• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
MRREED

Can't download from most sites

26 posts in this topic

OK some might say same question again and again ... But i ve tried most tips i ve found around these forums alas nothing really worked to solve this last problem. I ve been using to all tools i could find from Merjin.org since some of the alternate links still allow download. However CWShreddder still finds and "removes" (at least it seems) same trojan after surfing the net a few hours. As for Hijackthis logs, since i m no computer shaman, remain quite mysterious to me. Believe me i m getting really desperate. To mention some main symptoms of what plagues my computer

-When it comes to download from most if not all websites dealing with spywares removal ... Symantec and alike NOTHING WORKS !!!

 

-My updated Norton 2003 doesn t help much either

 

-Windows update service is now unavailable for security patches (download stalls)

 

-And last when download seems to stall and i try to go back to previous page browser shuts down and i get this message "access violation at address 041A124F in module chp.dll. Read of address 000000000".

If Someone could help i d be sooooooo grateful

Cheers

Share this post


Link to post
Share on other sites

adding this if it helps

 

Logfile of HijackThis v1.97.7

Scan saved at 12:01:31, on 17/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MMTray.exe

C:\PROGRA~1\Wanadoo\CnxMon.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Crazy Browser\Crazy Browser.exe

D:\Utilitaires\securite internet\hijackthis1977\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D2C436E3-F772-4933-9FAA-E67E45A789B4} - C:\WINDOWS\System32\heaogca.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\FMV5\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\BUREAU~1\Office\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)

O9 - Extra button: Messager Wanadoo (HKLM)

O9 - Extra 'Tools' menuitem: Messager Wanadoo (HKLM)

O9 - Extra button: Wanadoo (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a6d3d8142f93bf8105/...RdxIE601_fr.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7876.5334953704

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A6687580-263D-43AE-9144-1B11CD2D3024}: NameServer = 80.10.246.1 80.10.246.132

Share this post


Link to post
Share on other sites

:lol: Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log

 

Please keep an eye on this message for a resolution shortly.

Edited by PGPhantom

Share this post


Link to post
Share on other sites

We need to get rid of your CoolWebSearch infection ...

  1. Download reglite
  2. install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ into the address bar.
  3. Double click on AppInit_DLLs to open a "Data Editor" properties window, if the bottom textfield named "Value" contains a .dll file; then this is the hidden file you need to get rid off.
  4. You should not be able to delete this file if you try to clear the value field, IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
  5. Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
  6. Click AppInit_DLLs again and clear the value containing the .dll and ok it. This should have removed the .dll
  7. Rename the windows folder back to its original name "Windows".
  8. Run SpyBot, Ad-Aware and CWShredder
  9. Check the following three links for instructions on downloading and running the applications listed:

[*]Next step will be to remove this dll file so make sure you have it noted down.

[*]Procedure 1

  • Download KillBox
  • Unzip and start the application
  • Paste in the dir <path and name of dll as found in the appinit value box> e.g. C:\Windows\System32\nameofdll.dll
  • Menu Select Action => Delete on Reboot
  • Select File => Add file <It should add the path automatically>
  • <Same Window> Select Action => Process and Reboot

[*]Procedure 2 (If Procedure 1 did not work)

  • Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".
  • This will open a command window I will assume you have a basic knowledge of DOS if you have any problems at this point just write back I will outline the commands.
  • Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.
  • Go to the system32 folder (This is where the .dll file will typically reside) and type attrib -R "nameofdll".dll
  • Carry out Procedure 1 again

[*]Restart your computer in safemode (How do I boot into "Safe" mode?)

[*]Open cmd window again as before

[*]Type dir <path and name of dll as found in the appinit value box> and locate the dll name the dll should now have been removed and will not be listed.

[*]While in safe mode, run the 3 ad-removal programs again, just to make sure all traces are gone.

Run Hijack This and make sure that the following entries are no longer there (If they are, delete them):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {D2C436E3-F772-4933-9FAA-E67E45A789B4} - C:\WINDOWS\System32\heaogca.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a6d3d8142f93bf8105/...RdxIE601_fr.cab

 

Please reboot into safe mode - How do I boot into "Safe" mode?

 

Please cleanup temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):

  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files [/color](all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".

Reboot again and log in normally, repost a new HijackThis log into this message for further review.

 

Please go to Microsoft Windows Update and download all critical updates - Specifically those relating to Internet Explorer.

Share this post


Link to post
Share on other sites

Thanks for the message

BTW just want to add this the trojan is identified as "CWS.search" at least the one removed by CWShredder hehe. I also noticed a significant loss of CPU speed like most people infected by such nasties.

 

No worries i m patient. :D

Cheers

Share this post


Link to post
Share on other sites

Be sure to post back a new log as soon as you are finished with the steps so that we can verify that your system is clean.

Share this post


Link to post
Share on other sites

Well well it s a nasty .dll indeed. Procedure 1 Killbox failed to eradicated the ctla.dll. Maybe i should have restarted in safe mode ? (as you mentioned in procedure 2) or should i use killbox while in safe mode?

 

I d appreciate if you could outline the lines of command for procedure 2.

 

Thanks PGPhantom you help is more than appreciated

 

Cheers

Share this post


Link to post
Share on other sites

What is the name of the dll file as found in the appinit entry? With that I can give you the complete syntax so all you should have to do is copy and paste.

Share this post


Link to post
Share on other sites

  1. Done
  2. Done
  3. Done
  4. Done
  5. Done
  6. Done
  7. Done
  8. Done
  9. Done

[*]Done

[*]Procedure 1

  • Download KillBox
  • Unzip and start the application
  • Paste in the dir <path and name of dll as found in the appinit value box> e.g. C:\Windows\System32\nameofdll.dll
  • Menu Select Action => Delete on Reboot
  • Select File => Add file <It should add the path automatically>
  • <Same Window> Select Action => Process and Reboot

[*]Procedure 2- Continue from this point on

  • Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".
  • This will open a command window. Type in cd c:\windows\system32 and press enter. The prompt should change to c:\windows\system32>
  • Type in attrib -R ctla.dll
  • Carry out Procedure 1 again

[*]Restart your computer in safemode (How do I boot into "Safe" mode?)

[*]Open cmd window again as before

[*]Type dir <path and name of dll as found in the appinit value box> and locate the dll name the dll should now have been removed and will not be listed.

[*]While in safe mode, run the 3 ad-removal programs again, just to make sure all traces are gone.

Run Hijack This and make sure that the following entries are no longer there (If they are, delete them):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\heaogca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {D2C436E3-F772-4933-9FAA-E67E45A789B4} - C:\WINDOWS\System32\heaogca.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a6d3d8142f93bf8105/...RdxIE601_fr.cab

 

Please reboot into safe mode - How do I boot into "Safe" mode?

 

Please cleanup temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):

  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files [/color](all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".

Reboot again and log in normally, repost a new HijackThis log into this message for further review.

 

Please go to Microsoft Windows Update and download all critical updates - Specifically those relating to Internet Explorer.V

Share this post


Link to post
Share on other sites

Need advice ! When it come to type attrib -R ctla.dll the command failed (access denied or something like that). So i thought renaming the dll without using DOS command box, straight through explorer could work !?(ctla.dll is read only file and i no way to alter properties). I carried out procedure 1 again (killbox and reboot), rerun DOS command as you said and dll as found in the appinit value box is gone. However "attrib -R ctla.dll" is still there when i checked my system32 folder!

Is it ok ? can i proceed with the rest ?

Thanks for help

Share this post


Link to post
Share on other sites

Can you remove the read only attribut in safe mode? You can proceed with the rest and we'll keep an eye on it.

Share this post


Link to post
Share on other sites

Unfortunately no ! i can t remove it nor in normal neither in safe mode :blink:

Anyway i proceeded as told and ... something else is giving me headaches.

 

1 ---> C:\Documents and Settings\<Admin Profile>\Local Settings\

to mention one : Temp\CmdLineExt02.dll ---> access denied when i try to delete it !!!

2 ---> C:\Documents and Settings\<Admin Profile>\Local Settings\ Temporary Internet Files\Content IES. folder ---> Should i try to delete this?

 

Rest went well ... at least it seems

 

Anyway I m posting another HJT log so you can check it out

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:26:08, on 18/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MMTray.exe

C:\PROGRA~1\Wanadoo\CnxMon.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Crazy Browser\Crazy Browser.exe

D:\Utilitaires\securite internet\hijackthis\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\FMV5\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\BUREAU~1\Office\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)

O9 - Extra button: Messager Wanadoo (HKLM)

O9 - Extra 'Tools' menuitem: Messager Wanadoo (HKLM)

O9 - Extra button: Wanadoo (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7876.5334953704

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A6687580-263D-43AE-9144-1B11CD2D3024}: NameServer = 80.10.246.1 80.10.246.132

 

 

I just outlined 2 lines you asked to fix with HJT in safe mode. I did checked them but they re still here !!!

Share this post


Link to post
Share on other sites

Posting latest HJT log after setting Crazy Browser as default Internet browser but same homepage as i used to have for IE 6. Previous settings for Crazy Browser were blank page on start up. I wonder if it can help to point this out ?

 

Logfile of HijackThis v1.97.7

Scan saved at 11:22:56, on 18/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MMTray.exe

C:\PROGRA~1\Wanadoo\CnxMon.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Crazy Browser\Crazy Browser.exe

D:\Utilitaires\securite internet\hijackthis1977\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\FMV5\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\BUREAU~1\Office\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)

O9 - Extra button: Messager Wanadoo (HKLM)

O9 - Extra 'Tools' menuitem: Messager Wanadoo (HKLM)

O9 - Extra button: Wanadoo (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7876.5334953704

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A6687580-263D-43AE-9144-1B11CD2D3024}: NameServer = 80.10.246.1 80.10.246.132

Share this post


Link to post
Share on other sites

Do you have any other users that use the same computer under a different user name? Their profile might be reintroducing the problem. I do not see much wrong with the log as posted but I have never heard of Crazy Browser?

 

If you have any other profile, can you log in as that user and run through the same procedure? Let me know if anything shows up in the appinit registry entry.

Share this post


Link to post
Share on other sites

Hi everyone !

Here is latest log as you requested PGPhantom. As you suggested i ran same procedure using the other profile i created just in case ...However i have to mention i never use it nor any other user.

Talking about Crazybrowser you can find it from website with same name.com if you want to check further info about it.

 

by the way, despite trying hard :angry: no way to change the read only status of attrib -R ctla.dll. Can't figure out how to delete it from the sustem32 folder

 

Good news are : HJT allowed me to delete this :"R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = " after last scan. the pesky CmdLineExt02.dll is gone as well. Rest of cleaning of temp and temporary Internet Folders cleared.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 00:31:05, on 19/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MMTray.exe

C:\PROGRA~1\Wanadoo\CnxMon.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\devldr32.exe

D:\Utilitaires\securite internet\hijackthis1977\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\FMV5\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\BUREAU~1\Office\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)

O9 - Extra button: Messager Wanadoo (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Wanadoo (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7876.5334953704

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

 

Do i need voodoo now? :p

Share this post


Link to post
Share on other sites

The log looks clear but I am worried about the dll.

 

Can you reboot into safe mode: How do I boot into "Safe" mode?

 

Please download TheKillbox from here.

 

Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

 

c:\windows\system32\ctla.dll

 

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filenameand path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

 

When you're back in windows, please run the latest version of cwshredder available from here.

 

Let me know if you are successful in deleting that file.

Share this post


Link to post
Share on other sites

OK ! Rebooted in safe mode. Used Killbox. Used CWShredder =clear. Browsed system32 folder and tadaaa... "attrib -R ctla.dll" is still here <_< . This dll must be made of some new virtual alloy :blink:

Hmmm...What about removing "attrib -R" reverting the dll to it s original form? Wouldn t killbox get a better "lock on target"? Or isn t it worth risking a new infection.

 

So far overall system behaviour improved with everything else removed. Maybe removing Crazybrowser helped? I just ran a few tests with latest version of "Opera" as new web browser and so far so good! i even managed to download a few files from a couple of websites (although i have not tried all crippled by the trojan) I might give up on MSIE 6, and secure it, entering fake proxy settings to make sure nothing slips through it. I know one can t remove MSIE 6 on XP ! :angry:

 

Waiting for more precious advices.

 

Cheers

Share this post


Link to post
Share on other sites

Thatb dll is sure perplexing to say the least - I'll post this problem in the helpers forum to see if anyone there can offer additional advice.

 

p.s. Do not give up on IE yet, especially not on XP with Service Pack 2 coming out - You will like what they have done :)

Share this post


Link to post
Share on other sites

I stay tuned for more info.

 

There s one thing that i want to point out but it may be irrelevant to our problem Everytime i log on internet so does my msn messenger despite everything allowing automated launch unchecked in the tools - settings panel. I found this out after some mail alert tiny window betrayed the pesky program and monitoring my Computer with the CTRL-ALT-DEL thingie. MSN Messenger did not appear active in first tab, only in 2nd. What confused me is what happened next. I looked for the msnmsg.exe, double clicked, double checked settings to disable the automation, and right clicked on the taskbar msnmsg icon to bring on the quit command. Guess what ?! The ...... program wouldn t comply some message asking me first to close all other active internet programs such as outlook, MSIE 6, ... Eventually I just closed the current messenger session leaving no icon in the taskbar. Is that a "security breach"? Could the ctla.dll involved. Is this all driving me paranoïd :huh:

 

Anyway let me tell you how grateful i am for this unvaluable help you provided me these last days.

Cheers

Share this post


Link to post
Share on other sites

Let's do the following ...

  • Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".
  • This will open a command window. Type in ren c:\windows\system32\ctla.dll c:\windows\system32\ctla.old

Hopefully there will be no problme renaming the file. Then you can type in del c:\windows\system32\ctla.old.

 

You may have to perform this procedure in Safe mode and you may have to reboot after renaming the file. Let me know if this works.

 

Two more things I would like - After you have done the above, can you please post a new HijackThis log and from HijackThis, in the bottom right corner click on "Config", then on the "Misc Tools" tab, then click on "Generate Startup LIst". Post the results of both back here. Hopefully that will tell us a bit more and we can narrow down MSN for you.

Share this post


Link to post
Share on other sites

I also met a similar problem. When downloading Hijackthis, it ends

with a message "can't save to your disk" at 99 percent finished.

I guess maybe some dlls are spoiled by trojan.

Share this post


Link to post
Share on other sites

kenji - If you could, please start a new post with your problem. Posting in another message only serves to confuse everyone involved as it gets far too complicated to track. Thank you for your consideration.

Share this post


Link to post
Share on other sites

Guess what PGPhantom ! the DOS commands didn t work! Same answer over and over "access denied". :blink: <_< . I started to wonder if anything less than a tactical nuke would work :huh: That s when this little voice whispered :"use the Force Luke...". :ph34r:

No seriously A mere READ-ONLY file driving me nuts. That was the thing i focused on. Right clicking on the dll file and clicking properties i realized there was a security tab available !!! a tab listing who and what could do admin user or guests. A minute later the dll was vaporized, gone, ciao ciao, no more... Can you believe i missed that thing for 2 days!

 

and now here go the logs you asked for

 

Logfile of HijackThis v1.97.7

Scan saved at 02:37:01, on 20/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MMTray.exe

C:\PROGRA~1\Wanadoo\CnxMon.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Opera75\opera.exe

D:\Utilitaires\securite internet\hijackthis1977\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\FMV5\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\BUREAU~1\Office\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)

O9 - Extra button: Messager Wanadoo (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Wanadoo (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7876.5334953704

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A6687580-263D-43AE-9144-1B11CD2D3024}: NameServer = 80.10.246.1 80.10.246.132

 

 

and the startup list

 

StartupList report, 20/05/2004, 02:41:57

StartupList version: 1.52

Started from : D:\Utilitaires\securite internet\hijackthis1977\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MMTray.exe

C:\PROGRA~1\Wanadoo\CnxMon.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

D:\Utilitaires\securite internet\hijackthis1977\HijackThis.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

MMTray = MMTray.exe

WooCnxMon = C:\PROGRA~1\Wanadoo\CnxMon.exe

WOOWATCH = C:\PROGRA~1\Wanadoo\Watch.exe

Microsoft Inet Xp.. =

SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

STYLEXP =

IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

ccApp = "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

ccRegVfy = "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

TransparentIcons =

BlockAds =

Tweak-XP =

TransTask =

(Default) =

STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=*Registry value not found*

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[YInstStarter Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll

CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe

 

[installShield International Setup Player]

InProcServer32 = c:\windows\downlo~1\isetup.dll

CODEBASE = http://www.installengine.com/engine/isetup.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7876.5334953704

 

[MSN Photo Upload Tool]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll

CODEBASE = http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

 

[MSN Chat Control 4.5]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx

CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

 

--------------------------------------------------

End of report, 5 921 bytes

Report generated in 0,040 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

Cheers

Share this post


Link to post
Share on other sites

Looking so much better :) Thanks for sticking in there on this.

 

Please go to Microsoft Windows Update and download all "Critical" updates for your system -Specifically the service pack for IE and XP Service Pack1 = These are crucial

 

After that is done ...

 

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

 

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

 

More info and download is available at:

Spywareblaster

Spywareguard

 

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will several impair attempts to infect your system. It is free.

 

More info and download is available at:

IE/Spyad

 

On a regular basis - Use Ad-Aware to check your system for any and all infections => How to use Ad-Aware to remove Spyware

 

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recyle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Share this post


Link to post
Share on other sites

It has been a pleasure to help you :)

 

The problems here look to be resolved so I will close the thread. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0