Recurring hijacker


44 replies to this topic

#1 aquaman (Full Member, 25 posts)

Posted 27 May 2004 - 08:51 PM

I have been on the forum at Lavasoft (Ad-Aware); I have Ad-Aware Plus. I have been trying for a week to get this handled. The last thing that we tried was dllfix; it hung up, and that is how I got here, from the text pages within the program. I need some help. I have read over both preventing and removal of browser hijacking. I am looking into switching over my browser to the one prescribed. I would like to know if this can be fixed first. My first problem is that "windows\System32\bridge.dll: specified module cannot be found" comes up when starting Windows XP Pro. I have run Ad-Aware and HijackThis. HijackThis will remove the problem in safe mode, but rebooting and running HijackThis without opening anything else brings up the bad files, and it will not remove them in regular mode. I have searched for iesearch.exe and searchpage.html and have not found them; I searched in safe mode with hidden files selected.

I am willing to donate if this problem can be fixed.

Thanks Dan

#2 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 06:53 AM

Can you post a hijackthis log please?



#3 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 08:56 AM

Logfile of HijackThis v1.97.7
Scan saved at 8:55:27 AM, on 5/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\System32\EXSHOW95.EXE
C:\WINDOWS\System32\EXSHOW.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\MINOLTA-QMS\Printer tools_NT\SP601.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [AntiSpyMonitor] C:\Program Files\SpyDetector\spymonitor.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MINOLTA-QMS PagePro 1250E Printer Tools.lnk = C:\Program Files\MINOLTA-QMS\Printer tools_NT\SP601.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I can fix this, but when you rescan it comes right back. If I go into safe mode it will fix and rescan clean, but when I reboot in regular mode it is back.

Thanks Dan
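A small triage pass over the R0/R1/O4 lines of a HijackThis log, as an added example (not HijackThis code and not part of the thread). The three heuristics, IE start/search pages served out of a DLL with res://, entries HijackThis itself marks "(obfuscated)", and an autorun that loads a DLL through rundll32, are taken from the entries in the log above; the sample lines are a constructed subset of it.

```python
"""Triage heuristics for HijackThis R0/R1/O4 lines (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-search.com/home.html (obfuscated)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
"""

# "<kind> - <body>" where kind is R0, R1, O4, ...
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# R lines: "<hive>\<key>,<value name> = <data>" with an optional " (obfuscated)" suffix
R_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*?)(?P<obf> \(obfuscated\))?$")
# Registry-based O4 lines: "<hive>\..\Run: [<label>] <command line>" (Startup-folder O4 lines differ)
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<where>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# res:// URLs point IE at an HTML page embedded in a DLL's resource section
RES_DLL_RE = re.compile(r"^res://.+\.dll/", re.IGNORECASE)
# rundll32 invoking an export from a DLL: rundll32.exe "<dll>",<Export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips a heuristic; clean lines are skipped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons: list[str] = []
        if kind in ("R0", "R1"):
            r = R_RE.match(body)
            if r:
                value = r.group("value")
                if RES_DLL_RE.match(value):
                    reasons.append(f"IE '{r.group('name')}' served from a DLL resource: {value}")
                if r.group("obf"):
                    reasons.append(f"IE '{r.group('name')}' stored obfuscated in the registry")
        elif kind == "O4":
            o = O4_RE.match(body)  # Startup-folder O4 lines do not match and are not judged here
            if o:
                rd = RUNDLL_RE.match(o.group("cmd"))
                if rd:
                    reasons.append(f"autorun [{o.group('label')}] loads {rd.group('dll')} through rundll32")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for why in f.reasons:
            print("   ->", why)
```

Lines that trip nothing (the AVG, ctfmon and Startup-folder entries in the sample) are not reported, so the output is a shortlist to review, not a verdict.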

#4 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 09:09 AM

OK, check and fix this one:

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load


Also, can you post the logs.txt from the dllfix hanging up? Or provide a link to your post from the other board?



#5 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 10:44 AM

http://www.lavasofts...=0

I have fixed the O4 before and each time it comes back. It fixes only in safe mode.

This is from the other board:
program stalled on (Restoring Cleaned Appinit Value
Value Appinit_Dlls exists, overwrite(Y/N)?
The operation completed successfully)

It got as far as "Restoring Cleaned Appinit Value"; it never got to the second line. After an hour I restarted the computer. It did not go back into the program, so I started it over (it says "cannot write to file, file already exists").

Thanks for the help Dan

By the way, if I switch to the other browser, do I still have to fix these problems?

#6 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 11:13 AM

OK, rename the folder for dllfix that you have now; we may need some things from it later.
Please download a fresh copy, as I have updated it for this problem.

tools.zerosrealm.com/dllfix.exe
Please post a new findall from that one.



#7 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 11:18 AM

Also download and run CWShredder from my signature. Run that in fix mode and let it fix what it finds.



#8 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 11:22 AM

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Fri 05/28/2004
11:21 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (208D:4F24) - FS:NTFS clusters:4k
Total: 10 018 357 248 [9.3G] - Free: 1 404 526 592 [1.3G]


*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\HLPHC.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLPHC.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access SYSTEMAX\Daniel Michaels
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access SYSTEMAX\Daniel Michaels




Log file dllfix

Thanks Dan

#9 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 11:25 AM

OK, run the new dllfix with option 2, then option 2 again. Post that log back when done.



#10 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 11:37 AM

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Fri 05/28/2004
11:35 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (208D:4F24) - FS:NTFS clusters:4k
Total: 10 018 357 248 [9.3G] - Free: 1 404 420 096 [1.3G]


*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\HLPHC.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLPHC.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access SYSTEMAX\Daniel Michaels
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access SYSTEMAX\Daniel Michaels




The program got all the way through and restarted the computer, but it did not restart the program; I started it manually. Here is the log.

Thanks Dan

#11 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 11:44 AM

OK, double-click the second.bat manually.

Then post that logs.txt.



#12 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 11:58 AM

Hey things are looking up!

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 1.05 052704
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Fri 05/28/2004
11:28 AM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully

Deleting Filter text
Windows XP Detected
Running from C:\Documents and Settings\Daniel Michaels\Desktop\dllfix
Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Scanning For main hijacker.
Scanning for Hidden Dll in system32 1st pass
File was not found on first Pass.

Scanning for Hidden Dll in system32 2nd pass
File found was: C:\WINDOWS\System32\HLPHC.DLL

Md5 Check of C:\WINDOWS\System32\HLPHC.DLL

Md5 tested As D41D8CD98F00B204E9800998ECF8427E
File was found but md5 didnt match
MD5 was: D41D8CD98F00B204E9800998ECF8427E
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\System32\HLPHC.DLL>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\Daniel Michaels\Desktop\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

What's next Dan
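One detail in the log above worth knowing when reading dllfix output: D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so the "Md5 tested As" line says nothing about what is in HLPHC.DLL; the hasher opened the file but read nothing, which matches the "File read error" in the find-all output. The following is an added check (not dllfix's own code, and the excerpts are constructed from the runs posted in this thread) that parses the MD5 lines of a dllfix run and reports exactly that condition, as well as the case where the digest is missing altogether.

```python
"""Sanity check for the MD5 lines in a dllfix run (added example, not dllfix code)."""
from __future__ import annotations

import hashlib
import re

# MD5 of zero bytes: what a hasher reports when it opens a file but cannot read it.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# Constructed excerpts modelled on the two dllfix runs posted in this thread.
FIRST_RUN = r"""
File found was: C:\WINDOWS\System32\HLPHC.DLL
Md5 tested As D41D8CD98F00B204E9800998ECF8427E
File was found but md5 didnt match
MD5 was: D41D8CD98F00B204E9800998ECF8427E
"""
SECOND_RUN = r"""
File found was: C:\WINDOWS\System32\HLPHC.DLL
Md5 tested As
File was found but md5 didnt match
MD5 was:
"""

FILE_RE = re.compile(r"^File found was:\s*(?P<path>.+?)\s*$")
# Both MD5 lines dllfix prints; the digest itself is optional because it can be blank.
MD5_RE = re.compile(r"^(?:Md5 tested As|MD5 was:)\s*(?P<md5>[0-9a-f]{32})?\s*$", re.IGNORECASE)


def assess_dllfix_md5(log_text: str) -> tuple[str | None, str]:
    """Return (path, verdict) for a dllfix excerpt. Verdicts:
    'hash-missing'        no digest at all: the tool got nothing back from the file
    'hash-of-empty-input' digest of zero bytes: file opened but unreadable (locked), hash is meaningless
    'hash-present'        a real digest was computed and can be compared or submitted
    'no-md5-lines'        the excerpt contains no MD5 lines
    """
    path = None
    digests: list[str | None] = []
    for line in log_text.splitlines():
        fm = FILE_RE.match(line)
        if fm:
            path = fm.group("path")
            continue
        mm = MD5_RE.match(line)
        if mm:
            digests.append(mm.group("md5").lower() if mm.group("md5") else None)
    if not digests:
        return path, "no-md5-lines"
    if all(d is None for d in digests):
        return path, "hash-missing"
    if any(d == EMPTY_MD5 for d in digests):
        return path, "hash-of-empty-input"
    return path, "hash-present"


if __name__ == "__main__":
    for label, excerpt in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        path, verdict = assess_dllfix_md5(excerpt)
        print(f"{label}: {path} -> {verdict}")
```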

#13 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 12:01 PM

OK, post a new findall please.



#14 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 12:02 PM

Also check the submit.zip in the dllfix folder and let me know the size.



#15 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 12:05 PM

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Fri 05/28/2004
12:04 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (208D:4F24) - FS:NTFS clusters:4k
Total: 10 018 357 248 [9.3G] - Free: 1 404 133 376 [1.3G]


*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\HLPHC.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLPHC.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access SYSTEMAX\Daniel Michaels
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access SYSTEMAX\Daniel Michaels




Thanks Dan

#16 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 12:07 PM

submit.zip: 1.05 KB

#17 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 12:10 PM

Hmm, this file: can you see it?
C:\WINDOWS\System32\HLPHC.DLL

if you navigate to system32?
If so, what are its properties?

Also in the dllfix folder is a windows1.txt.
Open that with Notepad and paste the contents here.



#18 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 12:12 PM

OK, one more thing.

Download this:
http://www.downloads...g/VX2Finder.exe

Click the Find VX2 button. Then click the Make Log button and post that here.



#19 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 12:21 PM

File from windows1.txt

I will work on the next thing

Dan


#20 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 12:25 PM

Files Found---


Guardian Key--- is called:

User Agent String---

I don't think it found anything.

I also ran the other program, CWShredder.exe, and did the fixes; it found 9 things.

Dan

#21 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 12:27 PM

OK, it probably won't find anything with VX2Finder.

OK, load up regedit.

Navigate to here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Right-click the Windows portion and click Rename.
Rename it to notwindows.

Hit F5 to refresh regedit.
Appinit should now show a filename. Right-click the Appinit and select Modify.
Delete the value there.

Then right-click the notwindows and rename it back to Windows.
Reboot.
See if this file is visible now:

C:\WINDOWS\System32\HLPHC.DLL

Edited by shadowwar, 28 May 2004 - 12:32 PM.




#22 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 12:33 PM

regedit loaded, standing by.

Dan

#23 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 12:35 PM

Refresh, I edited.



#24 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 12:46 PM

After renaming Windows I right-clicked Appinit_dlls; on the first line Appinit came up, but there was nothing in the data (second tab).

Dan

#25 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 12:54 PM

First, can you zip and email me backup.hiv and f.hiv? They should probably be in the backup folder in the dllfix folder. I need to see why the fix isn't working on your machine.
Click here to email!

Thanks.


OK, let's do it this way. Leave the key renamed to notwindows and reboot.

Run start.bat once and exit without doing anything in it.

Copy direct.txt in the dllfix folder to C:\.

Then double-click the second.bat.

Post the log when done.

Edited by shadowwar, 28 May 2004 - 12:55 PM.




#26 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 01:18 PM

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 1.05 052704
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Fri 05/28/2004
01:15 PM

Backing up Registry Hive
Windows XP Detected
Fatal Error Directory File could not be found
This will Happen if you Run this file manually!
Its Designed to run from start.bat

#27 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 01:18 PM

Sorry, I forgot to reboot.

#28 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 01:22 PM

Make sure you copy the direct.txt to C:\.

It needs to be in the root of C:.



#29 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 01:33 PM

Windows XP Detected
Running from C:\Documents and Settings\Daniel Michaels\Desktop\dllfix
Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Scanning For main hijacker.
Scanning for Hidden Dll in system32 1st pass
File was not found on first Pass.

Scanning for Hidden Dll in system32 2nd pass
File found was: C:\WINDOWS\System32\HLPHC.DLL

Md5 Check of C:\WINDOWS\System32\HLPHC.DLL

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\System32\HLPHC.DLL>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\Daniel Michaels\Desktop\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

Dan

#30 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 01:36 PM

Ugh... go back into regedit please.
Check if there is a notwindows and a Windows there.



#31 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 01:40 PM

Under CurrentVersion there is just the notwindows.

#32 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 01:47 PM

OK, is the file now visible? C:\WINDOWS\System32\HLPHC.DLL

You did reboot after the rename of the value, correct?



#33 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 02:00 PM

Yes, I see it now.

#34 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 02:06 PM

OK, create a new folder on the desktop.
Name it junk for now.

Go back to the file.
Click the hlphc.dll once.
Go to the top of the window and click Edit / Move to Folder.

Move it to the junk folder you created.
Let me know if successful.
If it's successful, please send me that one also.
After it's sent, right-click the folder itself. Hit Properties. Go to the Security tab. Click the Advanced button. Check the box that says "Reset permissions on all child objects". Hit Apply. Hit OK. You should then be able to delete the whole folder.

If you can't see the Security tab, then boot to safe mode and follow the above.

If all of that was successful, please go back to regedit and rename notwindows back to Windows.
Check the Appinit value and make sure it's clean.

Post a findall from dllfix after you are all done.



#35 aquaman (Full Member, 25 posts)

Posted 28 May 2004 - 02:39 PM

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Fri 05/28/2004
02:37 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (208D:4F24) - FS:NTFS clusters:4k
Total: 10 018 357 248 [9.3G] - Free: 1 403 461 632 [1.3G]


*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access SYSTEMAX\Daniel Michaels
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access SYSTEMAX\Daniel Michaels




I e-mailed you the file

Thanks Dan

#36 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 28 May 2004 - 06:44 PM

Looks good to go. Post a HijackThis log again.



#37 aquaman (Full Member, 25 posts)

Posted 30 May 2004 - 12:15 PM

Shadowwar, thanks for your help. I would still like to get this cleaned up; here is my new log file.

I did, however, switch to the Opera browser. I love it; I have not had a pop-up yet, and the browser works great. I still cannot understand why the HijackThis program will not remove the junk in regular mode but will in safe mode.

Thanks Dan

#38 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 30 May 2004 - 12:42 PM

The log file is not there?



#39 aquaman (Full Member, 25 posts)

Posted 30 May 2004 - 03:36 PM

Logfile of HijackThis v1.97.7
Scan saved at 12:11:10 PM, on 5/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\System32\EXSHOW95.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\EXSHOW.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\MINOLTA-QMS\Printer tools_NT\SP601.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Opera75\opera.exe
C:\Program Files\IMSI\TCWP80\Program\tcw80.exe
C:\Program Files\Lavasoft\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [AntiSpyMonitor] C:\Program Files\SpyDetector\spymonitor.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MINOLTA-QMS PagePro 1250E Printer Tools.lnk = C:\Program Files\MINOLTA-QMS\Printer tools_NT\SP601.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Radio Free Virgin Player (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Sorry about that.

#40 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 31 May 2004 - 06:30 AM

OK, fix these and post a new HijackThis log.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)



#41 aquaman (Member, Full Member, 25 posts)

Posted 31 May 2004 - 10:55 AM

I fixed the items, then hit Scan; the same items came back up. It is like they are not getting deleted. They will delete in Safe Mode but come right back in regular mode.

Dan

#42 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 31 May 2004 - 07:22 PM

OK, fix those again. Also fix this:

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

Then reboot and delete:
C:\WINDOWS\System32\bridge.dll

Then run CWShredder; the link to download it is in my signature.
Run it in fix mode.

Then post a fresh HijackThis log.



#43 aquaman (Member, Full Member, 25 posts)

Posted 31 May 2004 - 07:50 PM

I ran HijackThis in fix and rebooted. I could not find bridge.dll; I have not been able to find it any of the times I've looked for it. When starting, I get an error message that it could not find the bridge.dll module. If you look in my earlier posts, you will see that I have been getting that message for some time. I ran Shredder in fix, then ran a HijackThis scan.

Dan

Logfile of HijackThis v1.97.7
Scan saved at 7:46:29 PM, on 5/31/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\System32\EXSHOW95.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\WINDOWS\System32\EXSHOW.EXE
C:\Program Files\MINOLTA-QMS\Printer tools_NT\SP601.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Lavasoft\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [AntiSpyMonitor] C:\Program Files\SpyDetector\spymonitor.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MINOLTA-QMS PagePro 1250E Printer Tools.lnk = C:\Program Files\MINOLTA-QMS\Printer tools_NT\SP601.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Radio Free Virgin Player (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
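
Dan's report above (the R0/R1 and O4 entries come back after a fix in normal mode, and bridge.dll cannot be found on disk) is the kind of thing worth checking mechanically rather than by eye. The following is an added example for this thread; it is not code from the thread, from HijackThis or from CWShredder. It parses HijackThis R0/R1 and O4 lines, flags a start or search page that is served from a `res://` DLL resource or that HijackThis marks as obfuscated, pulls the DLL out of a `rundll32` autostart so it can be checked on disk, and intersects two logs to list the flagged entries that survived a fix-and-rescan. The log excerpt is copied from the 30 May and 31 May logs posted in this thread; the one Google R0 line is a constructed benign control, and the `exists` callback is an assumption so the DLL check can run on a machine other than the affected one.

```python
"""Triage helpers for HijackThis v1.x log lines.

Added example for this thread; not part of HijackThis, CWShredder or the
forum's own tooling. Log excerpt copied from the logs posted in the
thread, except the Google line, which is constructed as a benign control.
"""
import os
import re

# "R1 - <key> = <value> (obfuscated)"  /  "O4 - <location>: [<name>] <command>"
HJT_LINE = re.compile(r'^(?P<kind>[RO]\d+) - (?P<body>.+?)\s*$')
R_ENTRY = re.compile(r'^(?P<key>[^=]+?)\s*=\s*(?P<value>.+?)(?P<obf>\s*\(obfuscated\))?$')
# rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load  ->  dll, export
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.I)

LOG_30MAY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
# The 31 May log in the thread repeats the same R and O4 lines verbatim.
LOG_31MAY = LOG_30MAY


def parse_hjt(text):
    """Yield (kind, body) for every R*/O* line; other lines are ignored."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m['kind'], m['body']


def flag(kind, body):
    """Reason an entry deserves a look, or None if nothing stands out."""
    if kind in ('R0', 'R1'):
        m = R_ENTRY.match(body)
        if not m:
            return None
        value = m['value'].strip()
        if value.lower().startswith('res://'):
            # The "page" lives inside a DLL resource, not on a web server,
            # so the search page is whatever that DLL carries.
            return 'start/search page hosted inside a DLL: ' + value
        if m['obf']:
            return 'value HijackThis marks as obfuscated: ' + value
        return None
    if kind == 'O4':
        m = RUNDLL.search(body)
        if m:
            return f"rundll32 autostart loads {m['dll']},{m['export']}"
    return None


def triage(text):
    """Map each flagged entry (the full 'Rn - ...' line) to its reason."""
    flagged = {}
    for kind, body in parse_hjt(text):
        reason = flag(kind, body)
        if reason:
            flagged[f'{kind} - {body}'] = reason
    return flagged


def came_back(before, after):
    """Flagged entries present in both logs: a fix that did not stick."""
    return sorted(triage(before).keys() & triage(after).keys())


def rundll_modules(text, exists):
    """(dll, present) for every rundll32 autostart in the log.

    `exists` is injected (os.path.exists on the affected machine) so the
    check runs anywhere. A Run value whose DLL is absent is what yields
    "specified module could not be found" at logon: the registry value
    outlived the file.
    """
    found = []
    for kind, body in parse_hjt(text):
        if kind == 'O4':
            m = RUNDLL.search(body)
            if m:
                found.append((m['dll'], bool(exists(m['dll']))))
    return found


if __name__ == '__main__':
    for line, why in triage(LOG_30MAY).items():
        print(f'{why}\n    {line}')
    print('\nflagged entries still present after the fix:',
          len(came_back(LOG_30MAY, LOG_31MAY)))
    for dll, present in rundll_modules(LOG_30MAY, os.path.exists):
        print('autostart DLL', dll, 'present' if present else 'MISSING')
```

Run on the affected machine, `rundll_modules(log, os.path.exists)` tells you whether the `[RunDLL]` value still points at a file; a missing file with the Run value still in place matches the startup error Dan describes, and `came_back` makes the "they come right back in regular mode" observation a concrete list rather than a feeling. Neither function says what re-creates the values; that is what a fuller startup listing is for.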

#44 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 01 June 2004 - 07:08 AM

OK, we need to see a StartupList from HijackThis: Config / Misc Tools.

Check both boxes under the StartupList button.

Paste the log here.



#45 aquaman (Member, Full Member, 25 posts)

Posted 01 June 2004 - 08:09 AM

Logfile of HijackThis v1.97.7
Scan saved at 8:06:39 AM, on 6/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\System32\EXSHOW95.EXE
C:\WINDOWS\System32\EXSHOW.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\MINOLTA-QMS\Printer tools_NT\SP601.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Lavasoft\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\offi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\offi.dll/sp.html (obfuscated)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [AntiSpyMonitor] C:\Program Files\SpyDetector\spymonitor.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MINOLTA-QMS PagePro 1250E Printer Tools.lnk = C:\Program Files\MINOLTA-QMS\Printer tools_NT\SP601.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Radio Free Virgin Player (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Now that I have Sun Java, can I delete the O9's that have JavaScript?

While in Config, I noticed that the default search pages were set to IE-search. I changed them to Google to see if that would help.

Dan