
Desperately need help to remove CWS


6 replies to this topic

#1 Turbo123 (Full Member, 12 posts)

Posted 04 June 2004 - 11:40 AM

:wtf:

I have fought against CWS for a month now.
I have tried Ad-Aware, Spybot, CWShredder and so on.
Nothing seems to work; it keeps popping up.

I have the "version" of CWS that changes my start page in IE and creates popups.

PLEASE HELP!

Logfile of HijackThis v1.97.7
Scan saved at 18:36:53, on 2004-06-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Norton Internet Security\ccPxySvc.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Creative\Prodikeys\Prodload.exe
C:\Program\D-Tools\daemon.exe
C:\Program\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Internet Explorer\iexplore.exe
G:\Download\Program\säkerhet\hijackthis\HijackThis.exe
C:\WINDOWS\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc.../search.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {64E7C4C7-8F84-4C25-81DE-6D45583DAB90} - C:\WINDOWS\System32\gipk.dll (file missing)
O2 - BHO: (no name) - {A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E} - C:\WINDOWS\System32\pbnn.dll (file missing)
O2 - BHO: (no name) - {AFA45877-1A06-4E8F-9E8A-FADBF6FF865C} - C:\WINDOWS\System32\mcnjma.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ProdikeysAutorun] C:\Program\Creative\Prodikeys\Prodload.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\Program\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8077.5704050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A802FC7-B4DF-4DB5-8A7C-6AA57F43D94D}: NameServer = 212.181.52.2,212.181.52.3,194.236.29.2

Edited by Turbo123, 04 June 2004 - 11:41 AM.


#2 freeatlast (Retired Staff, 833 posts)

Posted 04 June 2004 - 11:54 AM

In HijackThis, check these two entries and click "Fix checked":

*O2 - BHO: (no name) - {A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E} - C:\WINDOWS\System32\pbnn.dll (file missing)
*O2 - BHO: (no name) - {AFA45877-1A06-4E8F-9E8A-FADBF6FF865C} - C:\WINDOWS\System32\mcnjma.dll (file missing)

Download: "Find-All.exe" from any of the links in my signature.
Install, Run the included 'FIND-ALL.CMD' file, post the log here!
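The entries freeatlast picked out of the log in post #1 (the IE search settings pointed at a res:// resource inside a local DLL, and the BHO registrations whose DLL is gone) can be pulled out mechanically. The script below is an added example, not part of the original thread and not part of HijackThis; it runs over a constructed excerpt of the log above (`SAMPLE_LOG`), and the names `triage`, `Finding` and `hijack_dlls` are mine.

```python
"""Triage a HijackThis 1.97-style log for the IE search-page hijack pattern.

Added example (not from the thread). It flags:
  * R0/R1 lines whose value is a res:// URL, i.e. an IE search setting pointed
    at a resource inside a local DLL instead of at a web page;
  * O2 BHO lines marked "(file missing)" or "(no file)", i.e. CLSIDs that are
    still registered but whose DLL is gone (safe to fix, but a symptom rather
    than the cause);
  * O17 per-interface NameServer lines, listed for review rather than flagged.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the first log in the thread (not a real capture).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64E7C4C7-8F84-4C25-81DE-6D45583DAB90} - C:\WINDOWS\System32\gipk.dll (file missing)
O2 - BHO: (no name) - {A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A802FC7-B4DF-4DB5-8A7C-6AA57F43D94D}: NameServer = 212.181.52.2,212.181.52.3
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    kind: str     # "search_hijack", "orphan_bho" or "dns_info"
    detail: str   # what a helper would act on: the DLL, the CLSID, the servers
    line: str     # the original log line, for quoting back in a reply


def triage(log: str) -> list:
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            value = m.group("value")
            if value.lower().startswith("res://"):
                # res://<dll>/<resource>: the DLL path is everything before the first '/'
                dll = value[len("res://"):].split("/")[0]
                findings.append(Finding("search_hijack", f"{m.group('key')} -> {dll}", line))
            continue
        m = O2_LINE.match(line)
        if m:
            path = m.group("path")
            if path.endswith("(file missing)") or path == "(no file)":
                findings.append(Finding("orphan_bho", m.group("clsid"), line))
            continue
        m = O17_LINE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            findings.append(Finding("dns_info", ",".join(servers), line))
    return findings


def hijack_dlls(findings) -> list:
    """Distinct DLL paths named by res:// search entries: the files to quarantine."""
    return sorted({f.detail.split(" -> ", 1)[1] for f in findings if f.kind == "search_hijack"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:14} {f.detail}")
    print("DLLs to quarantine:", hijack_dlls(triage(SAMPLE_LOG)))
```

Run against the full log in post #1 it lists six res:// search entries, all naming gipk.dll, and three orphaned BHOs; the DNS servers under O17 are the user's ISP resolvers and are printed only so a helper can glance at them.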

#3 Turbo123 (Full Member, 12 posts)

Posted 04 June 2004 - 12:09 PM

I have deleted the two keys you named.

Here is my find-all log:

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--


Fri Jun 04 19:04:53 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (947E:0B39) - FS:NTFS clusters:4k
Total: 31 453 437 952 [29G] - Free: 20 599 267 328 [19G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program\Internet Explorer\Iexplore.exe
--a-- W32i APP SVE 6.0.2800.1106 shp 91,136 09-09-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program\Windows Media Player\wmplayer.exe
--a-- W32i APP SVE 9.0.0.2980 shp 73,728 12-20-2002 wmplayer.exe
6.4.9.1125 C:\Program\Windows Media Player\mplayer2.exe
--a-- W32i APP SVE 6.4.9.1125 shp 4,639 09-09-2002 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP SVE 5.1.2600.0 shp 66,560 06-01-2004 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP SVE 5.1.2600.0 shp 66,560 06-01-2004 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP SVE 5.1.2600.1106 shp 136,192 09-09-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 09-28-2001 regedt32.exe


»»PC uptime:
7:04pm up 0 days, 0:44

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\LOGILOI.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGILOI.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
664 smss.exe
720 csrss.exe Title:
744 winlogon.exe Title: NetDDE Agent
804 services.exe Svcs: Eventlog,PlugPlay
816 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
1012 svchost.exe Svcs: RpcSs
1072 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,sec
ogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time
winmgmt,wuau
1176 svchost.exe Svcs: Dnscache
1240 svchost.exe Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient
1424 spoolsv.exe Svcs: Spooler
1740 explorer.exe Title: Program Manager
1912 CCEVTMGR.EXE Svcs: ccEvtMgr
1960 NAVAPSVC.EXE Svcs: navapsvc
204 NISUM.EXE Svcs: NISUM
376 nvsvc32.exe Svcs: NVSvc
572 CCPXYSVC.EXE Svcs: ccPxySvc
1520 ccApp.exe Title: Norton AntiVirus
1636 ICQLite.exe Title: 14755035
1660 ProdLoad.exe Title: Hot Keys Configuration
1668 daemon.exe Title: Virtual DAEMON Manager V3.33
1704 qttask.exe Title: QTPlayer Tray Icon
1560 ctfmon.exe Title:
2176 msmsgs.exe Title:
2392 iexplore.exe Title: SWI Forums -> Desperatly need help to remove CWS - Microsoft Internet Explorer
4008 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
4088 ntvdm.exe
1156 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64E7C4C7-8F84-4C25-81DE-6D45583DAB90}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFA45877-1A06-4E8F-9E8A-FADBF6FF865C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Användare
(IO) ALLOW Read BUILTIN\Användare
(NI) ALLOW Read BUILTIN\Privilegierade användare
(IO) ALLOW Read BUILTIN\Privilegierade användare
(NI) ALLOW Full access BUILTIN\Administratörer
(IO) ALLOW Full access BUILTIN\Administratörer
(NI) ALLOW Full access NT INSTANS\SYSTEM
(IO) ALLOW Full access NT INSTANS\SYSTEM
(NI) ALLOW Full access BUILTIN\Administratörer
(IO) ALLOW Full access SKAPARE ÄGARE

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Användare
Read BUILTIN\Privilegierade användare
Full access BUILTIN\Administratörer
Full access NT INSTANS\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:


User: [MAXTOR\Johan], is a member of:

BUILTIN\Administratörer
\Everyone

User is a member of group MAXTOR\Ingen.
User is a member of group \Alla.
User is a member of group BUILTIN\Administratörer.
User is a member of group BUILTIN\Användare.
User is a member of group \LOKAL.
User is a member of group NT INSTANS\INTERAKTIV.
User is a member of group NT INSTANS\Autentiserade användare.

»»ACLs list:
C:\junkxxx BUILTIN\Administratörer:(OI)(CI)F
NT INSTANS\SYSTEM:(OI)(CI)F
MAXTOR\Johan:F
SKAPARE ÄGARE:(OI)(CI)(IO)F
BUILTIN\Användare:(OI)(CI)R
BUILTIN\Användare:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Användare:(CI)(special access:)

FILE_WRITE_DATA


ERROR: Det finns inga fler filer. [Swedish: "There are no more files."]


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file Size: (Default/plain: ~732-4 bytes)
--a-- - - - - - 710 09-28-2001 oldhosts.txt
------
»»Rehash:

Fri Jun 04 19:05:03 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-04-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-04-2004 windows.txt
--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv
--a-- - - - - - 632 06-04-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows




----------------------------

And here is my HijackThis log after I deleted the two registry keys:

Logfile of HijackThis v1.97.7
Scan saved at 19:07:21, on 2004-06-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Norton Internet Security\ccPxySvc.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Creative\Prodikeys\Prodload.exe
C:\Program\D-Tools\daemon.exe
C:\Program\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\regedit.exe
G:\Download\Program\säkerhet\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gipk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc.../search.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {64E7C4C7-8F84-4C25-81DE-6D45583DAB90} - C:\WINDOWS\System32\gipk.dll (file missing)
O2 - BHO: (no name) - {A376B9F0-7A11-4A53-BC8F-04E48DE3AF4E} - (no file)
O2 - BHO: (no name) - {AFA45877-1A06-4E8F-9E8A-FADBF6FF865C} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ProdikeysAutorun] C:\Program\Creative\Prodikeys\Prodload.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\Program\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8077.5704050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A802FC7-B4DF-4DB5-8A7C-6AA57F43D94D}: NameServer = 212.181.52.2,212.181.52.3,194.236.29.2

#4 freeatlast (Retired Staff, 833 posts)

Posted 04 June 2004 - 12:24 PM

You seem to have the 'classic' pest there!

--FIRST--
Before doing anything else, go to System
Restore, make sure it's active and create a manual restore
point as a safety precaution.

Next, follow these steps carefully:

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/Run and type:
regedit
The registry should open with the Windows subfolder
highlighted.
(*Compare and be sure the path on the status
bar is the same as indicated above!)

--Right-click on the Windows subfolder
and rename Windows to Windows1.

--Locate the "AppInit_DLLs" value in the right
pane, right-click it and select 'Delete'.

--Select Windows1 in the left pane
again and rename it back to its
original name, Windows.

--Use regedit's top menu View->Refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

--Close regedit, *restart the computer!

--Navigate to the System32 folder, search
for the System32\LOGILOI.DLL file, highlight it
and use the folder's top menu
option "Edit-> Move to folder...".
Browse to and select the C:\junkxxx folder
(it was created during the first 'Find-All' run)
and OK it.

--Re-run 'Find-All.cmd' and post the new log!
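The AppInit_DLLs value and the DLL it names are the actual persistence in this thread: every DLL listed there is loaded by user32.dll into each process that links it, so the search pages come back no matter how often they are reset. The script below is an added example, not part of the thread and not part of Find-All. It enumerates the values of the key named in the post above, flags a non-empty AppInit_DLLs and any value whose name only looks like AppInit_DLLs, and moves a suspect DLL into a quarantine folder while recording its MD5 and SHA-512 (the same hashes Find-All prints later). The registry read uses Python's standard winreg module and so runs only on Windows; the check and the quarantine step are plain file operations and run anywhere. The function names (`audit_windows_key`, `read_windows_key_values`, `quarantine`, `demo`) and the fake DLL bytes in `demo` are mine, and the remark about hidden value names is my reading of why the rename-the-key workaround is used; the thread itself does not say. As the post says, reboot after clearing the value and before moving the file, so the DLL is no longer mapped into running processes.

```python
"""Audit AppInit_DLLs and quarantine a suspect DLL with a hash record.

Added example, not from the thread. Only the registry read is Windows-specific.
"""
import hashlib
import os
import shutil
import stat
import sys
import tempfile

# Key path as given in the Find-All log and in the instructions above.
WINDOWS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT = "AppInit_DLLs"


def audit_windows_key(values):
    """values: (name, data) pairs enumerated from the Windows key.

    Returns (value_name_repr, problem) tuples. Two things are flagged:
      * AppInit_DLLs data that is not empty: each listed DLL (space- or
        comma-separated) is loaded into every process that links user32.dll;
      * a value whose displayed name is AppInit_DLLs but whose real name is
        not the plain ASCII string, e.g. it carries an embedded NUL or
        trailing whitespace. regedit cannot show or delete such a name
        reliably (assumption: this is why the thread renames the key first).
    """
    problems = []
    for name, data in values:
        shown = name.split("\x00")[0].strip()      # what regedit would display
        if shown.lower() != APPINIT.lower():
            continue
        if name != APPINIT:
            problems.append((repr(name), "value name is not the plain ASCII AppInit_DLLs"))
        for dll in str(data).replace(",", " ").split():
            problems.append((repr(name), f"loads {dll}"))
    return problems


def read_windows_key_values():
    """Enumerate every value under HKLM\\...\\Windows (Windows only)."""
    import winreg  # standard library, present only on Windows
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:      # raised when there are no more values
                break
            values.append((name, data))
            index += 1
    return values


def quarantine(src, junk_dir):
    """Move src into junk_dir and return (new_path, md5_hex, sha512_hex).

    Clears the read-only bit first (the log shows logiloi.dll as -ra--).
    Run this after the reboot that follows clearing AppInit_DLLs, so the
    DLL is not mapped into running processes any more.
    """
    os.makedirs(junk_dir, exist_ok=True)
    dst = os.path.join(junk_dir, os.path.basename(src))
    os.chmod(src, stat.S_IREAD | stat.S_IWRITE)
    shutil.move(src, dst)
    md5, sha512 = hashlib.md5(), hashlib.sha512()
    with open(dst, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha512.update(chunk)
    return dst, md5.hexdigest(), sha512.hexdigest()


def demo(base_dir=None):
    """Quarantine a constructed stand-in file and report what can be checked."""
    base = base_dir or tempfile.mkdtemp(prefix="appinit-demo-")
    payload = b"MZ" + b"\x90" * 100          # constructed bytes, not a real PE
    src = os.path.join(base, "logiloi.dll")
    with open(src, "wb") as fh:
        fh.write(payload)
    os.chmod(src, stat.S_IREAD)               # mimic the read-only attribute
    dst, md5, sha512 = quarantine(src, os.path.join(base, "junkxxx"))
    return {
        "source_gone": not os.path.exists(src),
        "quarantined": os.path.exists(dst),
        "md5_ok": md5 == hashlib.md5(payload).hexdigest(),
        "sha512_ok": sha512 == hashlib.sha512(payload).hexdigest(),
    }


if __name__ == "__main__":
    if sys.platform == "win32":
        for shown, problem in audit_windows_key(read_windows_key_values()):
            print(shown, problem)
    print(demo())
```

Reading the values with `winreg.EnumValue` rather than `QueryValueEx("AppInit_DLLs")` is deliberate: a lookup by name only finds the plain ASCII name, while enumeration returns every value in the key, including one that merely displays as AppInit_DLLs.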

#5 Turbo123 (Full Member, 12 posts)

Posted 04 June 2004 - 12:54 PM

Did what you told me!

Here's my log again:

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--


Fri Jun 04 19:53:51 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (947E:0B39) - FS:NTFS clusters:4k
Total: 31 453 437 952 [29G] - Free: 20 604 035 072 [19G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program\Internet Explorer\Iexplore.exe
--a-- W32i APP SVE 6.0.2800.1106 shp 91,136 09-09-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program\Windows Media Player\wmplayer.exe
--a-- W32i APP SVE 9.0.0.2980 shp 73,728 12-20-2002 wmplayer.exe
6.4.9.1125 C:\Program\Windows Media Player\mplayer2.exe
--a-- W32i APP SVE 6.4.9.1125 shp 4,639 09-09-2002 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP SVE 5.1.2600.0 shp 66,560 06-01-2004 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP SVE 5.1.2600.0 shp 66,560 06-01-2004 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP SVE 5.1.2600.1106 shp 136,192 09-09-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 09-28-2001 regedt32.exe


»»PC uptime:
7:53pm up 0 days, 0:02

»»Locked or 'Suspect' file(s) found...
* result\\?\C:\junkxxx\LOGILOI.DLL


»»Tasks (services):
0 System Process
4 System
664 smss.exe
720 csrss.exe Title:
744 winlogon.exe Title: NetDDE Agent
788 services.exe Svcs: Eventlog,PlugPlay
800 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
960 svchost.exe Svcs: RpcSs
1008 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,sec
ogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time
winmgmt,wuau
1112 svchost.exe Svcs: Dnscache
1164 svchost.exe Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient
1316 spoolsv.exe Svcs: Spooler
1592 explorer.exe Title: Program Manager
1724 ccApp.exe Title: Norton AntiVirus
1768 ICQLite.exe Title: FBServiceTimer
1792 ProdLoad.exe Title: Hot Keys Configuration
1828 daemon.exe Title: Virtual DAEMON Manager V3.33
1836 qttask.exe Title: QTPlayer Tray Icon
1844 ctfmon.exe Title:
1976 CCEVTMGR.EXE Svcs: ccEvtMgr
2016 NAVAPSVC.EXE Svcs: navapsvc
128 NISUM.EXE Svcs: NISUM
412 nvsvc32.exe Svcs: NVSvc
636 CCPXYSVC.EXE Svcs: ccPxySvc
1080 msmsgs.exe Title:
1352 iexplore.exe Title: SWI Forums -> Malware Removal - Microsoft Internet Explorer
2600 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2632 ntvdm.exe
2784 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64E7C4C7-8F84-4C25-81DE-6D45583DAB90}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFA45877-1A06-4E8F-9E8A-FADBF6FF865C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Användare
(ID-IO) ALLOW Read BUILTIN\Användare
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Privilegierade användare
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Privilegierade användare
(ID-NI) ALLOW Full access BUILTIN\Administratörer
(ID-IO) ALLOW Full access BUILTIN\Administratörer
(ID-NI) ALLOW Full access NT INSTANS\SYSTEM
(ID-IO) ALLOW Full access NT INSTANS\SYSTEM
(ID-NI) ALLOW Full access MAXTOR\Johan
(ID-IO) ALLOW Full access SKAPARE ÄGARE

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Användare
QWCEN-DS-- BUILTIN\Privilegierade användare
Full access BUILTIN\Administratörer
Full access NT INSTANS\SYSTEM
Full access MAXTOR\Johan




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Group/user settings:


User: [MAXTOR\Johan], is a member of:

BUILTIN\Administratörer
\Everyone

User is a member of group MAXTOR\Ingen.
User is a member of group \Alla.
User is a member of group BUILTIN\Administratörer.
User is a member of group BUILTIN\Användare.
User is a member of group \LOKAL.
User is a member of group NT INSTANS\INTERAKTIV.
User is a member of group NT INSTANS\Autentiserade användare.

»»ACLs list:
C:\junkxxx BUILTIN\Administratörer:(OI)(CI)F
NT INSTANS\SYSTEM:(OI)(CI)F
MAXTOR\Johan:F
SKAPARE ÄGARE:(OI)(CI)(IO)F
BUILTIN\Användare:(OI)(CI)R
BUILTIN\Användare:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Användare:(CI)(special access:)

FILE_WRITE_DATA


C:\junkxxx\logiloi.dll BUILTIN\Administratörer:F
NT INSTANS\SYSTEM:F
MAXTOR\Johan:F
BUILTIN\Användare:R


»»File(s) in 'junkxxx' folder:
-ra-- W32i - - - - 57,344 05-21-2004 logiloi.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

c185b36f9969d3a6d2122ba7cbc02249 logiloi.dll

57344 bytes, 1 ms = 54.69 MB/sec

»»hosts file Size: (Default/plain: ~732-4 bytes)
--a-- - - - - - 710 09-28-2001 oldhosts.txt
------
»»Rehash:
File: <C:\junkxxx\logiloi.dll>

CRC-32 : D5C9FB2E

GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488

E89EDB26 3B623462

HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595

AAEF452A 3CD2FAB3

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436

199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135

C8BECB6F 2DB242DA 5945C134 A7E3D9B9




Fri Jun 04 19:53:57 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-04-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-04-2004 windows.txt
--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv
--a-- - - - - - 632 06-04-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#6 freeatlast (Retired Staff, 833 posts)

Posted 04 June 2004 - 01:17 PM

Nice! :D

We can wrap up the hijacker following these steps:

--Open the 'Find-All'\Tools subfolder.
Double-click once on the "ZIPZAP.bat" file!

It will quickly/silently do this:
*Restore your key & security
back to defaults
*Reset permissions on the moved junkxxx\*.dll file
*Create a zipped copy in the same folder: "junkxxx.zip"
*Open your email client with the given addresses for submission!

--Drag the 'junkxxx.zip' and submit the
attachment to the specified addresses, thanks!

When done, delete the "junkxxx.zip"
as well as the "junkxxx" folder in C:\ and the 'Find-All' folder(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker
downloaded!
Run these tools (whether used before or not!), as
they should work properly now.
Have them fix all problems:
*Ad-Aware 6 Build 181:
http://www.lavasoftu...ftware/adaware/

*Latest reference file: 01R313 02.06.2004
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181
http://www.lavahelp....scan/index.html

*CWShredder:
http://www.spywarein.../CWShredder.exe

Feel free to post a follow-up HijackThis log when done!
Good luck :cool:

#7 Turbo123 (Full Member, 12 posts)

Posted 04 June 2004 - 01:25 PM

Thanks a lot!!!!!!!!! :bounce:

;D ;D ;D



