browser hijacked - about:blank


27 replies to this topic

#1 spengle

    Member

  • Full Member
  • 17 posts

Posted 30 May 2004 - 05:07 AM

Please help, as I am not totally confident with all this... I read the topic someone had posted previously in this section and followed some of the instructions, but decided to post this log before I did anything else as I wasn't sure what works for one computer would work for another. I thought I should open my own topic on the matter as I read somewhere it's better to do that than to post your log into another person's topic... Here's the log from Find-All.

--==***@@@ 'FIND-ALL' VERSION 8.5 -5/29 @@@***==--


Sun May 30 11:02:17 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (78C2:5886) - FS:NTFS clusters:4k
Total: 10 248 663 040 [10G] - Free: 1 851 105 280 [1.7G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q822925;Q330994;Q828750;Q824145;Q832894;Q837009;Q831167;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"BTopenworld"="IEAKBTopenworld"


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe


»»PC uptime:
11:02am up 0 days, 0:59

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
376 smss.exe
452 csrss.exe Title:
476 winlogon.exe Title: NetDDE Agent
524 services.exe Svcs: Eventlog,PlugPlay
536 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
708 svchost.exe Svcs: RpcSs
736 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,helpsvc,lanmanserver,l
nmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclogon,SENS,SharedAccess,
hellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,wi
mgmt,wuauser
844 svchost.exe Svcs: Dnscache
856 svchost.exe Svcs: LmHosts,RemoteRegistry,WebClient
1076 explorer.exe Title: Program Manager
1208 alg.exe Svcs: ALG
1260 NAVAPSVC.EXE Svcs: navapsvc
1504 svchost.exe Svcs: stisvc
1952 dragdiag.exe Title:
1960 NAVAPW32.EXE Title: Norton AntiVirus
1988 qttask.exe Title: 7c8
1996 rundll32.exe Title: MediaCenter
2016 msmsgs.exe Title:
768 devldr32.exe Title: DEVLDR
992 wuauclt.exe Title: Auto Update Client Window
1380 msnmsgr.exe Title: MSN Messenger
240 getright.exe Title:
208 iexplore.exe Title: SWI Forums -> Browser Hijacked to About:blank - Microsoft Internet Explorer provided by BTopenworld
1876 SpybotSD.exe Title: Spybot - Search & Destroy
1804 regedit.exe Title: Registry Editor
816 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
1900 ntvdm.exe
1644 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{248EDF3C-4BEE-4556-8156-90BCF59D89A8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{929BE376-B1FA-4E0A-B2E8-814909EA672D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{929BE376-B1FA-4E0A-B2E8-814909EA672D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Trayz"="{F5B7D0BE-5f02-4211-96DB-386DFA244900}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access SYSTEM\Administrator
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access SYSTEM\Administrator




Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Group/user settings:


User: [SYSTEM\Administrator], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group SYSTEM\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
SYSTEM\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»Contents of file(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Sun May 30 11:02:27 2004 -- ++Find-All backups created:
A C:\DOCUME~1\ADMINI~1\Desktop\FINDAL~1\winBackup.hiv
A C:\DOCUME~1\ADMINI~1\Desktop\FINDAL~1\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#2 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 30 May 2004 - 05:25 AM

I see you did your homework as per the other thread. :D

Incidentally, I just found out you may have this virus:
http://uk.trendmicro...e=TROJ_SMALL.PB

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Trayz"="{F5B7D0BE-5f02-4211-96DB-386DFA244900}"


Can you download HijackThis, save and post the log first?
If there are multiple, various infections the
removal of CWS first isn't always successful.

http://www.spywarein.../HijackThis.exe

#3 spengle

    Member

  • Full Member
  • 17 posts

Posted 30 May 2004 - 06:20 AM

I had a suspicion that I had a virus as it goes; I can't understand why Norton had not dealt with it, and when I tried to do a scan with HouseCall as a sort of double measure it wouldn't allow me to, as the browser kept closing... Anyway, thanks for pointing it out to me... Right, I will download HijackThis and post my log as stated... By the way, cheers for finding the time to help me, I really do appreciate it.

Edited by spengle, 30 May 2004 - 06:28 AM.


#4 spengle

    Member

  • Full Member
  • 17 posts

Posted 30 May 2004 - 06:24 AM

Here is the log from HijackThis...

Logfile of HijackThis v1.97.7
Scan saved at 12:22:53, on 30/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lbfi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lbfi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lbfi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lbfi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lbfi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lbfi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {248EDF3C-4BEE-4556-8156-90BCF59D89A8} - C:\WINDOWS\System32\lbfi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Link: Open in New Minimized Window - C:\Program Files\IE Booster\link-open-minimized.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....118/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojansca...an/TDECntrl.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicd...ddm_control.CAB
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7853.5909837963
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12118/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C98AB97C-DA24-447C-AC9B-D56322AECC72}: NameServer = 194.74.65.86 194.72.9.44

Should I tackle the virus before I attempt to get rid of the browser hijacker?
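As an added example (not part of this thread, and not code from HijackThis), here is a small Python triage script for logs like the one above. It takes a constructed subset of the lines posted, extracts the DLL that the res:// search-page entries point into, and flags any O2 BHO that loads that same DLL. A legitimate start or search page is an http URL, so a res:// value (a page embedded as a resource in a local binary) is worth a look on its own, and a BHO that also serves the hijacked page is the component the rest of the thread goes after. The function names are mine.

```python
import re

# Constructed sample input: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lbfi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lbfi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {248EDF3C-4BEE-4556-8156-90BCF59D89A8} - C:\WINDOWS\System32\lbfi.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

# "R1 - <body>", "O2 - <body>", ... ; every HijackThis item line has this shape.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A res:// URL names a binary (dll/ocx/exe) and then a resource path inside it.
RES_RE = re.compile(r"res://(?P<path>.+?\.(?:dll|ocx|exe))\b", re.IGNORECASE)
# O2 body: "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def parse(log_text):
    """Yield (kind, body) for every HijackThis item line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def res_targets(log_text):
    """Lowercased paths of binaries that R0/R1 start/search-page values point into via res://."""
    targets = set()
    for kind, body in parse(log_text):
        if not kind.startswith("R") or " = " not in body:
            continue
        _, value = body.split(" = ", 1)
        m = RES_RE.search(value)
        if m:
            targets.add(m.group("path").lower())
    return targets


def bhos(log_text):
    """List of (name, clsid, lowercased path) for every O2 BHO entry."""
    out = []
    for kind, body in parse(log_text):
        if kind != "O2":
            continue
        m = BHO_RE.match(body)
        if m:
            out.append((m.group("name"), m.group("clsid"), m.group("path").lower()))
    return out


def triage(log_text):
    """Findings: R-lines left at about:blank or pointing into a res:// binary, and
    BHOs whose DLL is the very binary that serves the redirected search page."""
    findings = []
    targets = res_targets(log_text)
    for kind, body in parse(log_text):
        if kind.startswith("R") and " = " in body:
            key, value = body.split(" = ", 1)
            if value.startswith("about:blank") or RES_RE.search(value):
                findings.append(f"{kind} {key.split(',')[-1]}: {value}")
    for _name, clsid, path in bhos(log_text):
        if path in targets:
            findings.append(f"O2 BHO {clsid} {path}: same DLL serves the hijacked search page")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, it reports the three R-lines and the one BHO ({248EDF3C-...}, lbfi.dll) and leaves the Acrobat and Norton BHOs alone; on a real log, feed it the whole file and treat the correlated BHO as the item to fix first.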

#5 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 30 May 2004 - 06:46 AM

I don't see any signs on your current log.

In hijackthis, fix checked this pest:
*O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicd...ddm_control.CAB


And continue with the fix:

Next,
Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder
highlighted.
(*compare and be sure the path on the status
bar is same as indicated above!)

-RightClick on the Windows Subfolder,
And rename Windows as Windows1

-Locate "AppInit_DLLs" value on the right
pane, RightClick it and select 'delete'

-Select the Windows1 on the left pane
again and rename it back to its
original name, Windows

-Use top regedit's menu view->refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

-Close regedit, *restart computer!

--Navigate to System32 folder, Search
for System32\ HLP.DLL file, highlight
and use the folder's top menu
option : "Edit-> Move to folder..."
Browse to and select: C:\junkxxx folder.
(It was created during first 'Find-All' run)
'ok' it.

Re-run 'Find-All.cmd' and post new log!

As for the virus, Download this registry search tool:
http://freeatlast.10...com/Regsrch.zip
Unzip, run the RegSrch.vbs file and copy and paste:
{F5B7D0BE-5f02-4211-96DB-386DFA244900}
As the string to search.
It will run for a while and generate a report. Copy and post it here as well!
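To make the registry side of these steps checkable after the fact, here is an added Python example (not part of this thread and not code from Find-All) that parses the REGEDIT4 exports Find-All prints. It reports whether the AppInit_DLLs value is present, diffs a before and after export to show which values disappeared, and lists ShellServiceObjectDelayLoad entries that are outside an assumed stock-XP baseline (the four names other than Trayz), so the unfamiliar entry the search above targets shows up as a candidate to investigate rather than something the script decides on. The sample exports are trimmed copies of the ones in the logs; the baseline set and function names are my assumptions.

```python
import re

# Constructed sample: the Find-All REGEDIT4 exports from the first log above (BEFORE)
# and the second log after the AppInit_DLLs value was removed (AFTER, trimmed to the
# Windows key). Find-All concatenates several exports, each with its own REGEDIT4 header.
BEFORE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Trayz"="{F5B7D0BE-5f02-4211-96DB-386DFA244900}"
"""

AFTER = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data  or  @=data (default value); data is kept raw, quotes and dword: prefix included.
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
# Assumed baseline: the value names a stock XP SP1 install carries under ShellServiceObjectDelayLoad.
SSODL_BASELINE = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}


def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value_name: raw_data}}; REGEDIT4 headers are skipped."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            tree[current][name] = m.group("data")
    return tree


def appinit_state(tree):
    """None if AppInit_DLLs is absent from the Windows key, else its raw data ('""' = present but empty)."""
    return tree.get(WINDOWS_KEY, {}).get("AppInit_DLLs")


def unexpected_ssodl(tree):
    """ShellServiceObjectDelayLoad entries whose value name is not in the assumed baseline."""
    return {name: data for name, data in tree.get(SSODL_KEY, {}).items()
            if name not in SSODL_BASELINE}


def removed_values(before, after):
    """Per key present in both exports, the value names that exist before and are gone after."""
    diff = {}
    for key, values in before.items():
        if key not in after:
            continue  # key not exported in the second run; nothing to compare
        gone = sorted(set(values) - set(after[key]))
        if gone:
            diff[key] = gone
    return diff


if __name__ == "__main__":
    b, a = parse_reg(BEFORE), parse_reg(AFTER)
    print("AppInit_DLLs before:", appinit_state(b), "after:", appinit_state(a))
    print("SSODL entries to investigate:", unexpected_ssodl(b))
    print("Values removed by the fix:", removed_values(b, a))
```

On the two exports this prints that AppInit_DLLs went from present-but-empty to absent, that Trayz is the only SSODL name outside the baseline, and that AppInit_DLLs is the one value the rename-and-delete step removed; the same three checks apply to any later Find-All log you post.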

#6 spengle

    Member

  • Full Member
  • 17 posts

Posted 30 May 2004 - 10:30 AM

Right, I'm very confident I've followed your almost idiot-proof instructions... (well, I managed to understand them) =] So here's the log

--==***@@@ 'FIND-ALL' VERSION 8.5 -5/29 @@@***==--


Sun May 30 16:27:41 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (78C2:5886) - FS:NTFS clusters:4k
Total: 10 248 663 040 [10G] - Free: 1 885 102 080 [1.8G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q822925;Q330994;Q828750;Q824145;Q832894;Q837009;Q831167;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"BTopenworld"="IEAKBTopenworld"


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe


»»PC uptime:
4:27pm up 0 days, 0:27

»»Locked or 'Suspect' file(s) found...
* result\\?\C:\junkxxx\HLP.DLL


»»Tasks (services):
0 System Process
4 System
376 smss.exe
452 csrss.exe Title:
476 winlogon.exe Title: NetDDE Agent
520 services.exe Svcs: Eventlog,PlugPlay
532 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
692 svchost.exe Svcs: RpcSs
716 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,helpsvc,lanmanserver,l
nmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclogon,SENS,SharedAccess,
hellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,wi
mgmt,wuauser
780 svchost.exe Svcs: Dnscache
836 svchost.exe Svcs: LmHosts,RemoteRegistry,WebClient
996 alg.exe Svcs: ALG
1036 NAVAPSVC.EXE Svcs: navapsvc
1184 svchost.exe Svcs: stisvc
1764 explorer.exe Title: Program Manager
1892 dragdiag.exe Title:
1912 NAVAPW32.EXE Title: Norton AntiVirus
2008 rundll32.exe Title: MediaCenter
2028 msmsgs.exe Title:
236 devldr32.exe Title: DEVLDR
396 wuauclt.exe Title: Auto Update Client Window
456 iexplore.exe Title: SWI Forums -> browser hijacked - about:blank - Microsoft Internet Explorer provided by BTopenworld
1204 getright.exe Title:
1064 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
1988 ntvdm.exe
604 GetDiz.exe Title: GetDiz
1624 mspaint.exe Title: untitled - Paint
1744 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{248EDF3C-4BEE-4556-8156-90BCF59D89A8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{929BE376-B1FA-4E0A-B2E8-814909EA672D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{929BE376-B1FA-4E0A-B2E8-814909EA672D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Trayz"="{F5B7D0BE-5f02-4211-96DB-386DFA244900}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access SYSTEM\Administrator
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access SYSTEM\Administrator




Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Group/user settings:


User: [SYSTEM\Administrator], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group SYSTEM\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
SYSTEM\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


C:\junkxxx\hlp.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
SYSTEM\Administrator:F
BUILTIN\Users:R


»»Contents of file(s) in 'junkxxx' folder:
hlp.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

c185b36f9969d3a6d2122ba7cbc02249 hlp.dll

57344 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:
File: <C:\junkxxx\hlp.dll>

CRC-32 : D5C9FB2E

GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488

E89EDB26 3B623462

HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595

AAEF452A 3CD2FAB3

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436

199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135

C8BECB6F 2DB242DA 5945C134 A7E3D9B9




Sun May 30 16:27:45 2004 -- ++Find-All backups created:
A C:\DOCUME~1\ADMINI~1\Desktop\NEWFOL~1\winBackup.hiv
A C:\DOCUME~1\ADMINI~1\Desktop\NEWFOL~1\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



Edited by spengle, 30 May 2004 - 10:33 AM.


#7 spengle

    Member

  • Full Member
  • 17 posts

Posted 30 May 2004 - 10:36 AM

Now to get that virus... <_< Where's my gun!

#8 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 30 May 2004 - 10:52 AM

Perfect!
We can wrap up the hijacker following these steps:

;) Well done!

Lastly,

Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/Silently do this:
*Restore your key &Security
back to defaults
*Reset permissions on the junkxxx\*.dll moved file
*Create zipped copy in the same folder: "junkxxx.zip"
*Open your email client with given addresses for submission!

--Drag the 'junkxxx.zip' and submit the
attachment to the specified addresses! Thanks ;)

When done, Delete the "junkxxx.zip"
as well as the "junkxxx" folder in C:\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker downloaded!
Run these tools, have them fix all problems:
*Ad-Aware6:
http://www.lavasoftu...ftware/adaware/

*Updates:
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

*http://www.spywarein.../CWShredder.exe

Feel free to post follow up hijackthis log when done!
Good luck ;)

P.S: Follow my earlier post for the steps to identify the virus.
It may just be an unknown remnant; post the log and
we'll take care of that next!

#9 spengle

    Member

  • Full Member
  • 17 posts

Posted 30 May 2004 - 12:28 PM

Right, I haven't attempted the virus yet, I continued with the browser hijacker... I had Ad-Aware 6 build 181 on my computer which I had previously downloaded earlier from www.download.com. CAN YOU BELIEVE? I installed it and configured it to perform a full scan; as it was scanning, Norton recognised a trojan (but I guess that serves me right for cutting corners): C:\PROGRA~1\Lavasoft\AD-AWA~1\Cache\WIND...\load.exe. I quarantined it, but the same alert came up again and I quarantined that too. I've run Ad-Aware and quarantined 144 files (I feel dirty!). I expected a few but not that many (felt like discovering genital warts!). Should I delete them all????? OMG it's gone... I now have control of my web browser. FANTASTIC :D Here's the log

--==***@@@ 'FIND-ALL' VERSION 8.5 -5/29 @@@***==--


Sun May 30 18:23:02 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (78C2:5886) - FS:NTFS clusters:4k
Total: 10 248 663 040 [10G] - Free: 1 863 864 320 [1.7G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q822925;Q330994;Q828750;Q824145;Q832894;Q837009;Q831167;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"BTopenworld"="IEAKBTopenworld"


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe


»»PC uptime:
6:23pm up 0 days, 1:39

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
376 smss.exe
452 csrss.exe Title:
476 winlogon.exe Title: NetDDE Agent
520 services.exe Svcs: Eventlog,PlugPlay
532 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
692 svchost.exe Svcs: RpcSs
716 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,wuauser
780 svchost.exe Svcs: Dnscache
836 svchost.exe Svcs: LmHosts,RemoteRegistry,WebClient
996 alg.exe Svcs: ALG
1036 NAVAPSVC.EXE Svcs: navapsvc
1188 svchost.exe Svcs: stisvc
1712 explorer.exe Title: Program Manager
1904 dragdiag.exe Title:
1916 NAVAPW32.EXE Title: Norton AntiVirus
1952 rundll32.exe Title: MediaCenter
1976 msmsgs.exe Title:
236 devldr32.exe Title: DEVLDR
748 wuauclt.exe Title: Auto Update Client Window
1380 getright.exe Title:
1184 iexplore.exe Title: SWI Forums -> Replying in browser hijacked - about:blank - Microsoft Internet Explorer provided by BTopenworld
1772 Ad-aware.exe Title: Ad-aware 6
204 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
608 ntvdm.exe
1820 iexplore.exe Title: Google - Microsoft Internet Explorer provided by BTopenworld
1988 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Trayz"="{F5B7D0BE-5f02-4211-96DB-386DFA244900}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access SYSTEM\Administrator
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access SYSTEM\Administrator




Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Group/user settings:


User: [SYSTEM\Administrator], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group SYSTEM\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
SYSTEM\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»Contents of file(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Sun May 30 18:23:08 2004 -- ++Find-All backups created:
A C:\DOCUME~1\ADMINI~1\Desktop\NEWFOL~1\winBackup.hiv
A C:\DOCUME~1\ADMINI~1\Desktop\NEWFOL~1\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



How happy am I to see the back of that?... thank you so much. You're like the S.A.S of spyware, cheers geez :D right, next mission... catch you in a bit

#10 freeatlast (E x p l o r e r, Retired Staff, 833 posts)
Posted 30 May 2004 - 12:35 PM

Yeyyyy, it's all gone, indeed! :D

However, do post a fresh HijackThis log once you
rescan and clean what's left with Ad-Aware
and Shredder.

Post the results of the registry search as well, as indicated earlier!

#11 spengle (Full Member, 17 posts)
Posted 30 May 2004 - 12:45 PM

Shredder? Is there another program I need? I've deleted everything I quarantined with Ad-Aware and I'm rescanning; will send the HijackThis log as soon as that's done

#12 freeatlast (E x p l o r e r, Retired Staff, 833 posts)
Posted 30 May 2004 - 12:51 PM

1.) http://www.spywarein.../CWShredder.exe

2.) As for the virus, download this registry search tool:
http://freeatlast.10...com/Regsrch.zip
Unzip, run the RegSrch.vbs file and copy and paste:
{F5B7D0BE-5f02-4211-96DB-386DFA244900}
as the string to search.
It will run for a while and generate a report. Copy and post it here as well!


And attach a fresh HijackThis log as well.

#13 spengle (Full Member, 17 posts)
Posted 30 May 2004 - 12:55 PM

OK... I get you. I must have got lost somewhere in my delight of freedom...

#14 freeatlast (E x p l o r e r, Retired Staff, 833 posts)
Posted 30 May 2004 - 01:01 PM

2nd link has hiccups.
Get it directly from here:
http://freeatlast.10....com/index.html

#15 spengle (Full Member, 17 posts)
Posted 30 May 2004 - 01:38 PM

Downloaded from the link you just sent and followed the previous instructions:

Unzip, run the RegSrch.vbs file and copy and paste:
{F5B7D0BE-5f02-4211-96DB-386DFA244900}
As the string to search.
It will run for a while and generate report. copy and post it here as well!

but the program just seems to disappear as soon as I paste {F5B7D0BE-5f02-4211-96DB-386DFA244900} and then click OK... it's gone, nothing there

Here's the log from HijackThis

Logfile of HijackThis v1.97.7
Scan saved at 19:38:10, on 30/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\Navw32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Link: Open in New Minimized Window - C:\Program Files\IE Booster\link-open-minimized.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....118/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojansca...an/TDECntrl.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7853.5909837963
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12118/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C98AB97C-DA24-447C-AC9B-D56322AECC72}: NameServer = 194.74.65.86 194.72.9.44

#16 freeatlast (E x p l o r e r, Retired Staff, 833 posts)
Posted 30 May 2004 - 01:42 PM

It's a script.
After pasting the string it'll search for 1-2 minutes.
Leave it alone until it opens WordPad with the generated output.

As for your hijacker, nicely n@iled: ;)

Just snip this line in HijackThis:
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

#17 spengle (Full Member, 17 posts)
Posted 30 May 2004 - 01:51 PM

Deleted that line, but nothing has come up from the RegSrch

#18 spengle (Full Member, 17 posts)
Posted 30 May 2004 - 01:54 PM

I've found this on my desktop... I don't know if this is what I'm looking for or whether it's a backup from HijackThis

O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicd...ddm_control.CAB

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{4FCFF034-6F56-4D65-8C31-70D98C475428}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Contains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Contains\Files]
"C:\\WINDOWS\\Downloaded Program Files\\DDM_CONTROL.OCX"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{4FCFF034-6F56-4D65-8C31-70D98C475428}\DownloadInformation]
"CODEBASE"="http://bins.dynamicd...dm_control.CAB"
"INF"="C:\\WINDOWS\\Downloaded Program Files\\ddm_control.INF"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{4FCFF034-6F56-4D65-8C31-70D98C475428}\InstalledVersion]
@="1,0,0,0"
"LastModified"="Fri, 29 Aug 2003 05:46:18 GMT"


[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}]
@="ddm_download.ddm_control"

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Control]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}]

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}]

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}]

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}]

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\InprocServer32]
@="C:\\WINDOWS\\Downloaded Program Files\\DDM_CONTROL.OCX"

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\MiscStatus]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\MiscStatus\1]
@="131473"

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\ProgID]
@="ddm_download.ddm_control"

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\ToolboxBitmap32]
@="C:\\WINDOWS\\Downloaded Program Files\\DDM_CONTROL.OCX, 30000"

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\TypeLib]
@="{06B6BFC6-B792-4AC8-8396-0C58A2BF59B0}"

[HKEY_CLASSES_ROOT\CLSID\{4FCFF034-6F56-4D65-8C31-70D98C475428}\Version]
@="1.0"

#19 freeatlast (E x p l o r e r, Retired Staff, 833 posts)
Posted 30 May 2004 - 02:51 PM

What you posted was the item removed by HijackThis.
It's a backup on your desktop; you had to
keep HijackThis in a folder. It's needed for backup creation.

That wasn't the string to search.


***

Unzip, run the RegSrch.vbs file and copy and paste:
{F5B7D0BE-5f02-4211-96DB-386DFA244900}


Failing that you can search the registry manually, by hitting Find/Find Next, exporting the results and posting them here as text.
That'll take a while..
--OR, you could just leave it in the good ol' hands & trust of 7~engines~Nortonware! :rolleyes:

As far as the original problem, consider it gone! :D

#20 spengle (Full Member, 17 posts)
Posted 30 May 2004 - 03:45 PM

The original problem is definitely gone and I can't say how grateful I am for your time and wisdom... trust Norton? From what I've just experienced it would be like letting McDonald's look after your cow!

I'm just stuck on this RegSrch. I've unzipped it into a folder on my desktop and it's unzipped one file. I'm double clicking it to open it, then I cut and paste {F5B7D0BE-5f02-4211-96DB-386DFA244900} and click OK... it then disappears and nothing seems to happen... no matter how long I wait, so I take it I'm doing something wrong

#21 freeatlast (E x p l o r e r, Retired Staff, 833 posts)
Posted 30 May 2004 - 03:59 PM

Do you have Norton script blocking installed?
That may be the reason.


As noted, you can search manually but it
requires some basic skills in the registry.

I'll post the steps once, and you can consider following:

Go to Start/Run/regedit

Go back up to the main root and highlight 'My Computer'.
Edit menu/Find: enter:
{F5B7D0BE-5f02-4211-96DB-386DFA244900}

On each result found, highlight the left
subfolder/RightClick/Export, name it and save somewhere.

Continue via Find/Find Next...

When done, RightClick on each
exported key/Edit to open as text and post here.

#22 spengle (Full Member, 17 posts)
Posted 30 May 2004 - 04:44 PM

I think your first theory would sound correct; let me go check it out and see how I go. If I can't get a log for you I'm still over the moon with what help you have given me... cheers mr

#23 spengle (Full Member, 17 posts)
Posted 30 May 2004 - 05:52 PM

Yep, you were correct, I had Norton script blocking on. I now have a log for you

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{F5B7D0BE-5f02-4211-96DB-386DFA244900}" 30/05/2004 23:49:07

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5B7D0BE-5f02-4211-96DB-386DFA244900}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5B7D0BE-5f02-4211-96DB-386DFA244900}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Trayz"="{F5B7D0BE-5f02-4211-96DB-386DFA244900}"

See what you make of that and don't be in a hurry to answer; I will be on some time tomorrow and can carry on then... good night matey and thank you once again for everything.

#24 freeatlast (E x p l o r e r, Retired Staff, 833 posts)
Posted 31 May 2004 - 04:30 AM

This is mighty odd... :scratchhead:
There is no file listed in the reg report.
It really looks like nothing, or at best an orphaned remnant of something previously removed.

As it is, in its current state, it's harmless.

Let's try one more thing.
Download: "StartDreck.zip" from here:
http://freeatlast.10....com/index.html

Unzip and run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check this box only:
*Registry->'ShellServiceObjectDelayLoad(LM)'
hit >ok.

Use the "save" tab, to save, name and post the log!

-Run the registry search tool again and enter:
Trayz
As the search string.
Post the results.

#25 spengle (Full Member, 17 posts)
Posted 31 May 2004 - 09:10 AM

Good day to you my friend... here's the log from StartDreck...

StartDreck (build 2.1.5 public BETA) - 2004-05-30 @ 15:06:00
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)

»Registry
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
*Trayz={F5B7D0BE-5f02-4211-96DB-386DFA244900}
`InprocServer32=C:\WINDOWS\fepeolca.dll
»Files
»System/Drivers
»Application specific

and here's the second log

StartDreck (build 2.1.5 public BETA) - 2004-05-30 @ 15:10:07
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)

»Registry
»Run Keys
»Current User
»Run
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
*MSMSGS="C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*SpeedTouch USB Diagnostics="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
*NAV Agent=C:\PROGRA~1\NORTON~1\navapw32.exe
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*nwiz=nwiz.exe /install
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*Installed=1
*NoChange=1
*Installed=1
*Installed=1

#26 spengle (Full Member, 17 posts)
Posted 31 May 2004 - 09:15 AM

Yep, you were correct, I had Norton script blocking on. I now have a log for you

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{F5B7D0BE-5f02-4211-96DB-386DFA244900}" 30/05/2004 23:49:07

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5B7D0BE-5f02-4211-96DB-386DFA244900}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5B7D0BE-5f02-4211-96DB-386DFA244900}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Trayz"="{F5B7D0BE-5f02-4211-96DB-386DFA244900}"

See what you make of that and don't be in a hurry to answer; I will be on some time tomorrow and can carry on then... good night matey and thank you once again for everything.

Just in case I did anything wrong on the scan I have repeated it so that you can compare and see that it is correct.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{F5B7D0BE-5f02-4211-96DB-386DFA244900}" 30/05/2004 15:13:32

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5B7D0BE-5f02-4211-96DB-386DFA244900}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5B7D0BE-5f02-4211-96DB-386DFA244900}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Trayz"="{F5B7D0BE-5f02-4211-96DB-386DFA244900}"

#27 freeatlast (E x p l o r e r, Retired Staff, 833 posts)
Posted 31 May 2004 - 10:06 AM

:D Pest is found!

*Trayz={F5B7D0BE-5f02-4211-96DB-386DFA244900}
`InprocServer32=C:\WINDOWS\fepeolca.dll

I'm amazed the registry search tool didn't show it! :scratchhead:

Now, do this:

Start new notepad text file!
Copy and paste to it the entire contents of the quote
box, save it as fix.reg
*Be sure to change to 'all files' in the 'types of files' drop box

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5B7D0BE-5f02-4211-96DB-386DFA244900}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Trayz"=-


-DoubleClick on the 'Fix.reg' file you saved, Answer 'yes' to the prompt!

-Restart computer, find
C:\WINDOWS\fepeolca.dll< delete!

Next,
As you misunderstood the 'second' log (again),
Disable useless 7~engines Nortonware, run the "RegSrch.vbs" file again,
Enter:
fepeolca.dll
As the string to search, copy and post the results.

In addition, run StartDreck again with the first option (»Registry »ShellServiceObjectDelayLoad), save the log and post it to make sure that value is gone.

Edited by freeatlast, 31 May 2004 - 10:20 AM.

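What freeatlast spotted in the StartDreck log is a ShellServiceObjectDelayLoad (SSODL) value whose CLSID's InprocServer32 points at a DLL outside System32, and the fix is a .reg file that deletes the CLSID key and the value. As an added example (not part of this thread, nor of StartDreck, HijackThis or any of the forum's tools), the Python script below parses the SSODL section of a StartDreck log, flags any entry that is not one of the stock Windows XP value names or whose DLL lives outside System32, and prints removal text in the same REGEDIT4 form used above. The sample log is constructed from the entries posted in this thread; the allow-list of stock names, the assumption that %SystemRoot% is C:\WINDOWS, and all function names are mine.

```python
"""Flag suspicious ShellServiceObjectDelayLoad (SSODL) entries in a StartDreck
log and build a REGEDIT4 removal script in the form used in the thread.

Added example; not part of the thread, StartDreck or HijackThis.
"""
import re
import sys

# Constructed sample: the SSODL section as StartDreck printed it in the thread.
SAMPLE_LOG = """\
StartDreck (build 2.1.5 public BETA) - constructed sample
»Registry
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\\system32\\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\\system32\\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\\System32\\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\\WINDOWS\\System32\\stobject.dll
*Trayz={F5B7D0BE-5f02-4211-96DB-386DFA244900}
`InprocServer32=C:\\WINDOWS\\fepeolca.dll
»Files
"""

# Assumption: the SSODL value names a stock Windows XP SP1 install registers.
# Anything else is worth a look even if its DLL sits in System32.
KNOWN_GOOD_NAMES = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}

# Assumption: %SystemRoot% is C:\WINDOWS, as on the machine in the thread.
SYSTEM_ROOT = "C:\\WINDOWS"

ENTRY_RE = re.compile(r"^\*(?P<name>[^=]+)=(?P<clsid>\{[0-9A-Fa-f-]+\})\s*$")
SERVER_RE = re.compile(r"^`InprocServer32=(?P<path>.+?)\s*$")


def parse_ssodl(log_text):
    """Return [(name, clsid, dll_path)] from the SSODL section of a StartDreck log."""
    entries, pending, in_section = [], None, False
    for line in log_text.splitlines():
        if line.startswith("»ShellServiceObjectDelayLoad"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("»"):       # next section heading ends the SSODL block
            break
        m = ENTRY_RE.match(line)
        if m:                           # "*Name={CLSID}" line
            pending = (m.group("name"), m.group("clsid"))
            continue
        m = SERVER_RE.match(line)
        if m and pending:               # "`InprocServer32=path" line that follows it
            entries.append((pending[0], pending[1], m.group("path")))
            pending = None
    return entries


def in_system32(path):
    """True when the DLL path resolves into %SystemRoot%\\System32."""
    resolved = path.replace("%SystemRoot%", SYSTEM_ROOT).lower()
    return resolved.startswith(SYSTEM_ROOT.lower() + "\\system32\\")


def find_suspicious(entries):
    """Entries with an unknown value name or a DLL outside System32."""
    return [e for e in entries
            if e[0] not in KNOWN_GOOD_NAMES or not in_system32(e[2])]


def build_fix_reg(suspicious):
    """REGEDIT4 text that deletes each flagged CLSID key and SSODL value."""
    lines = ["REGEDIT4", ""]
    for _name, clsid, _path in suspicious:
        lines.append(f"[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{clsid}]")
        lines.append("")
    if suspicious:
        lines.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows"
                     "\\CurrentVersion\\ShellServiceObjectDelayLoad]")
        for name, _clsid, _path in suspicious:
            lines.append(f'"{name}"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumption: StartDreck saved an ANSI (cp1252) text log.
        with open(sys.argv[1], encoding="cp1252") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    flagged = find_suspicious(parse_ssodl(text))
    for name, clsid, path in flagged:
        print(f"SUSPECT: {name} {clsid} -> {path} (remove the DLL after the keys)")
    if flagged:
        print(build_fix_reg(flagged))
```

Run it with no arguments to see the constructed sample flagged, or point it at a saved log (`python ssodl_check.py StartDreck.log`). The output is printed rather than imported deliberately: deleting a CLSID key that a legitimate component registered would break that component, so the generated .reg is meant to be read against the log before it is applied, exactly as the thread does by hand.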

#28 freeatlast (E x p l o r e r, Retired Staff, 833 posts)
Posted 01 June 2004 - 04:58 AM

***New (updated) Steps:

1.) Download:
>>PestFix.zip<<

-Unzip!
-DoubleClick on->'PestFix.bat' file!
-Restart computer
-DoubleClick on the 'PestFix.bat' again (in case some files were in use)

That should remove the virus and its registry keys!

2.) Run the "RegSrch.vbs" file again,
Copy and paste:
fepeolca.dll
As the string to search, wait for the output, copy and post the results here!

3.) Run "StartDreck.exe":
Hit: -config
hit: -Unmark all
Check this box only:
*Registry->'ShellServiceObjectDelayLoad(LM)'
hit >ok.

Use the "save" tab, to save, name and post the log here!



