regedit,
It exists, since we *used* it as part of the process.
I believe it's detected that way because
'samantha34f' has 'Hebrew' Windows
version: e.g:
(C:\Documents and Settings\
All Users\תפריט התחלה\תוכניות\הפעלה)

P.S:
It would be a good idea to add it to
version/size in my 'next Find-All'! :D

#22 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 01 June 2004 - 09:15 AM

freeatlast,

It would only be blank if it was substituted by Sun Java.

No Sun Java here and mine is blank. I forget which patch removed msjava.dll.

MinorVersion: (mine reads)
SP1;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167

I believe it's detected that way because 'samantha34f' has 'Hebrew' Windows

Thanks ... good thing to remember :wave:
Mike

#23 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 01 June 2004 - 10:22 AM

No Sun Java here and mine is blank. I forget which patch removed msjava.dll.

No patch I know of removed M$java.dll from any of my 4 boxes.
Notably, a second copy is in the dllcache, dated the same as SP4 (for 2K),
And detected that way on most (patched) logs.
Last official update for IE was: 'Q832894',
No idea if M$ 'patched' MsJava.dll on XP due to infamous 'Sun' 'deal' and start of 'migrating' process,
but w/o Sun, this IS used as default java runtime,
or else there is no java! :D

Maintenance time? :wave:


samantha34f, next:
http://www.spywarein...indpost&p=15792

#24 samantha34f

    Member

  • Full Member
  • 19 posts

Posted 01 June 2004 - 10:28 AM

hii

i followed all the steps from today.

did not understand what you mean by "clear all the elements
the hijacker downloaded"


following is the new hijackthis log :

Logfile of HijackThis v1.97.7
Scan saved at 18:26:54, on 01/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\WFXSVC.EXE
E:\program files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
E:\program files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
E:\program files\Chaos Software2\Chaos 6\alarm.exe
C:\WINDOWS\system32\mapiicon.exe
E:\program files\Symantec\WinFax\WFXCTL32.EXE
E:\program files\תוכנות אינטרנט\e-mule\eMule\emule.exe
C:\Program Files\ARL\CryptoKit\utils\SecurityToolsObj.exe
E:\program files\Winamp\winamp.exe
E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreferen..._/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreferen...ie-com-e-p3.htm
O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html
O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poa...abs/arpkcom.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

thanks !

#25 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 01 June 2004 - 10:42 AM

What I meant is that you need to scan now
with dedicated removal tools to remove what
is left, after the 'hidden' file.

Here are the same steps which I've advised before:

Run these tools, have them fix all problems:
*Ad-Aware6, Download and Install:
http://www.lavasoftu...ftware/adaware/

*Recent Updates:
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181:
http://www.lavahelp....scan/index.html

Download, run and fix:
http://www.spywarein.../CWShredder.exe

Unless you do so, the items still left won't be
fully/properly removed.

When done, rescan with hijackthis, save the
log and post it.

I assume at this point the 'junkxxx' folder and its contents are gone!

#26 samantha34f

    Member

  • Full Member
  • 19 posts

Posted 01 June 2004 - 11:15 AM

hii

i followed all the last instructions

ad aware found 429 items.
i removed all except one
that could not be removed
c:\windows\system32\mmae.dll

here is the new hijackthis log :


Logfile of HijackThis v1.97.7
Scan saved at 19:14:42, on 01/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\WFXSVC.EXE
E:\program files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
E:\program files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
E:\program files\Chaos Software2\Chaos 6\alarm.exe
C:\WINDOWS\system32\mapiicon.exe
E:\program files\Symantec\WinFax\WFXCTL32.EXE
E:\PROGRA~1\2B5C~1\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"
O4 - HKLM\..\RunOnce: [Ad-aware] "E:\program files\תוכנות אינטרנט\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreferen..._/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreferen...ie-com-e-p3.htm
O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html
O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poa...abs/arpkcom.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9



the home page at the moment is a real blank page


bye

#27 samantha34f

    Member

  • Full Member
  • 19 posts

Posted 01 June 2004 - 12:07 PM

QUESTION :

just to be sure - why did i send the
junkxxx.zip to the 2 e-mail addresses ??????

thanks

#28 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 01 June 2004 - 12:12 PM

O4 - HKLM\..\RunOnce: [Ad-aware]
"E:\program files\תוכנות אינטרנט\Ad-aware 6\Ad-aware.exe" "+b1"


That means it has to run again on restart to complete the task!

Run CWShredder next, it should remove the file.

Failing that, restart in Safe mode and delete the
WINDOWS\System32\mmae.dll file manually! (if found)

It's no longer on your log! :D

Fix checked these in hijackthis:
*R1 - HKCU\Software\Microsoft\
Internet Explorer\Main,Start Page_bak = about:blank
*R1 - HKCU\Software\Microsoft\
Internet Explorer\Main,HomeOldSP = about:blank


Go to IE options, reset your preferred home page!

Consider problem solved! :wave:


P.S

That email for 'junkxxx' is mine ;) nothing to worry about..
If sent, fine. Otherwise delete it.
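As an added example (not code from the thread, from HijackThis or from Find-All), here is a small Python log reader that does mechanically what freeatlast does by eye in this post and the previous ones: it pulls the DLL behind the res:// search-page values, finds the BHO that loads that same DLL, lists the R0/R1 values still left at about:blank, and reports RunOnce entries that still have to complete on the next restart. The sample log lines are constructed from the entries quoted above and are not a real capture.

```python
import re

# Constructed sample: a few HijackThis v1.97-style lines shaped like the
# entries in the logs above (the res://...mmae.dll search-page hijack, the
# BHO that loads the same DLL, a leftover about:blank value and a pending
# Ad-aware RunOnce entry). Not a real capture.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll
O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll
O4 - HKLM\..\RunOnce: [Ad-aware] "E:\program files\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# Section prefix of a HijackThis entry line, e.g. "R1 - ", "O16 - ".
ENTRY = re.compile(r"^([RFO]\d+) - ")
# R0/R1: IE start/search page values, "<registry key> = <value>".
R_LINE = re.compile(r"^R[01] - (.+?) = (.*)$")
# res:// values point IE at an HTML resource embedded inside a DLL.
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
# O2: Browser Helper Objects, "(name) - {CLSID} - <dll path>".
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O4: Run/RunOnce registry entries, "[name] <command>".
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")


def parse_entries(text):
    """Return the HijackThis entry lines, skipping the header and process list."""
    return [line.strip() for line in text.splitlines() if ENTRY.match(line.strip())]


def norm_path(path):
    """Normalise a Windows path for comparison (quotes stripped, case folded)."""
    return path.strip().strip('"').lower()


def analyze(text):
    """Cross-reference the entries the way a helper reads them by hand:
    which DLL the res:// search-page values point at, which BHO loads that
    same DLL, which R0/R1 values are left at about:blank, and which RunOnce
    jobs still have to complete on the next restart."""
    entries = parse_entries(text)
    hijack_dlls, about_blank_keys, bho_hits, pending_runonce = set(), [], [], []

    for line in entries:
        m = R_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        res = RES_DLL.search(value)
        if res:
            hijack_dlls.add(norm_path(res.group(1)))
        elif value.strip().lower() == "about:blank":
            about_blank_keys.append(key)

    for line in entries:
        m = O2_LINE.match(line)
        if m and norm_path(m.group(3)) in hijack_dlls:
            bho_hits.append((m.group(2), m.group(3)))

    for line in entries:
        m = O4_LINE.match(line)
        if m and m.group(2).lower() == "runonce":
            pending_runonce.append(m.group(3))

    return {
        "hijack_dlls": sorted(hijack_dlls),
        "bho_hits": bho_hits,
        "about_blank_keys": about_blank_keys,
        "pending_runonce": pending_runonce,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a saved HijackThis log instead of SAMPLE_LOG to get the same four lists; a BHO listed under bho_hits is the entry that keeps rewriting the R0/R1 values until the DLL itself is gone.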

#29 samantha34f

    Member

  • Full Member
  • 19 posts

Posted 02 June 2004 - 03:47 PM

Hii

i want to thank you for your effort

computer is fine now
(not 100%)

but who is 100% these days


T H A N K S

#30 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 02 June 2004 - 03:58 PM

Keep your תפריט התחלה\תוכניות\הפעלה :keybrd: out of trouble! ;)