Turbo123

Desperately need help to remove CWS

7 posts in this topic


 

I have fought against CWS for a month now.

Have tried Ad-Aware, Spybot, CWShredder and so on.

Nothing seems to work; it keeps popping up.

 

I have the "version" of CWS that changes my start page in IE and creates popups.

 

PLEASE HELP!

 

Logfile of HijackThis v1.97.7

Scan saved at 18:36:53, on 2004-06-04

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Norton Internet Security\NISUM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Norton Internet Security\ccPxySvc.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\ICQLite\ICQLite.exe

C:\Program\Creative\Prodikeys\Prodload.exe

C:\Program\D-Tools\daemon.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Internet Explorer\iexplore.exe

G:\Download\Program\säkerhet\hijackthis\HijackThis.exe

C:\WINDOWS\notepad.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/3535/search.php?qq=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {64E7C4C7-8F84-4C25-81DE-6D45583DAB90} - C:\WINDOWS\System32\gipk.dll (file missing)

O2 - BHO: (no name) - {A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E} - C:\WINDOWS\System32\pbnn.dll (file missing)

O2 - BHO: (no name) - {AFA45877-1A06-4E8F-9E8A-FADBF6FF865C} - C:\WINDOWS\System32\mcnjma.dll (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [ProdikeysAutorun] C:\Program\Creative\Prodikeys\Prodload.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\Program\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8077.5704050926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6A802FC7-B4DF-4DB5-8A7C-6AA57F43D94D}: NameServer = 212.181.52.2,212.181.52.3,194.236.29.2

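The log above can be triaged mechanically. The script below is an added example for this thread, not code from HijackThis, Find-All or the helpers; its sample input is copied from the HijackThis log above, and the short list of "known" search domains is an assumption made for the example. It reports the three things a helper reads off such a log: IE search/start pages served out of a DLL through a res:// URL, Browser Helper Objects whose DLL HijackThis cannot find on disk, and a SearchURL pointing at a domain the user did not choose. It also correlates DLL names across entry types: here gipk.dll is both the res:// host and a BHO marked "file missing", which is what ties the hijacked search pages to the hidden DLL.

```python
"""Triage a HijackThis 1.97 log for CoolWebSearch-style indicators.

Added example for this thread; not part of HijackThis or Find-All.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: entries copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/3535/search.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64E7C4C7-8F84-4C25-81DE-6D45583DAB90} - C:\WINDOWS\System32\gipk.dll (file missing)
O2 - BHO: (no name) - {A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E} - C:\WINDOWS\System32\pbnn.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
"""

R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
MISSING_TAGS = ("(file missing)", "(no file)")

# Assumption for this example: search URLs on these domains are taken as the
# user's own choice; anything else set in SearchURL is reported.
KNOWN_SEARCH_DOMAINS = {"microsoft.com", "msn.com", "google.com"}


@dataclass
class Report:
    res_dll_entries: list = field(default_factory=list)   # (registry value, DLL path)
    hidden_bhos: list = field(default_factory=list)       # (CLSID, DLL path or "")
    external_search_urls: list = field(default_factory=list)
    correlated_dlls: set = field(default_factory=set)     # DLL names seen in both lists above


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _known_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in KNOWN_SEARCH_DOMAINS)


def triage(log_text: str) -> Report:
    rep = Report()
    res_dlls, bho_dlls = set(), set()
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            key, value = m.group("key"), m.group("value")
            r = RES_DLL.match(value)
            if r:
                # IE search/start page served from a resource inside a DLL
                rep.res_dll_entries.append((key, r.group("dll")))
                res_dlls.add(_basename(r.group("dll")))
            elif "SearchURL" in key and value.lower().startswith("http"):
                if not _known_domain(urlparse(value).hostname or ""):
                    rep.external_search_urls.append(value)
            continue
        m = O2_LINE.match(line)
        if m:
            path = m.group("path")
            for tag in MISSING_TAGS:
                if path.endswith(tag):
                    # Registered BHO whose DLL HijackThis cannot see on disk:
                    # either already removed, or hidden from the scanner.
                    dll = path[: -len(tag)].strip()
                    rep.hidden_bhos.append((m.group("clsid"), dll))
                    bho_dlls.add(_basename(dll))
                    break
    rep.correlated_dlls = res_dlls & bho_dlls
    return rep


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for key, dll in rep.res_dll_entries:
        print(f"res:// page served from DLL: {dll}  <- {key}")
    for clsid, dll in rep.hidden_bhos:
        print(f"BHO without a visible DLL: {clsid} {dll or '(no file)'}")
    for url in rep.external_search_urls:
        print(f"search URL outside the allow-list: {url}")
    print("DLLs tying the R entries to a BHO:", sorted(rep.correlated_dlls))
```

Run it as-is to see the report for the sample; point `triage()` at a real log file's text to triage that instead. A "(file missing)" BHO is only a lead, not proof of a hidden file, which is why the helper asks for the Find-All log (which lists files that cannot be read) before going further.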

In HijackThis, check and fix these:

 

*O2 - BHO: (no name) - {A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E} - C:\WINDOWS\System32\pbnn.dll (file missing)

*O2 - BHO: (no name) - {AFA45877-1A06-4E8F-9E8A-FADBF6FF865C} - C:\WINDOWS\System32\mcnjma.dll (file missing)

 

Download "Find-All.exe" from any of the links in my signature.

Install it, run the included 'FIND-ALL.CMD' file, and post the log here!


I have deleted the two keys you named.

 

Here is my Find-All log:

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--

 

 

Fri Jun 04 19:04:53 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (947E:0B39) - FS:NTFS clusters:4k

Total: 31 453 437 952 [29G] - Free: 20 599 267 328 [19G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program\Internet Explorer\Iexplore.exe

--a-- W32i APP SVE 6.0.2800.1106 shp 91,136 09-09-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program\Windows Media Player\wmplayer.exe

--a-- W32i APP SVE 9.0.0.2980 shp 73,728 12-20-2002 wmplayer.exe

6.4.9.1125 C:\Program\Windows Media Player\mplayer2.exe

--a-- W32i APP SVE 6.4.9.1125 shp 4,639 09-09-2002 mplayer2.exe

 

»»M$Java version:

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP SVE 5.1.2600.0 shp 66,560 06-01-2004 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP SVE 5.1.2600.0 shp 66,560 06-01-2004 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP SVE 5.1.2600.1106 shp 136,192 09-09-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 09-28-2001 regedt32.exe

 

 

»»PC uptime:

7:04pm up 0 days, 0:44

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\LOGILOI.DLL +++ File read error

\\?\C:\WINDOWS\System32\LOGILOI.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

664 smss.exe

720 csrss.exe Title:

744 winlogon.exe Title: NetDDE Agent

804 services.exe Svcs: Eventlog,PlugPlay

816 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

1012 svchost.exe Svcs: RpcSs

1072 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,seclogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,wuau

1176 svchost.exe Svcs: Dnscache

1240 svchost.exe Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient

1424 spoolsv.exe Svcs: Spooler

1740 explorer.exe Title: Program Manager

1912 CCEVTMGR.EXE Svcs: ccEvtMgr

1960 NAVAPSVC.EXE Svcs: navapsvc

204 NISUM.EXE Svcs: NISUM

376 nvsvc32.exe Svcs: NVSvc

572 CCPXYSVC.EXE Svcs: ccPxySvc

1520 ccApp.exe Title: Norton AntiVirus

1636 ICQLite.exe Title: 14755035

1660 ProdLoad.exe Title: Hot Keys Configuration

1668 daemon.exe Title: Virtual DAEMON Manager V3.33

1704 qttask.exe Title: QTPlayer Tray Icon

1560 ctfmon.exe Title:

2176 msmsgs.exe Title:

2392 iexplore.exe Title: SWI Forums -> Desperatly need help to remove CWS - Microsoft Internet Explorer

4008 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

4088 ntvdm.exe

1156 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64E7C4C7-8F84-4C25-81DE-6D45583DAB90}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFA45877-1A06-4E8F-9E8A-FADBF6FF865C}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Användare

(IO) ALLOW Read BUILTIN\Användare

(NI) ALLOW Read BUILTIN\Privilegierade användare

(IO) ALLOW Read BUILTIN\Privilegierade användare

(NI) ALLOW Full access BUILTIN\Administratörer

(IO) ALLOW Full access BUILTIN\Administratörer

(NI) ALLOW Full access NT INSTANS\SYSTEM

(IO) ALLOW Full access NT INSTANS\SYSTEM

(NI) ALLOW Full access BUILTIN\Administratörer

(IO) ALLOW Full access SKAPARE ÄGARE

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Användare

Read BUILTIN\Privilegierade användare

Full access BUILTIN\Administratörer

Full access NT INSTANS\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Group/user settings:

 

 

User: [MAXTOR\Johan], is a member of:

 

BUILTIN\Administratörer

\Everyone

 

User is a member of group MAXTOR\Ingen.

User is a member of group \Alla.

User is a member of group BUILTIN\Administratörer.

User is a member of group BUILTIN\Användare.

User is a member of group \LOKAL.

User is a member of group NT INSTANS\INTERAKTIV.

User is a member of group NT INSTANS\Autentiserade användare.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administratörer:(OI)(CI)F

NT INSTANS\SYSTEM:(OI)(CI)F

MAXTOR\Johan:F

SKAPARE ÄGARE:(OI)(CI)(IO)F

BUILTIN\Användare:(OI)(CI)R

BUILTIN\Användare:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Användare:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file Size: (Default/plain: ~732-4 bytes)

--a-- - - - - - 710 09-28-2001 oldhosts.txt

------

»»Rehash:

 

Fri Jun 04 19:05:03 2004 -- ++Find-All backups:

c:\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-04-2004 winbackup.hiv

c:\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-04-2004 windows.txt

--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv

--a-- - - - - - 632 06-04-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

 

 

----------------------------

---------------------------

 

And here is my HijackThis log, after I deleted the two registry keys.

 

Logfile of HijackThis v1.97.7

Scan saved at 19:07:21, on 2004-06-04

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Norton Internet Security\NISUM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Norton Internet Security\ccPxySvc.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\ICQLite\ICQLite.exe

C:\Program\Creative\Prodikeys\Prodload.exe

C:\Program\D-Tools\daemon.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Internet Explorer\iexplore.exe

C:\WINDOWS\notepad.exe

C:\WINDOWS\regedit.exe

G:\Download\Program\säkerhet\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/3535/search.php?qq=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {64E7C4C7-8F84-4C25-81DE-6D45583DAB90} - C:\WINDOWS\System32\gipk.dll (file missing)

O2 - BHO: (no name) - {A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E} - (no file)

O2 - BHO: (no name) - {AFA45877-1A06-4E8F-9E8A-FADBF6FF865C} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [ProdikeysAutorun] C:\Program\Creative\Prodikeys\Prodload.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\Program\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8077.5704050926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6A802FC7-B4DF-4DB5-8A7C-6AA57F43D94D}: NameServer = 212.181.52.2,212.181.52.3,194.236.29.2


You seem to have the 'classic' pest there!

-FIRST--
And before doing anything else, go to System Restore, make sure it's active and create a manual restore point as a safety procedure.

Next, follow these steps carefully:

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/Run and type:
regedit
The registry should open with the Windows subfolder highlighted.
(*Compare and be sure the path on the status bar is the same as indicated above!)

--Right-click on the Windows subfolder and rename Windows to Windows1.

--Locate the "AppInit_DLLs" value in the right pane, right-click it and select 'Delete'.

--Select Windows1 in the left pane again and rename it back to its original name, Windows.

--Use regedit's top menu View -> Refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

--Close regedit, *restart computer!

--Navigate to the System32 folder, search for the System32\LOGILOI.DLL file, highlight it and use the folder's top menu option "Edit -> Move to folder...". Browse to and select the C:\junkxxx folder (it was created during the first 'Find-All' run) and 'OK' it.

---Re-run 'Find-All.cmd' and post the new log!


Did what you told me!

 

Here's my log again:

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--

 

 

Fri Jun 04 19:53:51 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (947E:0B39) - FS:NTFS clusters:4k

Total: 31 453 437 952 [29G] - Free: 20 604 035 072 [19G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program\Internet Explorer\Iexplore.exe

--a-- W32i APP SVE 6.0.2800.1106 shp 91,136 09-09-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program\Windows Media Player\wmplayer.exe

--a-- W32i APP SVE 9.0.0.2980 shp 73,728 12-20-2002 wmplayer.exe

6.4.9.1125 C:\Program\Windows Media Player\mplayer2.exe

--a-- W32i APP SVE 6.4.9.1125 shp 4,639 09-09-2002 mplayer2.exe

 

»»M$Java version:

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP SVE 5.1.2600.0 shp 66,560 06-01-2004 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP SVE 5.1.2600.0 shp 66,560 06-01-2004 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP SVE 5.1.2600.1106 shp 136,192 09-09-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 09-28-2001 regedt32.exe

 

 

»»PC uptime:

7:53pm up 0 days, 0:02

 

»»Locked or 'Suspect' file(s) found...

* result\\?\C:\junkxxx\LOGILOI.DLL

 

 

»»Tasks (services):

0 System Process

4 System

664 smss.exe

720 csrss.exe Title:

744 winlogon.exe Title: NetDDE Agent

788 services.exe Svcs: Eventlog,PlugPlay

800 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

960 svchost.exe Svcs: RpcSs

1008 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,seclogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,wuau

1112 svchost.exe Svcs: Dnscache

1164 svchost.exe Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient

1316 spoolsv.exe Svcs: Spooler

1592 explorer.exe Title: Program Manager

1724 ccApp.exe Title: Norton AntiVirus

1768 ICQLite.exe Title: FBServiceTimer

1792 ProdLoad.exe Title: Hot Keys Configuration

1828 daemon.exe Title: Virtual DAEMON Manager V3.33

1836 qttask.exe Title: QTPlayer Tray Icon

1844 ctfmon.exe Title:

1976 CCEVTMGR.EXE Svcs: ccEvtMgr

2016 NAVAPSVC.EXE Svcs: navapsvc

128 NISUM.EXE Svcs: NISUM

412 nvsvc32.exe Svcs: NVSvc

636 CCPXYSVC.EXE Svcs: ccPxySvc

1080 msmsgs.exe Title:

1352 iexplore.exe Title: SWI Forums -> Malware Removal - Microsoft Internet Explorer

2600 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2632 ntvdm.exe

2784 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64E7C4C7-8F84-4C25-81DE-6D45583DAB90}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFA45877-1A06-4E8F-9E8A-FADBF6FF865C}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Användare

(ID-IO) ALLOW Read BUILTIN\Användare

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Privilegierade användare

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Privilegierade användare

(ID-NI) ALLOW Full access BUILTIN\Administratörer

(ID-IO) ALLOW Full access BUILTIN\Administratörer

(ID-NI) ALLOW Full access NT INSTANS\SYSTEM

(ID-IO) ALLOW Full access NT INSTANS\SYSTEM

(ID-NI) ALLOW Full access MAXTOR\Johan

(ID-IO) ALLOW Full access SKAPARE ÄGARE

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Användare

QWCEN-DS-- BUILTIN\Privilegierade användare

Full access BUILTIN\Administratörer

Full access NT INSTANS\SYSTEM

Full access MAXTOR\Johan

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

 

»»Group/user settings:

 

 

User: [MAXTOR\Johan], is a member of:

 

BUILTIN\Administratörer

\Everyone

 

User is a member of group MAXTOR\Ingen.

User is a member of group \Alla.

User is a member of group BUILTIN\Administratörer.

User is a member of group BUILTIN\Användare.

User is a member of group \LOKAL.

User is a member of group NT INSTANS\INTERAKTIV.

User is a member of group NT INSTANS\Autentiserade användare.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administratörer:(OI)(CI)F

NT INSTANS\SYSTEM:(OI)(CI)F

MAXTOR\Johan:F

SKAPARE ÄGARE:(OI)(CI)(IO)F

BUILTIN\Användare:(OI)(CI)R

BUILTIN\Användare:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Användare:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

C:\junkxxx\logiloi.dll BUILTIN\Administratörer:F

NT INSTANS\SYSTEM:F

MAXTOR\Johan:F

BUILTIN\Användare:R

 

 

»»File(s) in 'junkxxx' folder:

-ra-- W32i - - - - 57,344 05-21-2004 logiloi.dll

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

c185b36f9969d3a6d2122ba7cbc02249 logiloi.dll

 

57344 bytes, 1 ms = 54.69 MB/sec

 

»»hosts file Size: (Default/plain: ~732-4 bytes)

--a-- - - - - - 710 09-28-2001 oldhosts.txt

------

»»Rehash:

File: <C:\junkxxx\logiloi.dll>

 

CRC-32 : D5C9FB2E

 

GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488

 

E89EDB26 3B623462

 

HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595

 

AAEF452A 3CD2FAB3

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436

 

199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135

 

C8BECB6F 2DB242DA 5945C134 A7E3D9B9

 

 

 

 

Fri Jun 04 19:53:57 2004 -- ++Find-All backups:

c:\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-04-2004 winbackup.hiv

c:\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-04-2004 windows.txt

--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv

--a-- - - - - - 632 06-04-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

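The two Find-All logs above can be compared mechanically rather than by eye. What follows is an added example for this thread, not code from Find-All, HijackThis or the helpers. Its sample input is copied from the relevant lines of the two logs (before and after the manual AppInit_DLLs removal), and the size thresholds are the ones Find-All prints in its own legend, "(Default-450;No'AppInit'-398;*Fake-~448!)"; everything else in the code is the example's own assumption. It reads the exported Windows key, the key-size line, the locked-file list and the AppInit_DLLs reference search, and returns a verdict. On the first log it reports a hijack: a 448-byte key whose exported AppInit_DLLs looks empty, a direct AppInit_DLLs reference under the Windows key, and a DLL in System32 that could not be read. On the second it reports clean: a 398-byte key with no AppInit_DLLs value and the DLL sitting in C:\junkxxx.

```python
# Interpret the AppInit_DLLs-related sections of a Find-All log.
# Added example for this thread; not part of Find-All or HijackThis.  The size
# thresholds are the ones Find-All prints in its own legend:
# "(Default-450;No'AppInit'-398;*Fake-~448!)".
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed samples: the relevant lines copied from the two Find-All logs in
# this thread, before and after the manual AppInit_DLLs removal.
BEFORE = r"""
\\?\C:\WINDOWS\System32\LOGILOI.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGILOI.DLL +++ File read error
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs
"""
AFTER = r"""
* result\\?\C:\junkxxx\LOGILOI.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
"""

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')          # REGEDIT4 value
SIZE_LINE = re.compile(r"^Size of (?P<key>.+?): (?P<size>\d+)$")
LOCKED_LINE = re.compile(r"^\\\\\?\\(?P<path>.+?) \+\+\+ File read error$")
RESULT_LINE = re.compile(r"^\* result\\\\\?\\(?P<path>.+)$")           # file now in junkxxx
APPINIT_REF = re.compile(r"^(?P<key>HKEY_.+?) : AppInit_DLLs$")        # reg search hit


def classify_size(size):
    """Map the 'Windows' key size to Find-All's legend."""
    if size == 450:
        return "default"        # key with an empty AppInit_DLLs value
    if size == 398:
        return "no_appinit"     # no AppInit_DLLs value at all
    if 445 <= size <= 449:
        return "fake_appinit"   # Find-All's "~448": a faked AppInit_DLLs entry
    return "unknown"


def analyze(log_text):
    rep = {"windows_key_values": {}, "key_size": None, "size_verdict": "unknown",
           "locked_files": [], "quarantined_files": [], "direct_appinit_ref": False}
    in_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):          # REGEDIT4 key header
            in_key = line[1:-1].lower() == WINDOWS_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        if m and in_key:
            rep["windows_key_values"][m.group("name")] = m.group("data")
            continue
        in_key = False                                           # anything else ends the export
        if (m := SIZE_LINE.match(line)) and m.group("key").lower() == WINDOWS_KEY.lower():
            rep["key_size"] = int(m.group("size"))
            rep["size_verdict"] = classify_size(rep["key_size"])
        elif (m := LOCKED_LINE.match(line)) and m.group("path") not in rep["locked_files"]:
            rep["locked_files"].append(m.group("path"))
        elif m := RESULT_LINE.match(line):
            rep["quarantined_files"].append(m.group("path"))
        elif (m := APPINIT_REF.match(line)) and m.group("key").rstrip("\\").lower() == WINDOWS_KEY.lower():
            rep["direct_appinit_ref"] = True                     # value still under the Windows key
    return rep


def verdict(rep):
    """Return (status, reason); status is 'hijacked', 'clean' or 'undetermined'."""
    exported = rep["windows_key_values"].get("AppInit_DLLs")
    size = rep["size_verdict"]
    if exported not in (None, '""'):
        return "hijacked", f"AppInit_DLLs loads {exported} into every process"
    if size == "fake_appinit":
        return "hijacked", (f"key size {rep['key_size']} matches Find-All's fake-AppInit_DLLs "
                            f"signature; the exported value {exported!r} cannot be trusted")
    if size == "no_appinit" and exported is None and not rep["direct_appinit_ref"]:
        return "clean", "no AppInit_DLLs value under the Windows key (size 398)"
    if size == "default" and exported == '""':
        return "clean", "empty AppInit_DLLs, default key size 450"
    return "undetermined", "key size and exported values disagree; inspect by hand"


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        rep = analyze(text)
        status, why = verdict(rep)
        print(f"{label}: {status.upper()} - {why}; locked={rep['locked_files']} "
              f"quarantined={rep['quarantined_files']}")
```

The point of combining the signals is that no single one is conclusive: the exported value reads as empty in both logs, so only the key size and the direct reference under the Windows key show that something was there, and the locked-file line shows why the usual scanners could not remove it while the DLL was loaded into every process.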

Nice! :D

We can wrap up the hijacker following these steps:

--Open the 'Find-All'\Tools subfolder.
Double-click once on the "ZIPZAP.bat" file!

It will quickly/silently do this:
*Restore your key & security back to defaults
*Reset permissions on the moved junkxxx\*.dll file
*Create a zipped copy in the same folder: "junkxxx.zip"
*Open your email client with the given addresses for submission!

--Drag the 'junkxxx.zip' and submit it as an attachment to the specified addresses, thanks!

When done, delete the "junkxxx.zip" as well as the "junkxxx" folder in C:\ and the 'Find-All' folder(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker downloaded!
Run these tools (whether used before or not!), as they should work properly now. Have them fix all problems:

*Ad-Aware 6 Build 181:
http://www.lavasoftusa.com/software/adaware/

*Latest reference file: 01R313 02.06.2004
http://www.lavasoftsupport.com/index.php?showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181
http://www.lavahelp.com/howto/fullscan/index.html

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Feel free to post a follow-up HijackThis log when done!
Good luck
