samantha34f

a few problems

30 posts in this topic

hi - this is my first post in this forum

i have the following problems (windows xp home edition)

1. www.errorplace.com at least following 2 sites.
2. home page changing to : about:blank and the page is SEARCH FOR ...
3. when i try the one particular address http://www.passwordfactory.com/forums/ the connection (adsl) is always disconnecting and i have to reconnect.

help me - please

thanks in advance


For #1+2:

Download, *UNzip Find-All.zip:
http://freeatlast.100free.com/Find-All.zip

Run -> Find-All.cmd, follow instructions and post the log!

For #3... Umm :ph34r: You're better off.
p04n contents, extremely XXXrated.


following is the log:

 

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--

 

 

Thu May 27 18:25:09 2004 -- ??Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

E: "" (7745:02C9) - FS:NTFS clusters:4k

Total: 40 328 511 488 [38G] - Free: 11 687 530 496 [11G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

»»PC uptime:

6:25pm up 0 days, 3:14

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error

\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

640 smss.exe

688 csrss.exe Title:

712 winlogon.exe Title: NetDDE Agent

756 services.exe Svcs: Eventlog,PlugPlay

768 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

972 svchost.exe Svcs: RpcSs

1016 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedu

e,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Them

s,TrkWks,upl

1120 svchost.exe Svcs: Dnscache

1144 svchost.exe Svcs: LmHosts,SSDPSRV,upnphost,WebClient

1296 spoolsv.exe Svcs: Spooler

1436 alg.exe Svcs: ALG

1452 Crypserv.exe Svcs: Crypkey License

1540 GhostStartService.exeSvcs: GhostStartService

1704 nvsvc32.exe Svcs: NVSvc

1728 scardsvr.exe Svcs: SCardSvr

1760 slserv.exe Svcs: SLService

1840 SMAgent.exe Svcs: SoundMAX Agent Service (default)

1896 svchost.exe Svcs: stisvc

1920 Tmntsrv.exe Svcs: Tmntsrv

1968 WFXSVC.EXE Svcs: wfxsvc

2036 WFXMOD32.EXE Title: WinFax MOD - NetoDragon 56K Voice Modem

2040 explorer.exe Title: Program Manager

468 PCCPFW.exe Svcs: PCCPFW

532 SMax4PNP.exe Title: SMax4PNP

544 SMax4.exe Title: SoundMax4

556 pccguide.exe Title: PC-cillin Online Registration

568 PCCClient.exe Title: Update...

576 Pop3trap.exe Title: Virus Detected!

632 winh.exe

668 xPlC2.exe Title:

820 wupdater.exe Title:

1040 winampa.exe Title:

1080 pcnrl.exe Title:

1496 realsched.exe Title: Notification Wnd for RNAdmin

1560 omniscient.exe Title:

1692 ctfmon.exe Title:

2068 rundll32.exe Title: MediaCenter

2104 Popupkiller.exe Title: MCI command handling window

2116 iexplore.exe Title: Internet Explorer

2156 alarm.exe Title:

2216 mapiicon.exe Title: ADSL A2 ICON

2232 WFXCTL32.EXE Title:

2448 emule.exe Title:

2768 wuauclt.exe Title: Auto Update Client Window

2992 SecurityToolsObj.exeSvcs: SecurityToolsObj

2960 flashget.exe Title:

3128 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3376 ntvdm.exe

2952 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E33D2A9-EBA7-49D8-86EB-590187493C94}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}]

"KeyVersion"="2.0.1"

"BHOVersion"="2.0.1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E479EDE1-923E-11D3-B82B-00E09871521B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB512A7E-AE3E-46D2-97AE-EF17E8F18F26}]

@=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

@="XMLMimeFilter MIME Filter Sample"

"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

»»Group/user settings:

 

 

User: [NEW\Owner], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group NEW\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

NEW\Owner:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR:

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Thu May 27 18:25:14 2004 -- ??Find-All 'Windows'.hiv .reg list:

A E:\SPYWAR~1\1-27-0~1\Find-All\winBackup.hiv

A E:\SPYWAR~1\1-27-0~1\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Next,

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder highlighted.
(*compare and be sure the path on the status bar is same as indicated above!)

-RightClick on the Windows Subfolder, and rename Windows as Windows1

-Locate "AppInit_DLLs" value on the right pane, RightClick it and select 'delete'

-Select the Windows1 on the left pane again and rename it back to its original name, Windows

-Use top regedit's menu view->refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

-Close regedit, *restart computer!

--Navigate to System32 folder, Search for System32\WINBLJ.DLL file, highlight and use the folder's top menu option: "Edit-> Move to folder..."
Browse to and select: C:\junkxxx folder. (It was created during first 'Find-All' run) 'ok' it.

Re-run 'Find-All.cmd' and post new log!


hi this is the new log

after restarting it seems to me that "AppInit.dll" is back again.
i could not find "system32\winblj.dll"

 

------------------------------------------------

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--

 

 

Thu May 27 21:43:11 2004 -- ??Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

E: "" (7745:02C9) - FS:NTFS clusters:4k

Total: 40 328 511 488 [38G] - Free: 11 687 452 672 [11G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

»»PC uptime:

9:43pm up 0 days, 0:09

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error

\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

640 smss.exe

688 csrss.exe Title:

712 winlogon.exe Title: NetDDE Agent

756 services.exe Svcs: Eventlog,PlugPlay

768 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

980 svchost.exe Svcs: RpcSs

1024 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedu

e,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Them

s,TrkWks,upl

1128 svchost.exe Svcs: Dnscache

1152 svchost.exe Svcs: LmHosts,SSDPSRV,upnphost,WebClient

1340 spoolsv.exe Svcs: Spooler

1448 alg.exe Svcs: ALG

1628 Crypserv.exe Svcs: Crypkey License

1676 GhostStartService.exeSvcs: GhostStartService

1744 nvsvc32.exe Svcs: NVSvc

1808 scardsvr.exe Svcs: SCardSvr

1852 slserv.exe Svcs: SLService

1860 explorer.exe Title: Program Manager

1876 SMAgent.exe Svcs: SoundMAX Agent Service (default)

1928 svchost.exe Svcs: stisvc

1968 Tmntsrv.exe Svcs: Tmntsrv

2036 WFXSVC.EXE Svcs: wfxsvc

248 WFXMOD32.EXE Title: WinFax MOD - NetoDragon 56K Voice Modem

472 PCCPFW.exe Svcs: PCCPFW

528 SMax4PNP.exe Title: SMax4PNP

536 SMax4.exe Title: SoundMax4

544 pccguide.exe Title: PC-cillin Online Registration

556 PCCClient.exe Title: Update...

568 Pop3trap.exe Title: Virus Detected!

620 winh.exe

656 xPlC2.exe Title:

676 wupdater.exe Title:

972 winampa.exe Title:

1188 pcnrl.exe Title:

1532 realsched.exe Title: Notification Wnd for RNAdmin

1552 omniscient.exe Title:

1592 ctfmon.exe Title:

1664 rundll32.exe Title: MediaCenter

1732 Popupkiller.exe Title:

1704 iexplore.exe Title: Internet Explorer

2088 alarm.exe Title:

2152 mapiicon.exe Title: ADSL A2 ICON

2180 WFXCTL32.EXE Title:

2584 wuauclt.exe Title: Auto Update Client Window

3128 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3160 ntvdm.exe

3204 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E33D2A9-EBA7-49D8-86EB-590187493C94}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}]

"KeyVersion"="2.0.1"

"BHOVersion"="2.0.1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E479EDE1-923E-11D3-B82B-00E09871521B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB512A7E-AE3E-46D2-97AE-EF17E8F18F26}]

@=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

@="XMLMimeFilter MIME Filter Sample"

"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access NEW\Owner

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access NEW\Owner

 

 

 

»»Group/user settings:

 

 

User: [NEW\Owner], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group NEW\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

NEW\Owner:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR:

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Thu May 27 21:43:14 2004 -- ??Find-All 'Windows'.hiv .reg list:

A E:\SPYWAR~1\1-27-0~1\Find-All\winBackup.hiv

A E:\SPYWAR~1\1-27-0~1\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Repeat the same steps here:
http://www.spywareinfoforum.com/index.php?ac...indpost&p=11318

It wasn't done properly.
Step 1 is to rename the 'Windows' subfolder.
Step 2 is to delete the 'AppInit' value.
Step 3 is to rename windows1 back to original.
If you deleted the AppInit during the time the Windows subfolder was renamed, it wouldn't have come back.

Next,
Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder highlighted.
(*compare and be sure the path on the status bar is same as indicated above!)

1.-RightClick on the Windows Subfolder, and rename Windows as Windows1

2.-Locate "AppInit_DLLs" value on the right pane, RightClick it and select 'delete'

3.-Select the Windows1 on the left pane again and rename it back to its original name, Windows

4.-Use top regedit's menu view->refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

5.-Close regedit, *restart computer!

6.-Navigate to System32 folder, Search for System32\WINBLJ.DLL file, highlight and use the folder's top menu option: "Edit-> Move to folder..."
Browse to and select: C:\junkxxx folder. (It was created during first 'Find-All' run) 'ok' it.

7.-Re-run 'Find-All.cmd' and post new log!


hi

i did twice exactly what you instructed
but the "AppInit_DLLs" is back
and WINBLJ.DLL cannot be found

still waiting ..... thanks


Try the following options:

Download Registrar Lite and install it.
http://www.resplendence.com/reglite

Run, type the key into reglite's Address bar:
(hit 'go')

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

DoubleClick on the 'AppInit_Dlls' value.
You should see this line in the data editor:
C:\WINDOWS\System32\WINBLJ.DLL

RightClick on the 'Windows' Subfolder on left pane marked in purple, and rename it to 'NotWindows'.

DoubleClick on the 'AppInit_Dlls' again, and clear the data (value)
Delete this: C:\WINDOWS\System32\WINBLJ.DLL
Hit 'apply' and 'ok' to set!

Rename the 'NotWindows' back to 'Windows'.

Close reglite. Reopen, check whether the data returned.
If not, restart computer and check again.
As long as the data is listed there, you won't be able to find the 'hidden' file.

If no luck, repeat exact same steps, but this time:
-Rename the 'Windows' Subfolder to 'NotWindows',
Clear the Data, and rename the 'AppInit_Dlls' to 'NotAppInit'.
Rename the 'NotWindows' back to 'Windows', but leave the 'NotAppInit' renamed.
Reboot and check it again.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ummm... What settings do you have there?
According to the system info your main root drive is "E", yet according to the log your %SystemDrive% is C:\...
Where is your windows installation?

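An added example, not code from this thread, from Find-All or from reglite: it does in a script what the helper does by eye on the posted logs, parsing a Find-All style log for the exported Windows key, decoding the AppInit_DLLs value, cross-checking the DLLs it names against the "Locked or 'Suspect' file(s)" list, and comparing two logs to tell whether the value came back after the rename/delete/rename steps. The sample log text, the function names and the end-of-key heuristic in came_back are assumptions of this example.

```python
import re

# Registry key whose AppInit_DLLs value the thread is trying to clear.
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample logs (assumed, not real Find-All output), modelled on this thread's
# logs: the first shows the value as reglite displayed it, the second the log after clean-up.
LOG_BEFORE = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINBLJ.DLL +++ File read error
»»Tasks (services):
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\WINBLJ.DLL"
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
"""

LOG_AFTER = r"""
»»Locked or 'Suspect' file(s) found...
»»Tasks (services):
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
"notAppInit_DLLs"=""
"AppInit_DLLs"=""
"""


def parse_reg_export(text):
    """{key_path: [(value_name, raw_data), ...]} from the REGEDIT4 blocks, in export order."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None and line[:1] in ('"', "@"):
            name, _, data = line.partition("=")
            keys[current].append((name.strip('"'), data))
    return keys


def reg_sz(data):
    """Decode an exported REG_SZ (drop quotes, undo doubled backslashes); other types as written."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def locked_files(text):
    """(path, error) pairs from the 'Locked or Suspect file(s)' section, duplicates collapsed."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("\\\\?\\"):
            path, _, err = line[4:].partition(" +++ ")
            if (path, err) not in found:
                found.append((path, err))
    return found


def appinit_state(text):
    """Summarise one log: presence, position and contents of AppInit_DLLs, AppInit-like
    values under other names, and which DLLs it names that the tool could not read."""
    values = parse_reg_export(text).get(WINDOWS_KEY, [])
    state = {"present": False, "position": None, "loads": [], "renamed": [], "count": len(values)}
    for i, (name, data) in enumerate(values):
        if name == "AppInit_DLLs":
            state["present"], state["position"] = True, i
            # AppInit_DLLs holds a space- or comma-separated list of DLL paths.
            state["loads"] = [p for p in re.split(r"[ ,]+", reg_sz(data)) if p]
        elif "appinit" in name.lower():
            state["renamed"].append(name)
    locked = {p.lower() for p, _ in locked_files(text)}
    state["locked"] = sorted(locked)
    state["locked_loaders"] = [p for p in state["loads"] if p.lower() in locked]
    return state


def came_back(before, after):
    """True when AppInit_DLLs is still (or again) present after a clean-up. Empty-value
    heuristic: a value that something deletes and re-creates is exported last in the key,
    which is how this thread's second log differs from the first (first value -> last)."""
    b, a = appinit_state(before), appinit_state(after)
    if not a["present"]:
        return False
    if a["loads"]:
        return True
    return a["position"] == a["count"] - 1 and b["position"] != a["position"]


if __name__ == "__main__":
    print(appinit_state(LOG_BEFORE), appinit_state(LOG_AFTER), sep="\n")
    print("AppInit_DLLs came back:", came_back(LOG_BEFORE, LOG_AFTER))
```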

hi

i followed your latest steps.

1. following the steps - data returned.
2. following the second set of steps (renaming to notAppInit and leaving it with this name), and following the reboot i got a new line "AppInit..." and also the "notAppInit..."

when i run regedit i see those two lines as well

3. the green arrowed icon "search" on the task bar that appeared in the last few days and should not be there is not present any more.
4. windows xp is in drive C: .


following is the log file:

 

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--

 

 

Fri May 28 19:26:51 2004 -- ??Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

E: "" (7745:02C9) - FS:NTFS clusters:4k

Total: 40 328 511 488 [38G] - Free: 11 508 490 240 [11G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

»»PC uptime:

7:26pm up 0 days, 0:34

 

»»Locked or 'Suspect' file(s) found...

»»Tasks (services):

0 System Process

4 System

640 smss.exe

688 csrss.exe Title:

712 winlogon.exe Title: NetDDE Agent

756 services.exe Svcs: Eventlog,PlugPlay

768 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

976 svchost.exe Svcs: RpcSs

1020 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedu

e,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Them

s,TrkWks,upl

1124 svchost.exe Svcs: Dnscache

1148 svchost.exe Svcs: LmHosts,SSDPSRV,upnphost,WebClient

1304 spoolsv.exe Svcs: Spooler

1440 alg.exe Svcs: ALG

1456 Crypserv.exe Svcs: Crypkey License

1664 GhostStartService.exeSvcs: GhostStartService

1732 nvsvc32.exe Svcs: NVSvc

1800 scardsvr.exe Svcs: SCardSvr

1816 explorer.exe Title: Program Manager

1852 slserv.exe Svcs: SLService

1884 SMAgent.exe Svcs: SoundMAX Agent Service (default)

1920 svchost.exe Svcs: stisvc

1940 Tmntsrv.exe Svcs: Tmntsrv

1992 WFXSVC.EXE Svcs: wfxsvc

180 WFXMOD32.EXE Title: WinFax MOD - NetoDragon 56K Voice Modem

384 PCCPFW.exe Svcs: PCCPFW

520 SMax4PNP.exe Title: SMax4PNP

528 SMax4.exe Title: SoundMax4

536 pccguide.exe Title: PC-cillin Online Registration

544 PCCClient.exe Title: Update...

552 Pop3trap.exe Title: Virus Detected!

580 winh.exe

592 xPlC2.exe Title:

628 wupdater.exe Title:

684 winampa.exe Title:

692 pcnrl.exe Title:

916 realsched.exe Title: Notification Wnd for RNAdmin

968 omniscient.exe

1068 ctfmon.exe Title:

1072 rundll32.exe Title: MediaCenter

1088 Popupkiller.exe Title:

1096 iexplore.exe Title: Internet Explorer

1184 alarm.exe Title:

1228 mapiicon.exe Title: ADSL A2 ICON

1536 WFXCTL32.EXE Title:

2540 wuauclt.exe Title: Auto Update Client Window

3928 emule.exe Title:

560 IEXPLORE.EXE Title: SWI Forums -> a few problems - Microsoft Internet Explorer

516 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

488 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2596 ntvdm.exe

2628 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"notAppInit_DLLs"=""

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E33D2A9-EBA7-49D8-86EB-590187493C94}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}]

"KeyVersion"="2.0.1"

"BHOVersion"="2.0.1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E479EDE1-923E-11D3-B82B-00E09871521B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB512A7E-AE3E-46D2-97AE-EF17E8F18F26}]

@=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

@="XMLMimeFilter MIME Filter Sample"

"CLSID"="{185477EA-B254-4FD5-9F66-95D00AAD1A19}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access NEW\Owner

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access NEW\Owner

 

 

 

»»Group/user settings:

 

 

User: [NEW\Owner], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group NEW\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

NEW\Owner:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR:

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Fri May 28 19:26:56 2004 -- ??Find-All 'Windows'.hiv .reg list:

A E:\spywareinfo\1-27-05-04\Find-All\winBackup.hiv

A E:\spywareinfo\1-27-05-04\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Hmmm..

Im confused.

What have you done?

IS the data value visible in reglite?

 

What's on Drive "E", exactly?

Is that a bootable partition?

 

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

E: "" (7745:02C9) - FS:NTFS clusters:4k

Total: 40 328 511 488 [38G] - Free: 11 508 490 240 [11G]

 

And what's up with these?

536 pccguide.exe Title: PC-cillin Online Registration

544 PCCClient.exe Title: Update...

552 Pop3trap.exe Title: Virus Detected!

580 winh.exe

592 xPlC2.exe Title:

628 wupdater.exe Title:

 

Looks like you have other baddies to take care of, first.

And it would help if you run the Find-all

from the affected drive.

 

Can you list your drive(s) details, and download:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Run, save the results and post the log.


the log from hijackthis :

 

Logfile of HijackThis v1.97.7

Scan saved at 23:39:33, on 28/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\WINDOWS\System32\WFXSVC.EXE

E:\program files\Symantec\WinFax\WFXMOD32.EXE

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe

C:\WINDOWS\xPlC2.exe

C:\Program Files\Common files\updater\wupdater.exe

E:\program files\Winamp\winampa.exe

C:\WINDOWS\pcnrl.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\WindowsSA\omniscient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

C:\WINDOWS\System32\iexplore.exe

E:\program files\Chaos Software2\Chaos 6\alarm.exe

C:\WINDOWS\system32\mapiicon.exe

E:\program files\Symantec\WinFax\WFXCTL32.EXE

C:\WINDOWS\System32\wuauclt.exe

E:\program files\תוכנות אינטרנט\e-mule\eMule\emule.exe

E:\program files\Compass\Compass.exe

C:\Program Files\Internet Explorer\iexplore.exe

E:\program files\Winamp\winamp.exe

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\taboo.exe

C:\Program Files\Internet Explorer\iexplore.exe

E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll

O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll

O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll

O2 - BHO: (no name) - {FB512A7E-AE3E-46D2-97AE-EF17E8F18F26} - C:\WINDOWS\wdrz.dll

O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ADSL_A2] A2Installed

O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe

O4 - HKLM\..\Run: [m2v76960] C:\WINDOWS\xPlC2.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe

O4 - HKLM\..\Run: [fwed] C:\WINDOWS\pcnrl.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [internet Explorer Website Manager] C:\WINDOWS\SYSTEM32\iexplore32w.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [DesktopProf] c:\windows\pulpit.exe ukrt

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe

O4 - HKCU\..\Run: [internet Explorer Website Manager] C:\WINDOWS\SYSTEM32\iexplore32w.exe

O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"

O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe

O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm

O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm

O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html

O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm

O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm

O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O16 - DPF: IEToolbarCab - http://www.dailytoolbar.com/DailyToolbarAff.CAB

O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poalim.co.il/reg/pk/cabs/arpkcom.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/875505/files/installer.cab

O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/Live...ice_4_EN_XP.cab

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://www.traffichog.com/toolbar2/winalot32.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab

O16 - DPF: {AD684060-16D6-40C3-AF27-53956783430D} - http://www.xpehbam.biz/exploit.exe

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EC...034_pack_XP.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

 

------------------------------------------------------------------------------

 

a few answers :

 

the data is visible in reg lite for "applnit_dlls"

not visible for "not applnit..."

 

when i bought the computer it had a 120 gb hard drive.

 

in the shop they divided it into 3 partitions.

when i open "my computer"

each partition C E & F is "local disk file system NTFS"

 

the bootable and windows is the C.

 

items 536 544 552 are in the pc cillin 2002 anti virus program

628 is updater application in c:\program files\common files\updater

about 580, it is an application in c:\windows

 

 

 

THIS IS ALL FOR THE MOMENT


Kewl!

 

I see you have Hebrew Lang Support... ;)Shal0m

 

You have quite a few viral elements there.

Let's try and kill them all first, and leave the 'hidden' problem for last.

 

In hijackthis fix checked:

 

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: (no name) - {FB512A7E-AE3E-46D2-97AE-EF17E8F18F26} - C:\WINDOWS\wdrz.dll

O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe

O4 - HKLM\..\Run: [m2v76960] C:\WINDOWS\xPlC2.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [fwed] C:\WINDOWS\pcnrl.exe

O4 - HKLM\..\Run: [internet Explorer Website Manager] C:\WINDOWS\SYSTEM32\iexplore32w.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [DesktopProf] c:\windows\pulpit.exe ukrt

O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe

O4 - HKCU\..\Run: [internet Explorer Website Manager] C:\WINDOWS\SYSTEM32\iexplore32w.exe

O16 - DPF: IEToolbarCab - http://www.dailytoolbar.com/DailyToolbarAff.CAB

O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/875505/files/installer.cab

O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/Live...ice_4_EN_XP.cab

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://www.traffichog.com/toolbar2/winalot32.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab

O16 - DPF: {AD684060-16D6-40C3-AF27-53956783430D} - http://www.xpehbam.biz/exploit.exe

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EC...034_pack_XP.cab

 

Restart in Safe Mode after fixing these , re-run hijackthis

again, and be sure all pointed lines are gone.

 

Find and delete:

C:\Windows\System32\wsaupdater.exe,

iexplore.exe, iexplore32w.exe

slserv.exe files

(*Don't confuse with Explorer in windows

and iExplore in program files which are

naturally legit, your imposters in System32 are all *viral!)

C:\WINDOWS\winh.exe, xPlC2.exe, pcnrl.exe, alchem.exe files

C:\Program Files\Common files\updater folder

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\taboo.exe

 

That's in a quick surface scan.

I'm not sure I got everything.

 

When done, run all these online

AV scanners, allow them to clean:

 

Computer Associates eTrust Antivirus Web Scanner

 

Panda ActiveScan - Free online scanner

 

BitDefender Scan Online

 

And Download and run: McAfee AVERT Stinger

 

When you have done all that, visit:

http://windowsupdate.microsoft.com

Scan and apply any and all security patches on offer.

 

Run these tools, have them fix all problems:

*Ad-Aware6:

http://www.lavasoftusa.com/software/adaware/

 

*Updates:

http://www.lavasoftsupport.com/index.php?showtopic=28310

 

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

 

*http://www.spywareinfo.com/~merijn/files/CWShredder.exe

 

These won't completely cure the 'AboutBlank' issue, but yet

that is the least of your problems.

 

When done, repost fresh hijackthis log.

Edited by freeatlast

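The fix list above is a manual read of the HijackThis log. As an added example (not part of this thread and not HijackThis' own code), the Python below encodes the same patterns as checks that run over log lines: res:// search pages, a UserInit that is not userinit.exe, unnamed BHOs sitting in the Windows directory, Run entries launching loose executables from C:\WINDOWS or iexplore look-alikes from System32, and O16 entries that pull a bare .exe. The sample lines are copied from the log posted above; the KNOWN_WINDOWS_ROOT_EXES allow-list is an assumption.

```python
import re

# Legitimate XP UserInit value (System32\userinit.exe, trailing comma allowed).
LEGIT_USERINIT = re.compile(r"^c:\\windows\\system32\\userinit\.exe,?$", re.I)
# Programs Windows itself keeps directly in C:\WINDOWS (assumed allow-list).
KNOWN_WINDOWS_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}
# The real iexplore.exe lives in Program Files; iexplore*.exe in System32 is an imposter.
IE_LOOKALIKE = re.compile(r"^iexplore\w*\.exe$", re.I)
# HijackThis 1.97 line shape: "<kind> - <body>", kind is R0/R1/F2/O2/O4/O16...
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


def _path_parts(path):
    """Split a Windows path into lower-cased components, dropping quotes."""
    return [p.lower() for p in path.strip().strip('"').split("\\")]


def _run_target(body):
    # Extract the program path from 'HKLM\..\Run: [name] "C:\dir\prog.exe" /arg'.
    # Unquoted paths containing spaces are only captured up to the first space,
    # which is enough to see which directory tree they come from.
    m = re.search(r'\]\s*("[^"]+"|\S+)', body)
    return m.group(1).strip('"') if m else ""


def triage_line(line):
    """Return the reasons one HijackThis line is suspicious ([] if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if kind in ("R0", "R1") and "res://" in body.lower():
        reasons.append("search/start page served from a local DLL resource (res://)")
    if kind == "F2" and "userinit=" in body.lower():
        value = body.split("=", 1)[1].strip()
        if not LEGIT_USERINIT.match(value):
            reasons.append("UserInit replaced: " + value)
    if kind == "O2" and "(no name)" in body:
        parts = _path_parts(body.rsplit(" - ", 1)[-1])
        in_windows = len(parts) == 3 and parts[1] == "windows"
        in_system32 = len(parts) == 4 and parts[1] == "windows" and parts[2] == "system32"
        if in_windows or in_system32:
            reasons.append("unnamed BHO loaded from the Windows directory: " + parts[-1])
    if kind == "O4" and "run:" in body.lower():
        parts = _path_parts(_run_target(body))
        if len(parts) > 1 and parts[0].endswith(":") and parts[1] == "windows":
            exe = parts[-1]
            if len(parts) == 3 and exe not in KNOWN_WINDOWS_ROOT_EXES:
                reasons.append("Run entry launches loose executable in C:\\WINDOWS: " + exe)
            if len(parts) == 4 and parts[2] == "system32" and IE_LOOKALIKE.match(exe):
                reasons.append("Run entry launches Internet Explorer look-alike from System32: " + exe)
    if kind == "O16" and body.rsplit(" - ", 1)[-1].strip().lower().endswith(".exe"):
        reasons.append("ActiveX (DPF) entry downloads a bare executable")
    return reasons


def triage_log(text):
    """Map each suspicious log line to its reasons, in log order."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Constructed sample: a dozen lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9
"""

if __name__ == "__main__":
    for hit, why in triage_log(SAMPLE_LOG).items():
        print(hit)
        for reason in why:
            print("    ->", reason)
```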

hii

 

i did all the steps

 

a lot of work

 

you seem to be an expert !

 

----------------------------------------------------

following is the hijackthis log :

 

Logfile of HijackThis v1.97.7

Scan saved at 22:23:56, on 29/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\WINDOWS\System32\WFXSVC.EXE

E:\program files\Symantec\WinFax\WFXMOD32.EXE

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe

E:\program files\Winamp\winampa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\WindowsSA\omniscient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

E:\program files\Chaos Software2\Chaos 6\alarm.exe

C:\WINDOWS\system32\mapiicon.exe

E:\program files\Symantec\WinFax\WFXCTL32.EXE

E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll

O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll

O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ADSL_A2] A2Installed

O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"

O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe

O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm

O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm

O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html

O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm

O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm

O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poalim.co.il/reg/pk/cabs/arpkcom.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9


Well done!

 

We're still left with the other problem.

 

Try repeating the same steps as before to rename

the 'Windows' folder and delete the data.

After renaming the 'Windows' Subfolder, leave the

registry open and wait for about 10~20 seconds.

Delete both 'AppInit_Dlls' values.

Wait few seconds and rename Windows1 back to Windows.

As was pointed here:

http://www.spywareinfoforum.com/index.php?ac...indpost&p=11945

 

P.S

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

 

Stands for some dodgy search assistant on the task bar.

You should be able to find uninstaller in Add/remove.

Uninstall and delete the folder (if left) from program files.

 

And find and delete this cr@p:

c:\windows\pulpit.exe if still there. (left off your previous post)

Edited by freeatlast


hii again !

 

1. I tried twice to delete "applinit..."

but following the restart of the computer

this item is back again.

 

2. i deleted the folder \windowsSA

could not find this program at the add/remove.

 

3. i deleted pulpit.exe

 

4. on the task bar there is a button : "search"

with a place to type the item i want to search

this button is for "blaze find,google,yahoo or msn"

 

following is the present hijackthis log :

 

Logfile of HijackThis v1.97.7

Scan saved at 19:43:45, on 30/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\WINDOWS\System32\WFXSVC.EXE

E:\program files\Symantec\WinFax\WFXMOD32.EXE

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe

E:\program files\Winamp\winampa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

E:\program files\Chaos Software2\Chaos 6\alarm.exe

C:\WINDOWS\system32\mapiicon.exe

E:\program files\Symantec\WinFax\WFXCTL32.EXE

E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll

O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll

O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ADSL_A2] A2Installed

O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"

O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe

O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm

O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm

O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html

O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm

O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm

O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poalim.co.il/reg/pk/cabs/arpkcom.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

 

 

 

that's all for the moment

thanks


***Edited for new steps:***

 

*In reglite or regedit open the 'Windows' key.

(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)

 

*RightClick on the Windows Subfolder,

And rename Windows as Windows1

 

**Restart computer!!!

(That key won't be loaded)

 

*Find:

C:\WINDOWS\System32\*WINBLJ.DLL

as it should be visible, and

use the folder's top menu

option : "Edit-> Move to folder..."

*Browse to and select: C:\junkxxx folder

'ok' it.

 

In regedit/reglite-

*Rename the Windows1 back to its

original name, Windows.

 

*RightClick on Any 'AppInit.../'notAppInit' Values(only!) left on the

right pane and delete.

 

*Re-run 'Find-All.cmd' and post the log.

 

 

And do this as well:

In hijackthis>config>misc tools

*generate startup list and post it.

(Check the other extra check boxes as well)

Edited by freeatlast

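The registry steps above work because the AppInit_DLLs value under the 'Windows' key is what keeps the hijacker DLL loaded into every process; renaming the key for one boot stops that load so the file can be moved. As an added example (not from this thread, Find-All or Reglite), the Python below parses a REGEDIT4 export of that key in the format Find-All prints in this thread, lists any AppInit-style value with the DLLs it names, and flags every value not in the six-value XP baseline seen in the cleaned log. The sample export is constructed: the six baseline values from the log plus an injected AppInit_DLLs entry pointing at WINBLJ.DLL.

```python
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Value names present in the cleaned key in the Find-All log (XP defaults).
BASELINE_VALUES = {
    "DeviceNotSelectedTimeout", "GDIProcessHandleQuota", "Spooler",
    "swapdisk", "TransmissionRetryTimeout", "USERProcessHandleQuota",
}

# "name"=data  (name may contain escaped quotes; data is "..." or dword:/hex:)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo REGEDIT4 string escaping: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_regedit4(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue          # default values (@=) and junk lines are ignored
        name, data = _unescape(m.group("name")), m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])      # REG_SZ
        keys[current][name] = data            # dword:/hex: kept verbatim
    return keys


def audit_windows_key(text):
    """Report AppInit-style loaders and any value outside the XP baseline."""
    values = parse_regedit4(text).get(WINDOWS_KEY, {})
    report = {"appinit_dlls": [], "unexpected_values": []}
    for name, data in values.items():
        # Match case-insensitively so look-alike names (the 'notAppInit' value
        # mentioned in this thread) are caught as well as the real one.
        if "appinit" in name.lower():
            dlls = [d for d in re.split(r"[ ,]+", data) if d]
            report["appinit_dlls"].append((name, dlls))
        if name not in BASELINE_VALUES:
            report["unexpected_values"].append(name)
    return report


# Constructed sample export: baseline values from the log plus an injected loader.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\WINBLJ.DLL"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
'''

if __name__ == "__main__":
    result = audit_windows_key(SAMPLE_EXPORT)
    for name, dlls in result["appinit_dlls"]:
        print("loader value %r loads: %s" % (name, ", ".join(dlls)))
    print("values outside XP baseline:", result["unexpected_values"])
```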

hii

 

here is the "find all" output file :

 

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--

 

 

Mon May 31 19:46:38 2004 -- ??Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

E: "" (7745:02C9) - FS:NTFS clusters:4k

Total: 40 328 511 488 [38G] - Free: 11 401 306 112 [11G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

»»PC uptime:

7:46pm up 0 days, 0:04

 

»»Locked or 'Suspect' file(s) found...

 

 

»»Tasks (services):

0 System Process

4 System

640 smss.exe

688 csrss.exe Title:

712 winlogon.exe Title: NetDDE Agent

756 services.exe Svcs: Eventlog,PlugPlay

768 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

964 svchost.exe Svcs: RpcSs

1012 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedu

e,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Them

s,TrkWks,upl

1116 svchost.exe Svcs: Dnscache

1140 svchost.exe Svcs: LmHosts,SSDPSRV,upnphost,WebClient

1272 spoolsv.exe Svcs: Spooler

1436 alg.exe Svcs: ALG

1452 Crypserv.exe Svcs: Crypkey License

1492 GhostStartService.exeSvcs: GhostStartService

1656 explorer.exe Title: Program Manager

1724 nvsvc32.exe Svcs: NVSvc

1772 scardsvr.exe Svcs: SCardSvr

1852 SMAgent.exe Svcs: SoundMAX Agent Service (default)

1904 svchost.exe Svcs: stisvc

1928 Tmntsrv.exe Svcs: Tmntsrv

2004 WFXSVC.EXE Svcs: wfxsvc

128 WFXMOD32.EXE Title: WinFax MOD - NetoDragon 56K Voice Modem

432 PCCPFW.exe Svcs: PCCPFW

468 SMax4PNP.exe Title: SMax4PNP

476 SMax4.exe Title: SoundMax4

496 pccguide.exe Title: PC-cillin Online Registration

504 PCCClient.exe Title: Update...

516 Pop3trap.exe Title: Virus Detected!

684 winampa.exe Title:

956 realsched.exe Title: Notification Wnd for RNAdmin

340 ctfmon.exe Title:

1352 rundll32.exe Title: MediaCenter

1384 Popupkiller.exe Title:

1576 alarm.exe Title:

1608 mapiicon.exe Title: ADSL A2 ICON

1700 WFXCTL32.EXE Title:

2616 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2648 ntvdm.exe

2688 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E33D2A9-EBA7-49D8-86EB-590187493C94}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E479EDE1-923E-11D3-B82B-00E09871521B}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{60C5505D-6DC0-496E-BFD5-A3E21CF534FC}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

@="XMLMimeFilter MIME Filter Sample"

"CLSID"="{60C5505D-6DC0-496E-BFD5-A3E21CF534FC}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access NEW\Owner

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access NEW\Owner

 

 

 

»»Group/user settings:

 

 

User: [NEW\Owner], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group NEW\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

NEW\Owner:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

C:\junkxxx\winblj.dll BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

NEW\Owner:F

BUILTIN\Users:R

 

 

»»Contents of file(s) in 'junk' folder:

winblj.dll

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

efee2cb3b342a351518023569637f8e6 winblj.dll

 

21504 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

File: <C:\junkxxx\winblj.dll>

 

CRC-32 : 2258F59E

 

GOST-Hash : F42E093C 80C70BC8 75790792 68F0F8E9 9F75A28A 27BDA35B

 

A9360001 B8345422

 

HAVAL-5-256 : 9F6DE729 B2A810CC DC13EB20 F4A1C014 F60F9CDD A805DE43

 

BCD21E27 0F6E07A6

 

MD5 : EFEE2CB3 B342A351 51802356 9637F8E6

 

SHA-512 : 74B06308 B81214FF 3BDFD312 C4C80C8B 03D5A678 34ABF990

 

DD60FDDA 9D9C1750 B0A58E5E CFA912FE 3D9C0BFF B3C2F738

 

A3411993 3CE4F18F 96F0917B 6F04A053

 

 

 

 

Mon May 31 19:46:40 2004 -- ??Find-All 'Windows'.hiv .reg list:

A E:\SPYWAR~1\1-27-0~1\Find-All\winBackup.hiv

A E:\SPYWAR~1\1-27-0~1\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Following is the StartupList output:

-----------------------------------------

 

 

StartupList report, 31/05/2004, 19:50:48

StartupList version: 1.52

Started from : E:\program files\תוכנות אינטרנט\hijack this\HijackThis.EXE

Detected: Windows XP SP1 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\WINDOWS\System32\WFXSVC.EXE

E:\program files\Symantec\WinFax\WFXMOD32.EXE

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe

E:\program files\Winamp\winampa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

E:\program files\Chaos Software2\Chaos 6\alarm.exe

C:\WINDOWS\system32\mapiicon.exe

E:\program files\Symantec\WinFax\WFXCTL32.EXE

C:\Program Files\Internet Explorer\iexplore.exe

E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

C:\WINDOWS\System32\notepad.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Owner\תפריט התחלה\תוכניות\הפעלה]

*No files*

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה]

ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe

Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

SoundMAXPnP = C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

SoundMAX = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"

PCCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"

Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

ADSL_A2 = A2Installed

PopUpInspector.exe =

WinampAgent = E:\program files\Winamp\winampa.exe

NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

Ultimate Popup Killer = E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

Host =

alarm.exe = "E:\program files\Chaos Software2\Chaos 6\alarm.exe"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

 

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

 

[>{26923b43-4d38-484f-9b9e-de460746276c}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

 

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

 

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *

StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

 

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]

StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\system32\ie4uinit.exe

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=

run=

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINDOWS\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINDOWS\Explorer\Explorer.exe: not present

C:\WINDOWS\System\Explorer.exe: not present

C:\WINDOWS\System32\Explorer.exe: not present

C:\WINDOWS\Command\Explorer.exe: not present

C:\WINDOWS\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Regedit.exe has no CompanyName property! It is either missing or named something else.

- Regedit.exe has no OriginalFilename property! It is either missing or named something else.

- Regedit.exe has no FileDescription property! It is either missing or named something else.

 

Registry check failed!

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}

(no name) - C:\WINDOWS\System32\mmae.dll - {0E33D2A9-EBA7-49D8-86EB-590187493C94}

(no name) - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}

(no name) - E:\program files\Compass\CmpsIE.dll - {E479EDE1-923E-11D3-B82B-00E09871521B}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

*No jobs found*

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[Microsoft XML Parser for Java]

CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab

OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

 

[{00000032-0000-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/msnaudio.CAB

 

[YInstStarter Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll

CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

 

[{33564D57-0000-0010-8000-00AA00389B71}]

CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

 

[{33564D57-9980-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

 

[ARSign Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\arpkcom.dll

CODEBASE = https://www.join.poalim.co.il/reg/pk/cabs/arpkcom.cab

 

[WScanCtl Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll

CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

 

[AvxScanOnline Control]

InProcServer32 = C:\WINDOWS\AvxOScan\BITDEF~1.OCX

CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

 

[ActiveScan Installer Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll

CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[LauncherV1 Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\launcher.ocx

CODEBASE = http://irc.tapuz.co.il/sp/launcher.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINDOWS\System32\mswsock.dll

NameSpace #2: C:\WINDOWS\System32\winrnr.dll

NameSpace #3: C:\WINDOWS\System32\mswsock.dll

Protocol #1: C:\WINDOWS\system32\mswsock.dll

Protocol #2: C:\WINDOWS\system32\mswsock.dll

Protocol #3: C:\WINDOWS\system32\mswsock.dll

Protocol #4: C:\WINDOWS\system32\rsvpsp.dll

Protocol #5: C:\WINDOWS\system32\rsvpsp.dll

Protocol #6: C:\WINDOWS\system32\mswsock.dll

Protocol #7: C:\WINDOWS\system32\mswsock.dll

Protocol #8: C:\WINDOWS\system32\mswsock.dll

Protocol #9: C:\WINDOWS\system32\mswsock.dll

Protocol #10: C:\WINDOWS\system32\mswsock.dll

Protocol #11: C:\WINDOWS\system32\mswsock.dll

Protocol #12: C:\WINDOWS\system32\mswsock.dll

Protocol #13: C:\WINDOWS\system32\mswsock.dll

Protocol #14: C:\WINDOWS\system32\mswsock.dll

Protocol #15: C:\WINDOWS\system32\mswsock.dll

Protocol #16: C:\WINDOWS\system32\mswsock.dll

Protocol #17: C:\WINDOWS\system32\mswsock.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)

aeaudio: system32\drivers\aeaudio.sys (manual start)

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)

Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)

Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)

ITeX ADSL Management and Monitor Interface: System32\DRIVERS\amgmwan.sys (autostart)

Digital Camera(E)(video): System32\DRIVERS\aox402vc.sys (manual start)

Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)

Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)

ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)

Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)

CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)

Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)

COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

Crypkey License: crypserv.exe (autostart)

Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Disk Driver: System32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

dmio: System32\drivers\dmio.sys (disabled)

dmload: System32\drivers\dmload.sys (disabled)

Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)

DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)

Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)

3Com 3C2000x EtherLink XL Adapter: System32\DRIVERS\EL2K_XP.sys (manual start)

Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

CryptoIdentity 5: System32\Drivers\euci5.sys (manual start)

CryptoIdentity Reader: System32\Drivers\euci5r.sys (manual start)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)

Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)

Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)

Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)

GhostStartService: E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe (autostart)

GhostPciScanner: \??\E:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys (system)

GMSIPCI: \??\D:\INSTALL\GMSIPCI.SYS (manual start)

Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)

hardlock: \??\C:\WINDOWS\System32\drivers\hardlock.sys (autostart)

Haspnt: \??\C:\WINDOWS\System32\drivers\Haspnt.sys (autostart)

Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)

CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)

IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)

IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)

IPSEC driver: System32\DRIVERS\ipsec.sys (system)

IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)

PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)

ITeX ADSL PCI NIC Service: System32\DRIVERS\itexwana.sys (manual start)

Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

MidiSyn: system32\drivers\MidiSyn.sys (manual start)

NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)

Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)

Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)

WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)

MRXSMB: System32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)

Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)

Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)

Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)

Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)

Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)

Mtlmnt5: System32\DRIVERS\Mtlmnt5.sys (manual start)

Mtlstrm: System32\DRIVERS\Mtlstrm.sys (manual start)

NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)

Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)

Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)

NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: System32\DRIVERS\netbios.sys (system)

NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (manual start)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)

Net Logon: %SystemRoot%\System32\lsass.exe (manual start)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

NetworkX: \SystemRoot\system32\ckldrv.sys (system)

Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

NtMtlFax: System32\DRIVERS\NtMtlFax.sys (manual start)

nv: System32\DRIVERS\nv4_mini.sys (manual start)

NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)

IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)

Parallel port driver: System32\DRIVERS\parport.sys (manual start)

PC-cillin PersonalFirewall: C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe (autostart)

PC-Cillin Personal Firewall: \SystemRoot\System32\Drivers\PCC_PFW.sys (autostart)

PCI Bus Driver: System32\DRIVERS\pci.sys (system)

PCIIde: System32\DRIVERS\pciide.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)

WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

Processor Driver: System32\DRIVERS\processr.sys (system)

Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)

QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)

Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)

PxHelp20: System32\DRIVERS\PxHelp20.sys (system)

Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP)‎: System32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)

Direct Parallel: System32\DRIVERS\raspti.sys (manual start)

Rdbss: System32\DRIVERS\rdbss.sys (system)

RDPCDD: System32\DRIVERS\RDPCDD.sys (system)

Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)

Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (autostart)

Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Digital Camera(E)(still): System32\DRIVERS\aox402sc.sys (manual start)

Secdrv: System32\DRIVERS\secdrv.sys (manual start)

Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

SecurityToolsObj: C:\Program Files\ARL\CryptoKit\utils\SecurityToolsObj.exe (manual start)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)

Serial port driver: System32\DRIVERS\serial.sys (system)

Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)

NetoDragon AMR_PCI Driver: System32\DRIVERS\slntamr.sys (manual start)

SlNtHal: System32\DRIVERS\Slnthal.sys (manual start)

SmartLinkService: slserv.exe (autostart)

SlWdmSup: System32\DRIVERS\SlWdmSup.sys (manual start)

smwdm: system32\drivers\smwdm.sys (manual start)

SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)

Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

System Restore Filter Driver: System32\DRIVERS\sr.sys (system)

System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Srv: System32\DRIVERS\srv.sys (manual start)

SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)

BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)

Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{D7F8C73E-5742-4C58-8602-7A93FB490009} (manual start)

Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)

Terminal Device Driver: System32\DRIVERS\termdd.sys (system)

Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Tmfilter: System32\drivers\TmXPFlt.sys (autostart)

Trend NT Realtime Service: "C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe" (autostart)

Tmpreflt: System32\drivers\Tmpreflt.sys (autostart)

Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Microcode Update Driver: System32\DRIVERS\update.sys (manual start)

Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)

Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)

Digital Camera(E): System32\DRIVERS\usbhub.sys (autostart)

Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)

v90drv: System32\DRIVERS\v90drv.sys (manual start)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

Vsapint: System32\drivers\Vsapint.sys (autostart)

Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)

Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

WinFax PRO: C:\WINDOWS\System32\WFXSVC.EXE (autostart)

Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)

סביבת תמיכה של ספק שירות Windows Socket 2.0 Non-IFS: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)

World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)

Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

 

--------------------------------------------------

End of report, 33,740 bytes

Report generated in 0.125 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

 

 

 

hoping to "hear" from you soon

 

best regards .....


Finally! :cool:

 

I didn't look at your startup list yet, but let's

wrap up the 'AboutBlanc' first, following these steps:

 

 

Open the 'Find-All'\Tools Subfolder.

DoubleClick once on: "ZIPZAP.bat" file!

 

It will quickly/silently do this:

*Restore your key &Security

back to defaults

*Reset permissions on the junkxxx\*.dll moved file

*Create zipped copy in the same folder: "junkxxx.zip"

*Open your email client with given addresses for submission!

 

--Drag the 'junkxxx.zip' and submit the

attachment to the specified addresses! Thanks ;)

 

When done, Delete the "junkxxx.zip"

as well as the "junkxxx" folder in C:\ and the 'Find-All' folder(s).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next, you need to clear all the elements the hijacker downloaded!

Run these tools again, as they should work properly now,

have them fix all problems:

*Ad-Aware6+latest updates

*CWShredder

 

Into your next reply just attach fresh hijackthis log.


freeatlast,

Just curious about a few things ...

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

If a user is properly patched, shouldn't that entry be blank? (mine is)

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

May be missing: Security Update for Windows Media Player (KB828026)

(should be > 9.0.0.2980)

 

I didn't look at your startup list yet

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named something else.
- Regedit.exe has no OriginalFilename property! It is either missing or named something else.
- Regedit.exe has no FileDescription property! It is either missing or named something else.

Registry check failed!


Thanks, WinHelp200, but all is well ;)

 

Re: »»M$Java version:

Mine is the same.

It would only be blank if it was substituted by Sun Java.

As that is the latest

Msjava.dll; noted on ~90% of logs, myself included! (All boxes)

 

Re: »»Wmplayer version:

Not so.

Unless updated to WMP9, that is the correct default version.

 

Re: Regedit,

It exists, since we *used* it as part of the process.

I believe it's detected that way because

'samantha34f' has 'Hebrew' Windows

version: e.g:

(C:\Documents and Settings\

All Users\תפריט התחלה\תוכניות\הפעלה)

 

P.S:

It would be a good idea to add it to

version/size in my 'next Find-All'! :D


freeatlast,

It would only be blank if it was substituted by Sun Java.

No Sun Java here and mine is blank, I forget which patch removed msjava.dll.

 

MinorVersion: (mine reads)

SP1;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167

 

I believe it's detected that way because 'samantha34f' has 'Hebrew' Windows

Thanks ... good thing to remember :wave:

No Sun Jave here and mine is blank, I forget which patch removed msjava.dll.

No patch I know of removed M$java.dll from any of my 4 boxes.

Notably second copy in the dllcache, dated same as SP4 (for 2K)

And detected that way on most (patched) logs.

Last official update for IE was: 'Q832894',

No idea if M$ 'patched' MsJava.dll on XP due to infamous 'Sun' 'deal' and start of 'migrating' process,

but w/o Sun, this IS used as default java runtime,

or else there is no java! :D

 

Maintenance time? :wave:

 

 

samantha34f, next:

http://www.spywareinfoforum.com/index.php?ac...indpost&p=15792


hii

 

i followed all the steps from today.

 

did not understand what you mean by "clear all the elements

the hijacker downloaded"

 

 

following is the new hijackthis log :

 

Logfile of HijackThis v1.97.7

Scan saved at 18:26:54, on 01/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\WINDOWS\System32\WFXSVC.EXE

E:\program files\Symantec\WinFax\WFXMOD32.EXE

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe

E:\program files\Winamp\winampa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

E:\program files\Chaos Software2\Chaos 6\alarm.exe

C:\WINDOWS\system32\mapiicon.exe

E:\program files\Symantec\WinFax\WFXCTL32.EXE

E:\program files\תוכנות אינטרנט\e-mule\eMule\emule.exe

C:\Program Files\ARL\CryptoKit\utils\SecurityToolsObj.exe

E:\program files\Winamp\winamp.exe

E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll

O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll

O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ADSL_A2] A2Installed

O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"

O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe

O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm

O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm

O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html

O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm

O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm

O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poalim.co.il/reg/pk/cabs/arpkcom.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

 

thanks !


What I meant is that you need to scan now

with dedicated removal tools to remove what

is left, after the 'hidden' file.

 

Here are the same steps which I've advised before:

 

Run these tools, have them fix all problems:

*Ad-Aware6, Download and Install:

http://www.lavasoftusa.com/software/adaware/

 

*Recent Updates:

http://www.lavasoftsupport.com/index.php?showtopic=28310

 

How To: Perform a "Full Scan" With Ad-aware 6 Build 181:

http://www.lavahelp.com/howto/fullscan/index.html

 

Download, run and fix:

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

 

Unless you do so, the items still left won't be

fully/properly removed.

 

When done, rescan with hijackthis, save the

log and post it.

 

I assume at this point the 'junkxxx' folder and its contents are gone!


hii

 

i followed all the last instructions

 

ad aware found 429 items.

i removed all except one

that could not be removed

c:\windows\system32\mmae.dll

 

here is the new hijackthis log :

 

 

Logfile of HijackThis v1.97.7

Scan saved at 19:14:42, on 01/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\WINDOWS\System32\WFXSVC.EXE

E:\program files\Symantec\WinFax\WFXMOD32.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe

E:\program files\Winamp\winampa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

E:\program files\Chaos Software2\Chaos 6\alarm.exe

C:\WINDOWS\system32\mapiicon.exe

E:\program files\Symantec\WinFax\WFXCTL32.EXE

E:\PROGRA~1\2B5C~1\FlashGet\flashget.exe

C:\Program Files\Internet Explorer\iexplore.exe

E:\program files\תוכנות אינטרנט\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll

O2 - BHO: (no name) - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\program files\Compass\CmpsIE.dll

O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ADSL_A2] A2Installed

O4 - HKLM\..\Run: [WinampAgent] E:\program files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ultimate Popup Killer] E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.exe

O4 - HKCU\..\Run: [alarm.exe] "E:\program files\Chaos Software2\Chaos 6\alarm.exe"

O4 - HKLM\..\RunOnce: [Ad-aware] "E:\program files\תוכנות אינטרנט\Ad-aware 6\Ad-aware.exe" "+b1"

O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe

O4 - Global Startup: Controller.LNK = E:\program files\Symantec\WinFax\WFXCTL32.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm

O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm

O8 - Extra context menu item: Allow popups - file://E:\program files\תוכנות אינטרנט\Ultimate Popup Killer\Popupkiller.html

O8 - Extra context menu item: Stop popups from this web page - E:\program files\תוכנות אינטרנט\popup killer\denysite.htm

O8 - Extra context menu item: הורד באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_link.htm

O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - E:\PROGRA~1\2B5C~1\FlashGet\jc_all.htm

O9 - Extra button: FlashGet (HKLM)

O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} (ARSign Class) - https://www.join.poalim.co.il/reg/pk/cabs/arpkcom.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

O17 - HKLM\System\CS1\Services\Tcpip\..\{2BACF397-9623-4F68-A6FB-4AE50872D9F0}: NameServer = 192.116.202.222 192.116.192.9

 

 

 

the home page at the moment is a real blank page

 

 

bye

O4 - HKLM\..\RunOnce: [Ad-aware]

"E:\program files\תוכנות אינטרנט\Ad-aware 6\Ad-aware.exe" "+b1"

 

That means it has to run again on restart to complete the task!

 

Run CWShredder next, it should remove the file.

 

Failing that, restart in Safe mode and delete:

WINDOWS\System32\mmae.dll file manually! (if found)

 

It's no longer on your log! :D

 

Fix checked these in hijackthis:

*R1 - HKCU\Software\Microsoft\

Internet Explorer\Main,Start Page_bak = about:blank

*R1 - HKCU\Software\Microsoft\

Internet Explorer\Main,HomeOldSP = about:blank

 

 

Go to IE options, reset your preferred home page!

 

Consider problem solved! :wave:

 

 

P.S

 

That email for 'junkxxx' is mine ;) nothing to worry about..

If sent, fine. Otherwise delete it.

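The helper's read of the two logs above (res:// search entries and a nameless BHO pointing at the same System32 DLL, the leftover about:blank values, and a RunOnce entry that means a cleaner still has to finish on reboot) can be automated. This is an added example, not part of the thread or of HijackThis; the sample log lines are constructed from the entries quoted in the thread, with the Ad-aware path shortened.

```python
"""Flag the about:blank / res:// search hijack pattern in a HijackThis log.

Added example; not part of the forum thread or of HijackThis itself.
"""
import re

# Constructed sample: a subset of the poster's HijackThis log from the thread above
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mmae.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {0E33D2A9-EBA7-49D8-86EB-590187493C94} - C:\WINDOWS\System32\mmae.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\2B5C~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\2B5C~1\FlashGet\fgiebar.dll
O4 - HKLM\..\RunOnce: [Ad-aware] "E:\program files\Ad-aware 6\Ad-aware.exe" "+b1"
"""

# "R1 - <registry key> = <value>", "O2 - BHO: ...", "O4 - ...": kind code, then body
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A search/start page served out of a DLL's resource section (the hijack signature)
RES_RE = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUNONCE_RE = re.compile(r"RunOnce: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_entries(text):
    """Yield (kind, body) for every HijackThis R*/O* line; skip header lines."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def analyse(text):
    """Correlate R0/R1 res:// targets with O2 BHOs and list what is left to fix."""
    res_dlls = {}      # dll basename -> registry values it is serving pages for
    about_blank = []   # R0/R1 values still set to about:blank
    bhos = []          # (clsid, dll path) for every O2 line
    run_once = []      # (name, command) for RunOnce entries pending a reboot
    for kind, body in parse_entries(text):
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            m = RES_RE.search(value)
            if m:
                res_dlls.setdefault(basename(m.group("dll")), []).append(key)
            elif value.split()[0].lower() == "about:blank":
                about_blank.append(key)
        elif kind == "O2":
            m = BHO_RE.match(body)
            if m:
                bhos.append((m.group("clsid"), m.group("path")))
        elif kind == "O4":
            m = RUNONCE_RE.search(body)
            if m:
                run_once.append((m.group("name"), m.group("cmd")))
    # A BHO whose DLL is the one serving the fake search page is the hijacker component
    hijacker_bhos = [(c, p) for c, p in bhos if basename(p) in res_dlls]
    fix_keys = sorted(k for keys in res_dlls.values() for k in keys) + about_blank
    return {
        "res_dlls": res_dlls,
        "hijacker_bhos": hijacker_bhos,
        "about_blank_keys": about_blank,
        "pending_runonce": run_once,
        "fix_in_hijackthis": fix_keys,
    }


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for clsid, path in findings["hijacker_bhos"]:
        print(f"hijacker BHO {clsid} -> {path}")
    for key in findings["fix_in_hijackthis"]:
        print(f"fix in HijackThis: {key}")
    for name, cmd in findings["pending_runonce"]:
        print(f"RunOnce pending reboot: [{name}] {cmd}")
```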

Hii

 

i want to thank you for your effort

 

computer is fine now

(not 100%)

 

but whose is 100% these days

 

 

T H A N K S
