CWS problem, very persistent strain



#1 kromekoran (Full Member, 6 posts)

Posted 03 June 2004 - 02:18 AM

I was infected last week with another CWS hijacker, my third so far. In the past Merijn's CWShredder has done the job of eradicating it from my system, but no luck this time. I'm all up to date with my removal programs, including Ad Aware.

I ran Ad Aware and it found 398 infected files. I deleted them all, as well as followed some advice I found in other threads here; including one that recommended to delete a file called wintime.exe, which seemed to be responsible for a download pop-up and prompt, about every fifteen minutes. That one seems to be gone, but I still can’t change my home page, and my connection is still extremely slow.

I’m running HijackThis every time I boot up, and fixing the obvious files, but they keep coming back. Any help would be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 12:09:45 AM, on 6/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\SHITE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Juno (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8001.1416435185
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O19 - User stylesheet: C:\WINDOWS\win32.bmp
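Reading the log above by hand is what the rest of the thread does. The following is an added example, not part of the original post and not HijackThis code: it turns the indicators visible in that log into rules and runs them over a subset of its lines: start/default/local pages pointing at a raw IP host, an autostart entry in the Windows root with a system-looking name, an O16 control registered from a file:// URL under a filler CLSID, and a "user stylesheet" that is a .bmp. The allowlist of programs Windows ME legitimately starts from C:\WINDOWS is an assumption for the example. None of these rules sees what keeps restoring the page keys after HijackThis fixes them; the thread finds that later with a StartupList log.

```python
import re
from urllib.parse import urlparse

# A subset of the HijackThis v1.97.7 log posted above, used as sample input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O19 - User stylesheet: C:\WINDOWS\win32.bmp
"""

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Programs Windows ME itself starts from the Windows root (assumed allowlist for this example;
# extend it for the machine you are looking at).
WINROOT_ALLOWED = {"scanregw.exe", "taskmon.exe", "loadqm.exe", "gwhotkey.exe", "starter.exe"}


def check_r(line):
    """R0/R1: IE start/default/local page. A bare IP as the host is the classic CWS sign."""
    if " = " not in line:
        return None
    url = line.split(" = ", 1)[1].strip()
    host = urlparse(url).hostname or ""
    if IPV4_HOST.match(host):
        return f"browser page set to a raw IP host {host}"
    return None


def check_o4(line):
    """O4: Run/RunServices. Flag executables in the Windows root that are not known ME components."""
    m = re.match(r"O4 - .*?: \[[^\]]*\] (?P<cmd>.+)$", line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    parts = path.split("\\")
    if len(parts) == 3 and parts[0].upper() == "C:" and parts[1].upper() == "WINDOWS":
        if parts[2].lower() not in WINROOT_ALLOWED:
            return f"unexpected program {parts[2]} autostarting from the Windows root"
    return None


def check_o16(line):
    """O16: ActiveX controls in Downloaded Program Files. Controls should come from http(s) URLs."""
    m = re.match(r"O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \([^)]*\))? - (?P<url>\S+)$", line)
    if not m:
        return None
    reasons = []
    if urlparse(m.group("url")).scheme not in ("http", "https"):
        reasons.append("control registered from a non-web URL (" + m.group("url") + ")")
    if len(set(m.group("clsid")[:8])) == 1:
        reasons.append("CLSID is a filler pattern, not a generated GUID")
    return "; ".join(reasons) or None


def check_o19(line):
    """O19: user stylesheet. IE parses whatever file is named here; a .bmp is not a stylesheet."""
    path = line.split(": ", 1)[1].strip()
    if not path.lower().endswith(".css"):
        return f"user stylesheet points at a non-CSS file {path}"
    return None


CHECKS = {"R0": check_r, "R1": check_r, "O4": check_o4, "O16": check_o16, "O19": check_o19}


def triage(log_text):
    """Return (section, reason, line) for every log line a rule fires on, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        section = line.split(" - ", 1)[0]
        check = CHECKS.get(section)
        if check:
            reason = check(line)
            if reason:
                findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Run on the sample it flags the two page keys, win32.exe, the 1.exe control and the .bmp "stylesheet", and nothing else; the Symantec, RealPlayer and Macromedia entries pass because they are quoted Program Files paths or http URLs with ordinary CLSIDs.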

#2 Matrix (New Member, 1 post)

Posted 03 June 2004 - 03:25 AM

Just a suggestion, but did you try emptying your Recycle Bin?

TM

#3 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 03 June 2004 - 03:35 AM

OK, could you just check something for me before we start the clean-up. Please surf to http://www.billsway.com/vbspage/ and scroll down to Registry Search Tool. Download, unzip and run RegSrch.vbs (you may need to enable your antivirus program to run the file)

Copy and paste this in the dialog box: system32.dll

After a while a prompt will come up. Click OK to write the results to wordpad and post them.

#4 kromekoran (Full Member, 6 posts)

Posted 03 June 2004 - 05:13 AM

I d/led and ran the script, but it doesn't work. I just get a "not responding", and I tried four or five times.

#5 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 03 June 2004 - 05:48 AM

OK, try this alternative, I'll start the cleanup in the meantime. Download PV from
http://tools.zerosrealm.com/pv.zip

Create a folder on your desktop called PV then extract all the files in pv.zip to that folder. It will not work if you run it from inside the zip. After unzipping open the PV folder. Double click on the runme.bat

A dos window will open. Please select option 8 and press enter, then choose option 7 on the next menu. At the prompt, type in (or copy from here):

system32.dll

and press the OK button. Notepad will open with a log in it. Please copy and paste the log into this post.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O19 - User stylesheet: C:\WINDOWS\win32.bmp

Click here for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded, find and delete the following:

C:\WINDOWS\win32.exe

Reboot when done, rescan with HJT and post a new log here

#6 kromekoran (Full Member, 6 posts)

Posted 03 June 2004 - 06:32 AM

there is no option 8, but options 1 and 2 are for Explorer and Internet Explorer Dlls respectively, so I'll just post those on the assumption that one of them is what you're looking for:


Module information for 'EXPLORER.EXE'
MODULE BASE SIZE PATH
WEBVW.DLL 7f1b0000 2138112 C:\WINDOWS\SYSTEM\WEBVW.DLL 5.50.4134.100 Shell WebView Content & Control Library
WIASHEXT.DLL 742f0000 454656 C:\WINDOWS\SYSTEM\WIASHEXT.DLL 4.90.3000.1 Imaging Devices Shell Folder UI
STI.DLL 75910000 114688 C:\WINDOWS\SYSTEM\STI.DLL 4.90.3000.1 Still Image Devices client DLL
IPROP.DLL 7b5f0000 114688 C:\WINDOWS\SYSTEM\IPROP.DLL 4.00 OLE PropertySet Implementation
SETUPAPI.DLL 76140000 581632 C:\WINDOWS\SYSTEM\SETUPAPI.DLL 5.00.2195.1526 Windows Setup API
CABINET.DLL 7e0c0000 77824 C:\WINDOWS\SYSTEM\CABINET.DLL 5.00.2147.1 Microsoft® Cabinet File API
LZ32.DLL bfe40000 24576 C:\WINDOWS\SYSTEM\LZ32.DLL 4.90.3000 Win32 LZ32 core component
WIASTATD.DLL 742e0000 24576 C:\WINDOWS\SYSTEM\WIASTATD.DLL 4.90.3000.1 WIA Status Dialog
MSONSEXT.DLL 78990000 573440 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\MSONSEXT.DLL
PSICON.DLL 18e0000 114688 C:\PROGRAM FILES\COMMON FILES\ADOBE\SHELL\PSICON.DLL 6.0 Icons for Adobe Photoshop
MSHTMLED.DLL 70f30000 450560 C:\WINDOWS\SYSTEM\MSHTMLED.DLL 6.00.2600.0000 Microsoft ® HTML Editing Component
IDLEPROC.DLL 67f00000 28672 C:\PROGRAM FILES\AMERICA ONLINE 8.0\IDLEPROC.DLL 8.00.000 IDLEPROC DLL
WZSHLSTB.DLL 16200000 24576 C:\PROGRAM FILES\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
STUFFITMENU.DLL 1820000 188416 C:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT STANDARD\STUFFITMENU.DLL 8.0.0.14 StuffIt Shell Extension - Context Menu Handler
ALADDIN.DLL 1850000 118784 C:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT STANDARD\ALADDIN.DLL 8.0.0.148 Aladdin Common Library
MSVCP70.DLL 7c080000 487424 C:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT STANDARD\MSVCP70.DLL 7.00.9466.0 Microsoft® C++ Runtime Library
MFC70.DLL 7c140000 974848 C:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT STANDARD\MFC70.DLL 7.00.9466.0 MFCDLL Shared Library - Retail Version
OLEACC.DLL 77410000 176128 C:\WINDOWS\SYSTEM\OLEACC.DLL 4.2.3130.0 Active Accessibility Core Component
MSVCR70.DLL 7c000000 344064 C:\PROGRAM FILES\ALADDIN SYSTEMS\STUFFIT STANDARD\MSVCR70.DLL 7.00.9466.0 Microsoft® C Runtime Library
DOCPROP2.DLL 7cb70000 331776 C:\WINDOWS\SYSTEM\DOCPROP2.DLL 5.00.2136.1 DocProp2
AVIFIL32.DLL 7e460000 98304 C:\WINDOWS\SYSTEM\AVIFIL32.DLL 4.90.3000 Microsoft AVI File support library
CRTDLL.DLL 7fb20000 180224 C:\WINDOWS\SYSTEM\CRTDLL.DLL 3.50 Microsoft C Runtime Library
MSVFW32.DLL 77ee0000 147456 C:\WINDOWS\SYSTEM\MSVFW32.DLL 4.90.3000 Microsoft Video for Windows DLL
WOW32.DLL bfdc0000 20480 C:\WINDOWS\SYSTEM\WOW32.DLL 4.90.3000 Win32 WOW32 core component
DCIMAN32.DLL 7d190000 24576 C:\WINDOWS\SYSTEM\DCIMAN32.DLL 4.90.3000 DCI Manager 1.00
QISWCINE.CPL 2440000 233472 C:\WINDOWS\SYSTEM\QISWCINE.CPL 1, 0, 11, 1005 Software CineMaster Control Panel
WINSPOOL.DRV 7fe40000 36864 C:\WINDOWS\SYSTEM\WINSPOOL.DRV 4.90.3000 Win32 WINSPOOL core component
IMGUTIL.DLL 70510000 40960 C:\WINDOWS\SYSTEM\IMGUTIL.DLL 6.00.2600.0000 IE plugin image decoder support DLL
JSCRIPT.DLL 6b700000 589824 C:\WINDOWS\SYSTEM\JSCRIPT.DLL 5.6.0.6626 Microsoft ® JScript
CRYPTNET.DLL 7da50000 53248 C:\WINDOWS\SYSTEM\CRYPTNET.DLL 5.131.2133.2 Crypto Network Related API
WLDAP32.DLL 77950000 167936 C:\WINDOWS\SYSTEM\WLDAP32.DLL 5.00.2168.1 Win32 LDAP API DLL
RSAENH.DLL 7ca00000 110592 C:\WINDOWS\SYSTEM\RSAENH.DLL 5.00.2133.2 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
WINTRUST.DLL 741d0000 176128 C:\WINDOWS\SYSTEM\WINTRUST.DLL 5.131.2133.2 Microsoft Trust Verification APIs
IMAGEHLP.DLL 7d750000 118784 C:\WINDOWS\SYSTEM\IMAGEHLP.DLL 4.00 Windows NT Image Helper
SCRBLOCK.DLL 1a10000 122880 C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SCRIPT BLOCKING\SCRBLOCK.DLL 1, 1, 0, 126 ScriptBlocking
SCRAUTH.DLL 1940000 110592 C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SCRIPT BLOCKING\SCRAUTH.DLL 1, 1, 0, 126 ScriptBlocking Authenticator
BROWSELC.DLL 71950000 73728 C:\WINDOWS\SYSTEM\BROWSELC.DLL 6.00.2600.0000 Shell Browser UI Library
MYDOCS.DLL 77b80000 81920 C:\WINDOWS\SYSTEM\MYDOCS.DLL 5.50.4134.100 My Documents Folder UI
MSADP32.ACM 73330000 32768 C:\WINDOWS\SYSTEM\MSADP32.ACM 4.90.3000 Microsoft ADPCM CODEC for MSACM
MSACM32.DLL 7a1e0000 102400 C:\WINDOWS\SYSTEM\MSACM32.DLL 4.90.3000 Microsoft Audio Compression Manager
WINMM.DLL bfdd0000 65536 C:\WINDOWS\SYSTEM\WINMM.DLL 4.90.3000 System APIs for Multimedia
CFGMGR32.DLL 7f720000 40960 C:\WINDOWS\SYSTEM\CFGMGR32.DLL 4.90.3000 Configuration Manager Win32 Interface
LINKINFO.DLL 7faa0000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.90.3000 Windows Volume Tracking
ES.DLL 717a0000 118784 C:\WINDOWS\SYSTEM\ES.DLL 1998.09.1003.0 COM+ EventSystem Library
SENS.DLL 60100000 69632 C:\WINDOWS\SYSTEM\SENS.DLL 5.50.4522.1800 System Event Notification Service (SENS)
ESTIER2.DLL 71800000 61440 C:\WINDOWS\SYSTEM\ESTIER2.DLL 1998.09.1003.0 COM+ EventSystem Service Library
ESSHARED.DLL 717d0000 69632 C:\WINDOWS\SYSTEM\ESSHARED.DLL 1998.09.1003.0 COM+ EventSystem Shared Utilities
MSH_ZWF.DLL d2d0000 61440 C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\MSH_ZWF.DLL
SYSTEM32.DLL 10000000 32768 C:\WINDOWS\SYSTEM32\SYSTEM32.DLL
COMDLG32.DLL 7fe00000 208896 C:\WINDOWS\SYSTEM\COMDLG32.DLL 5.50.4134.100 Common Dialogs DLL
AUHOOK.DLL 1f20000 36864 C:\WINDOWS\SYSTEM\AUHOOK.DLL 5.4.1083.11 Microsoft AutoUpdate
WEBCHECK.DLL 70340000 266240 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 6.00.2600.0000 Web Site Monitor
ACTXPRXY.DLL 703d0000 110592 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 6.00.2600.0000 ActiveX Interface Marshaling Library
MSI.DLL 1a60000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.1 Windows Installer
IMM32.DLL bfe00000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL 4.90.3000 Win32 IMM32 core component
MSLS31.DLL 48080000 159744 C:\WINDOWS\SYSTEM\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
SHDOCLC.DLL 718b0000 557056 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 6.00.2600.0000 Shell Doc Object and Control Library
IPHLPAPI.DLL 7b610000 49152 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 4.90.3000.2 IP Helper API
MSAFD.DLL 79fb0000 40960 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.90.3000 Microsoft Windows Sockets 2.0 Service Provider
DHCPCSVC.DLL 7cee0000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
ICMP.DLL 7bbd0000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL
NTDLL.DLL bfe70000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL 4.90.3000 Win32 NTDLL core component
RASAPI32.DLL 7f7a0000 249856 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.90.3000 Dial-Up Networking Dynamic Linked Library
WSOCK32.DLL 736d0000 36864 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.90.3000 BSD Socket API for Windows
MSWSOCK.DLL 77d70000 81920 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.90.3000 Microsoft WinSock Extension APIs
WS2_32.DLL 73710000 69632 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.90.3000 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 73700000 20480 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.90.3000 Windows Socket 2.0 Helper for Windows 98
SECUR32.DLL 7f780000 69632 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.90.3000 Microsoft Win32 Security Services (Export Version)
SVRAPI.DLL 7f870000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.90.3000 32-bit common Server API library
MSNET32.DLL 7fa30000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.90.3000 Microsoft 32-bit Network API Library
MSPWL32.DLL 7fa70000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.90.3000 Password list management library
TAPI32.DLL 7f880000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.90.3000 Microsoft® Windows™ Telephony API Client DLL
NETAPI32.DLL 7f8b0000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.90.3000 32-bit network API DLL
NETBIOS.DLL 7f750000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
MPR.DLL 7f160000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.90.3000 WIN32 Network Interface DLL
WININET.DLL 70200000 606208 C:\WINDOWS\SYSTEM\WININET.DLL 6.00.2600.0000 Internet Extensions for Win32
CRYPT32.DLL 7da90000 479232 C:\WINDOWS\SYSTEM\CRYPT32.DLL 5.131.2133.3 Crypto API32
RPCRT4.DLL 7fab0000 344064 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.3335 Remote Procedure Call DLL
MSASN1.DLL 79f80000 65536 C:\WINDOWS\SYSTEM\MSASN1.DLL 4.4.3420 Microsoft ASN.1 Encoder/Decoder
OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4518
MSHTML.DLL 70c50000 2764800 C:\WINDOWS\SYSTEM\MSHTML.DLL 6.00.2600.0000 Microsoft ® HTML Viewer
MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL 6.00.2600.0000 Multi Language Support DLL
URLMON.DLL 702b0000 491520 C:\WINDOWS\SYSTEM\URLMON.DLL 6.00.2600.0000 OLE32 Extensions for Win32
VERSION.DLL bfe50000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.90.3000 Win32 VERSION core component
BROWSEUI.DLL 71160000 1036288 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 6.00.2600.0000 Shell Browser UI Library
SHDOCVW.DLL 71000000 1343488 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 6.00.2600.0000 Shell Doc Object and Control Library
OLE32.DLL 7ff20000 794624 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.3328 Microsoft OLE for Windows and Windows NT
SHELL32.DLL 7fbd0000 2285568 C:\WINDOWS\SYSTEM\SHELL32.DLL 5.50.4134.100 Windows Shell Common Dll
EXPLORER.EXE 400000 225280 C:\WINDOWS\EXPLORER.EXE 5.50.4134.100 Windows Explorer
COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
SHLWAPI.DLL 70bd0000 409600 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 6.00.2600.0000 Shell Light-weight Utility Library
MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.8637.0 Microsoft ® C Runtime Library
USER32.DLL bff40000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.90.3000 Win32 USER32 core component
GDI32.DLL bff10000 172032 C:\WINDOWS\SYSTEM\GDI32.DLL 4.90.3000 Win32 GDI core component
ADVAPI32.DLL bfe60000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.90.3000 Win32 ADVAPI32 core component
KERNEL32.DLL bff60000 536576 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.90.3000 Win32 Kernel core component



Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
CRTDLL.DLL 7fb20000 180224 C:\WINDOWS\SYSTEM\CRTDLL.DLL 3.50 Microsoft C Runtime Library
COMDLG32.DLL 7fe00000 208896 C:\WINDOWS\SYSTEM\COMDLG32.DLL 5.50.4134.100 Common Dialogs DLL
MSRATING.DLL 70400000 143360 C:\WINDOWS\SYSTEM\MSRATING.DLL 6.00.2600.0000 Internet Ratings and Local User Management DLL
MSRATELC.DLL 30000000 69632 C:\WINDOWS\SYSTEM\MSRATELC.DLL 6.00.2600.0000 Internet Ratings and Local User Management DLL
MSHTMLED.DLL 70f30000 450560 C:\WINDOWS\SYSTEM\MSHTMLED.DLL 6.00.2600.0000 Microsoft ® HTML Editing Component
RNR20.DLL 766b0000 57344 C:\WINDOWS\SYSTEM\RNR20.DLL 4.90.3000 Windows Socket2 NameSpace DLL
MSADP32.ACM 73330000 32768 C:\WINDOWS\SYSTEM\MSADP32.ACM 4.90.3000 Microsoft ADPCM CODEC for MSACM
MSACM32.DLL 7a1e0000 102400 C:\WINDOWS\SYSTEM\MSACM32.DLL 4.90.3000 Microsoft Audio Compression Manager
WINMM.DLL bfdd0000 65536 C:\WINDOWS\SYSTEM\WINMM.DLL 4.90.3000 System APIs for Multimedia
JSCRIPT.DLL 6b700000 589824 C:\WINDOWS\SYSTEM\JSCRIPT.DLL 5.6.0.6626 Microsoft ® JScript
CRYPTNET.DLL 7da50000 53248 C:\WINDOWS\SYSTEM\CRYPTNET.DLL 5.131.2133.2 Crypto Network Related API
WLDAP32.DLL 77950000 167936 C:\WINDOWS\SYSTEM\WLDAP32.DLL 5.00.2168.1 Win32 LDAP API DLL
RSAENH.DLL 7ca00000 110592 C:\WINDOWS\SYSTEM\RSAENH.DLL 5.00.2133.2 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
WINTRUST.DLL 741d0000 176128 C:\WINDOWS\SYSTEM\WINTRUST.DLL 5.131.2133.2 Microsoft Trust Verification APIs
IMAGEHLP.DLL 7d750000 118784 C:\WINDOWS\SYSTEM\IMAGEHLP.DLL 4.00 Windows NT Image Helper
SCRBLOCK.DLL 10000000 122880 C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SCRIPT BLOCKING\SCRBLOCK.DLL 1, 1, 0, 126 ScriptBlocking
SCRAUTH.DLL 1940000 110592 C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SCRIPT BLOCKING\SCRAUTH.DLL 1, 1, 0, 126 ScriptBlocking Authenticator
IMM32.DLL bfe00000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL 4.90.3000 Win32 IMM32 core component
MSLS31.DLL 48080000 159744 C:\WINDOWS\SYSTEM\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
MSHTML.DLL 70c50000 2764800 C:\WINDOWS\SYSTEM\MSHTML.DLL 6.00.2600.0000 Microsoft ® HTML Viewer
MSAFD.DLL 79fb0000 40960 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.90.3000 Microsoft Windows Sockets 2.0 Service Provider
MSH_ZWF.DLL d2d0000 61440 C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\MSH_ZWF.DLL
IDLEPROC.DLL 67f00000 28672 C:\PROGRAM FILES\AMERICA ONLINE 8.0\IDLEPROC.DLL 8.00.000 IDLEPROC DLL
WSOCK32.DLL 736d0000 36864 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.90.3000 BSD Socket API for Windows
MSWSOCK.DLL 77d70000 81920 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.90.3000 Microsoft WinSock Extension APIs
WS2_32.DLL 73710000 69632 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.90.3000 Windows Socket 2.0 32-Bit DLL
RASAPI32.DLL 7f7a0000 249856 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.90.3000 Dial-Up Networking Dynamic Linked Library
SECUR32.DLL 7f780000 69632 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.90.3000 Microsoft Win32 Security Services (Export Version)
SVRAPI.DLL 7f870000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.90.3000 32-bit common Server API library
MSNET32.DLL 7fa30000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.90.3000 Microsoft 32-bit Network API Library
MSPWL32.DLL 7fa70000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.90.3000 Password list management library
TAPI32.DLL 7f880000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.90.3000 Microsoft® Windows™ Telephony API Client DLL
NETAPI32.DLL 7f8b0000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.90.3000 32-bit network API DLL
NETBIOS.DLL 7f750000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
MPR.DLL 7f160000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.90.3000 WIN32 Network Interface DLL
WS2HELP.DLL 73700000 20480 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.90.3000 Windows Socket 2.0 Helper for Windows 98
MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL 6.00.2600.0000 Multi Language Support DLL
SHDOCLC.DLL 718b0000 557056 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 6.00.2600.0000 Shell Doc Object and Control Library
URLMON.DLL 702b0000 491520 C:\WINDOWS\SYSTEM\URLMON.DLL 6.00.2600.0000 OLE32 Extensions for Win32
VERSION.DLL bfe50000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.90.3000 Win32 VERSION core component
WININET.DLL 70200000 606208 C:\WINDOWS\SYSTEM\WININET.DLL 6.00.2600.0000 Internet Extensions for Win32
OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4518
CRYPT32.DLL 7da90000 479232 C:\WINDOWS\SYSTEM\CRYPT32.DLL 5.131.2133.3 Crypto API32
RPCRT4.DLL 7fab0000 344064 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.3335 Remote Procedure Call DLL
MSASN1.DLL 79f80000 65536 C:\WINDOWS\SYSTEM\MSASN1.DLL 4.4.3420 Microsoft ASN.1 Encoder/Decoder
BROWSELC.DLL 71950000 73728 C:\WINDOWS\SYSTEM\BROWSELC.DLL 6.00.2600.0000 Shell Browser UI Library
BROWSEUI.DLL 71160000 1036288 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 6.00.2600.0000 Shell Browser UI Library
OLE32.DLL 7ff20000 794624 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.3328 Microsoft OLE for Windows and Windows NT
SHELL32.DLL 7fbd0000 2285568 C:\WINDOWS\SYSTEM\SHELL32.DLL 5.50.4134.100 Windows Shell Common Dll
IEXPLORE.EXE 400000 102400 C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE 6.00.2600.0000 Internet Explorer
SHDOCVW.DLL 71000000 1343488 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 6.00.2600.0000 Shell Doc Object and Control Library
COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
SHLWAPI.DLL 70bd0000 409600 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 6.00.2600.0000 Shell Light-weight Utility Library
USER32.DLL bff40000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.90.3000 Win32 USER32 core component
GDI32.DLL bff10000 172032 C:\WINDOWS\SYSTEM\GDI32.DLL 4.90.3000 Win32 GDI core component
ADVAPI32.DLL bfe60000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.90.3000 Win32 ADVAPI32 core component
MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.8637.0 Microsoft ® C Runtime Library
KERNEL32.DLL bff60000 536576 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.90.3000 Win32 Kernel core component
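The listing was not what was asked for, but it does hold evidence: in the EXPLORER.EXE list, SYSTEM32.DLL is resident at 0x10000000, loaded from a C:\WINDOWS\SYSTEM32 directory (Windows ME keeps its system DLLs in C:\WINDOWS\SYSTEM), and carries no version string, unlike every Microsoft module around it. The following is an added example, not part of the thread and not the PV tool's code: it parses a subset of the listing and ranks modules on those three signals. The set of expected directories is an assumption for the example. The image-base signal on its own is weak, since legitimate DLLs that were never rebased also sit at 0x10000000 (SCRBLOCK.DLL in the IEXPLORE.EXE list above is one), which is why the example counts signals rather than treating any one as a verdict.

```python
import re

# A subset of the PV module listing for EXPLORER.EXE posted above, used as sample input.
MODULE_LISTING = r"""
Module information for 'EXPLORER.EXE'
MODULE BASE SIZE PATH
WEBVW.DLL 7f1b0000 2138112 C:\WINDOWS\SYSTEM\WEBVW.DLL 5.50.4134.100 Shell WebView Content & Control Library
MSONSEXT.DLL 78990000 573440 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\MSONSEXT.DLL
PSICON.DLL 18e0000 114688 C:\PROGRAM FILES\COMMON FILES\ADOBE\SHELL\PSICON.DLL 6.0 Icons for Adobe Photoshop
SYSTEM32.DLL 10000000 32768 C:\WINDOWS\SYSTEM32\SYSTEM32.DLL
NETBIOS.DLL 7f750000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
EXPLORER.EXE 400000 225280 C:\WINDOWS\EXPLORER.EXE 5.50.4134.100 Windows Explorer
KERNEL32.DLL bff60000 536576 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.90.3000 Win32 Kernel core component
"""

MODULE_EXT = (".DLL", ".EXE", ".OCX", ".CPL", ".ACM", ".DRV")
DEFAULT_IMAGE_BASE = 0x10000000  # linker default for a DLL that was never rebased


def parse_modules(text):
    """Split each listing row into name, load base, size, path and whether a version string follows."""
    mods = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not re.fullmatch(r"[0-9a-f]+", tok[1]) or not tok[2].isdigit():
            continue  # title row, header row or blank line
        rest = tok[3:]
        # The path may contain spaces; it ends at the first token with a module extension.
        end = next((i for i, t in enumerate(rest) if t.upper().endswith(MODULE_EXT)), None)
        if end is None:
            continue
        trailer = rest[end + 1:]
        mods.append({
            "name": tok[0],
            "base": int(tok[1], 16),
            "size": int(tok[2]),
            "path": " ".join(rest[:end + 1]),
            "has_version": bool(trailer) and trailer[0][0].isdigit(),
        })
    return mods


def in_expected_dir(path):
    """Directories a Windows ME shell process normally loads code from (assumption for this example)."""
    p = path.upper()
    directory = p.rpartition("\\")[0]
    return directory in (r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM") or p.startswith("C:\\PROGRAM FILES\\")


def signals(mod):
    """Independent weak signals; a module collecting several of them is worth a closer look."""
    reasons = []
    if not mod["has_version"]:
        reasons.append("no version resource")
    if mod["base"] == DEFAULT_IMAGE_BASE:
        reasons.append("loaded at the default image base 0x10000000")
    if not in_expected_dir(mod["path"]):
        reasons.append("loaded from an unexpected directory")
    return reasons


def rank_modules(text):
    """Modules with at least one signal, most signals first (listing order otherwise preserved)."""
    ranked = [(m["name"], m["path"], signals(m)) for m in parse_modules(text)]
    return sorted((r for r in ranked if r[2]), key=lambda r: -len(r[2]))


if __name__ == "__main__":
    for name, path, reasons in rank_modules(MODULE_LISTING):
        print(f"{name} ({path}): " + "; ".join(reasons))
```

On the sample SYSTEM32.DLL collects all three signals; MSONSEXT.DLL and NETBIOS.DLL each collect only the missing version string, which on its own is common for legitimate third-party and network components.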

#7 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 03 June 2004 - 06:38 AM

Hmmm... odd, shadowwar must have modified it :unsure:

I didn't need to see those files - let's have a look at your new HJT log after cleaning.

#8 kromekoran (Full Member, 6 posts)

Posted 03 June 2004 - 07:25 AM

here's my new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 5:20:38 AM, on 6/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\DESKTOP\SHITE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Juno (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8001.1416435185


Odd thing, even though I still have my home page hijacked, my connection seems to be back to normal speed.

I deleted the win32 files.

#9 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 03 June 2004 - 07:30 AM

Let's double check on the system32.dll entry - that's what will be causing the hijack. Create a StartupList log - run HijackThis, click the "Config" button, click the "Misc Tools" button.

Select both options "List minor ...", and "List empty ..." Click the "Generate StartupList log" button (generates "startuplist.txt")

Scroll down to the following section: (near the bottom)

Enumerating ShellServiceObjectDelayLoad items

Copy and Paste the contents of that section only to your next post.

#10 kromekoran (Full Member, 6 posts)

Posted 03 June 2004 - 08:01 AM

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL
System: C:\WINDOWS\system32\system32.dll

#11 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 03 June 2004 - 08:15 AM

OK, try this. Download the file attached to this post and save it to the Desktop. When done, double click clear.reg; when asked to merge, say yes.

Reboot your computer, then find and delete this file:

C:\WINDOWS\system32\system32.dll (leave everything else in the System32 folder alone)

With only HJT running, have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php


Reboot once again. Click here to make sure that you have the latest Critical Update patches for Windows.

Rescan with HJT and post a final log.

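The StartupList section shows why fixing the R0/R1 entries never stuck: a third ShellServiceObjectDelayLoad entry, "System", has Explorer load C:\WINDOWS\system32\system32.dll at every shell start (the same DLL appears resident in the EXPLORER.EXE module list earlier in the thread), and Windows ME keeps its system DLLs in C:\WINDOWS\SYSTEM, not in a system32 directory. The attached clear.reg is not reproduced on the page. The following is an added example, not the thread's attachment and not HijackThis code: it parses that section, flags any entry that is not one of the two shell service objects a stock Windows ME/IE6 install registers (an assumed allowlist), and emits a REGEDIT4 file that deletes the flagged value names, which is assumed to be what clear.reg does. Each SSODL value holds a CLSID whose InprocServer32 key also names the DLL; that CLSID is not on the page, so the example does not remove it, and the file itself still has to be deleted after a reboot, in the order post #11 gives, because Explorer holds it open as long as the entry is in place.

```python
import re

# The "Enumerating ShellServiceObjectDelayLoad items" section from the StartupList log
# posted in this thread (Windows ME, IE6), used as sample input.
SSODL_SECTION = r"""
Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL
System: C:\WINDOWS\system32\system32.dll
"""

# Shell service objects a stock Windows ME / IE6 install registers (assumed allowlist for this example).
KNOWN_GOOD = {
    "webcheck": r"c:\windows\system\webcheck.dll",
    "auhook": r"c:\windows\system\auhook.dll",
}

SSODL_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"


def parse_ssodl(text):
    """Return (value name, resolved DLL path) pairs from the StartupList section."""
    items = []
    for line in text.splitlines():
        m = re.match(r"^(?P<name>[^:]+): (?P<path>[A-Za-z]:\\.+)$", line.strip())
        if m:
            items.append((m.group("name"), m.group("path")))
    return items


def reasons_for(name, path):
    """Why an SSODL entry deserves attention; an empty list means it matches a known-good object."""
    n, p = name.lower(), path.lower()
    if KNOWN_GOOD.get(n) == p:
        return []
    reasons = ["known name with an unexpected path" if n in KNOWN_GOOD
               else "not a default shell service object"]
    if "\\system32\\" in p:
        # Windows 9x/ME keeps system DLLs in \WINDOWS\SYSTEM; a system32 directory is an NT-family thing.
        reasons.append("loaded from a system32 directory, which Windows 9x/ME does not use")
    parts = p.split("\\")
    if parts[-1].rsplit(".", 1)[0] == parts[-2]:
        reasons.append("file name mimics its parent directory")
    return reasons


def triage_ssodl(text):
    """(name, path, reasons) for every entry that is not a known-good shell service object."""
    findings = []
    for name, path in parse_ssodl(text):
        reasons = reasons_for(name, path)
        if reasons:
            findings.append((name, path, reasons))
    return findings


def removal_reg(findings):
    """REGEDIT4 text deleting the flagged value names; "name"=- is regedit's delete-value syntax."""
    lines = ["REGEDIT4", "", f"[{SSODL_KEY}]"]
    lines += [f'"{name}"=-' for name, _path, _reasons in findings]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage_ssodl(SSODL_SECTION)
    for name, path, reasons in found:
        print(f"{name}: {path}\n    " + "; ".join(reasons))
    print(removal_reg(found))
```

Merging the generated file removes only the loader entry; that is what stops Explorer from pulling the DLL in at the next boot, after which the file can be deleted and the IE page keys fixed without being reset again.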

#12 kromekoran (Full Member, 6 posts)

Posted 03 June 2004 - 09:41 AM

Dude, you are my hero. I believe it's worked, and you have my thanks.

Here's my final log:

Logfile of HijackThis v1.97.7
Scan saved at 7:39:56 AM, on 6/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\SHITE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Juno (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8001.1416435185

#13 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 03 June 2004 - 10:39 AM

That's a clean log - well done :D

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button