
Many popups and about blank home page


16 replies to this topic

#1 flyinfry (Full Member, 10 posts)

Posted 06 June 2004 - 12:11 PM


My computer is getting a ton of popups. I have used adware, spybot to clean it up and they keep coming back after I reboot the computer. The home page gets set to about:blank. I'm also getting shortcuts installed on my PC that are Instant Love Alert, Free Games-Cash Prizes, Discount Travel Specials. I have gone through your FAQs and I'm still having this problem. This computer is behind a router with XP's firewall turned on. I have included my HijackThis log along with the Find All Log. Thanks for any help you can give me to get rid of this spyware.


Logfile of HijackThis v1.97.7
Scan saved at 12:01:31 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\PROGRA~1\STYLEJ~1\safelog.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Down Loads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: (no name) - {13DC7D8F-4E2E-4536-97AC-69130493059B} - C:\WINDOWS\System32\mgphba.dll
O3 - Toolbar: grid store - {F97F29B9-93C8-0ABE-6F57-8B991F6E0B07} - C:\PROGRA~1\CHICDE~1\BLUE WIN.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mp3 stupid] C:\PROGRA~1\STYLEJ~1\safelog.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB



--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.2 -6/07 @@@***==--


Sun Jun 06 12:09:32 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (9029:3B15) - FS:NTFS clusters:4k
Total: 119 957 479 424 [112G] - Free: 114 814 558 208 [107G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F69D5A3B-03D1-498F-B057-8FE8138C569D}"=""


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
12:09am up 0 days, 0:18

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\ATAAMON.DLL +++ File read error
\\?\C:\WINDOWS\System32\ATAAMON.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
396 SMSS.EXE
444 CSRSS.EXE Title:
468 WINLOGON.EXE Title: NetDDE Agent
512 SERVICES.EXE Svcs: Eventlog,PlugPlay
524 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
704 SVCHOST.EXE Svcs: RpcSs
768 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,S
NS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl
admgr,w32tim
836 SVCHOST.EXE Svcs: Dnscache
860 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1088 RUNDLL32.EXE Title:
1184 LEXBCES.EXE Svcs: LexBceS
1212 SPOOLSV.EXE Svcs: Spooler
1248 LEXPPS.EXE Title:
1488 explorer.exe Title: Program Manager
1540 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
1560 Directcd.exe Title: DirectCD
1568 Support.exe Title: Support
1576 Realmon.exe Title: Realmon
1600 safelog.exe Title: windWWAA
1620 aoltray.exe Title:
1640 NotifyAlert.exe Title: WindowsFormsParkingWindow
1852 diagent.exe Title: Creative Diagnostics Agent
1904 ALG.EXE Svcs: ALG
1916 acsd.exe Svcs: AOL ACS
1940 CISVC.EXE Svcs: CiSvc
1980 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access
2008 InoRpc.exe Svcs: InoRPC
2040 InoRT.exe Svcs: InoRT
136 InoTask.exe Svcs: InoTask
352 LogWatNT.exe Svcs: LogWatch
528 SVCHOST.EXE Svcs: stisvc
812 wanmpsvc.exe Svcs: WANMiniportService
1136 MsPMSPSv.exe Svcs: WMDM PMSP Service
2732 IEXPLORE.EXE Title: SWI Forums -> Posting New Topic - Microsoft Internet Explorer
4056 CIDAEMON.EXE
4076 CIDAEMON.EXE Title: OleMainThreadWndName
1816 notepad.exe Title: hijackthis.log - Notepad
3428 IEXPLORE.EXE Title: http://69.20.62.53/yyy3.html - Microsoft Internet Explorer
3632 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
3748 NTVDM.EXE
3764 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13DC7D8F-4E2E-4536-97AC-69130493059B}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\ : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianZAITQ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5580

»»Group/user settings:


User: [D3C4S521\don ladas], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group D3C4S521\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
D3C4S521\don ladas:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA


ERROR: There are no more files.

»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 814 06-06-2004 hosts
------
»»Rehash:

»Strings found:

Sun Jun 06 12:09:43 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-06-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-06-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-06-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
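
As an added example (my own code, not part of this thread and not a HijackThis feature): a small triage script that parses lines in the HijackThis format shown above and flags the entry types the helper acts on later in the thread, namely R0/R1 search and start-page hijacks, an unnamed O2 BHO, the O10 Winsock LSP entry, O16 ActiveX downloads, and paths matching the file and folder names he lists. The sample lines are copied from the log above; the function names, the severity labels and the watchlist are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above,
# plus one benign O4 entry (the eTrust real-time monitor) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {13DC7D8F-4E2E-4536-97AC-69130493059B} - C:\WINDOWS\System32\mgphba.dll
O3 - Toolbar: grid store - {F97F29B9-93C8-0ABE-6F57-8B991F6E0B07} - C:\PROGRA~1\CHICDE~1\BLUE WIN.dll
O4 - HKLM\..\Run: [mp3 stupid] C:\PROGRA~1\STYLEJ~1\safelog.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
"""

# File names and folder prefixes the helper names in this thread (hypothetical
# watchlist; extend it from your own baseline, matched case-insensitively).
WATCHLIST = ("inetadpt.dll", "cidrules.dll", "wincore.dll", "winhost32",
             "winupd.dll", "chicde", "stylej")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def _host(text):
    """Host part of the first http(s) URL in the text, or '' if none."""
    m = URL_RE.search(text)
    return m.group(1).lower() if m else ""


def classify(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    if sec == "O10":
        # A Winsock LSP is chained into every socket; deleting the DLL alone
        # breaks networking, so the chain has to be repaired (LSPFix) first.
        return Finding(sec, "HIGH", "unknown Winsock LSP; repair the LSP chain, do not just delete the file", line)
    hit = next((w for w in WATCHLIST if w in low), None)
    if hit:
        return Finding(sec, "HIGH", f"path matches indicator '{hit}' named in the thread", line)
    if sec in ("R0", "R1"):
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if value.startswith("res://"):
            return Finding(sec, "HIGH", "search/start page served from a local DLL resource (about:blank hijacker)", line)
        if value.startswith("about:blank"):
            return Finding(sec, "MEDIUM", "about:blank start page, the symptom reported in this thread", line)
        if value.startswith("http"):
            return Finding(sec, "MEDIUM", f"search setting points at third-party host {_host(value)}", line)
        return None
    if sec == "O2" and "(no name)" in low:
        return Finding(sec, "HIGH", "unnamed Browser Helper Object loads into every IE process", line)
    if sec == "O3":
        return Finding(sec, "MEDIUM", "third-party toolbar; verify the publisher", line)
    if sec == "O16" and "microsoft." not in _host(body):
        return Finding(sec, "MEDIUM", f"ActiveX control downloaded from {_host(body)}; verify the source", line)
    return None


def triage(log_text):
    """Run classify() over a whole log and keep the non-empty findings."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 5, 'MEDIUM': 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Entries that match nothing (the eTrust monitor above) produce no finding, which is the point: the script narrows a long log down to the lines a human still has to judge.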

#2 freeatlast (E x p l o r e r; Retired Staff, 833 posts)

Posted 06 June 2004 - 12:48 PM

You have several issues. Follow these steps:

1.)
Download:
http://www.cexx.org/LSPFix.exe
Run, hit the "I know what I'm doing" tab:
Select: "inetadpt.dll" (protocol handler) only for removal, remove
And restart computer when done!

2.)
Go to System32 folder, find and delete:
-inetadpt.dll
-cidrules.dll
-wincore.dll
-winhost32
-winupd.dll

3.)
Go to start/run/ copy and paste:
%temp%
Into the run box, hit 'ok'.
When temp folder opens, delete entire contents of temp folder!

4.)
Start new text file, copy and paste the contents of the quote box into it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\TargetSoft]


Save the text file as: (*change 'Save as type' to All Files) fix.reg
DoubleClick on 'fix.reg' file, hit yes on the prompt!

5.) Go to Add/remove programs and
look for "window Search" or "window searching"
entries, if/when found, uninstall!
Restart computer, go to program files. find these
folders that start with:
CHICDE.........
STYLEJ..........
Delete if there.

6.)
Download this tool:

http://downloads.sub...g/VX2Finder.exe

Scan, save the results and post them here
along with another hijackthis log!

#3 flyinfry (Full Member, 10 posts)

Posted 06 June 2004 - 01:46 PM

Thanks for the help. There is one file in the Temp folder that I can't delete; it is PErFib_Perfdata_640.dat and it says it is in use. Also I didn't find any folders that start with CHICDE......... or STYLEJ.......... When I rebooted the computer in the steps you told me the about:blank still came back. Some of the pop-up pages I get are Eterm, a performance page. Here are the logs you requested. Thanks again for the help.

VX2Finder Logs
Files Found---
C:\WINDOWS\System32\6iO4SVC.DLL
C:\WINDOWS\System32\6qO4SVC.DLL
C:\WINDOWS\System32\6zO4SVC.DLL
C:\WINDOWS\System32\AaMPARSE.DLL
C:\WINDOWS\System32\AdAAMON.DLL
C:\WINDOWS\System32\AoTXPRXY.DLL
C:\WINDOWS\System32\ApAAMON.DLL
C:\WINDOWS\System32\AtAAMON.DLL
C:\WINDOWS\System32\AvMPARSE.DLL


Guardian Key--- is called: GuardianUXMQJ
Asynchronous 000
DllName C:\WINDOWS\system32\AtAAMON.DLL
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {F69D5A3B-03D1-498F-B057-8FE8138C569D}
IDex DS4

User Agent String---
{F69D5A3B-03D1-498F-B057-8FE8138C569D}


Logfile of HijackThis v1.97.7
Scan saved at 1:38:39 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Down Loads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: (no name) - {AF7A9A99-1D29-4991-8D1B-1B21DD07428F} - C:\WINDOWS\System32\mgphba.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB

#4 freeatlast (E x p l o r e r; Retired Staff, 833 posts)

Posted 06 June 2004 - 01:56 PM

For previous steps #2+3+4 , download: "VX2cleaner.zip"
from the 'Find-All page' link in my signature ,
unzip and run the '!Clean.bat' file inside!

Post the log when done!

(*Manually delete 'inetadpt.dll' when done with step#1)

Your 'AboutBlank' issue can't be cured as long as you
have the other pests!

Now, use the VX2finder, select all files on the scan and delete!
You will be prompted to restart on one file to complete the process!
Restart, rescan and be sure no files are showing in the
Files Found---
Section!
Lastly, use the left tabs and click:
*Restore policy
*Guardian.reg key
*user agent!

In hijackthis fix checked:
*O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
*O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab


Restart your computer again scan and post the logs from:
-Find-All.cmd
-VX2cleaner (!Clean.bat)
-VX2finder

Edited by freeatlast, 06 June 2004 - 02:00 PM.


#5 flyinfry (Full Member, 10 posts)

Posted 06 June 2004 - 02:23 PM

Here you go. Thanks.

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.2 -6/07 @@@***==--


Sun Jun 06 14:20:50 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (9029:3B15) - FS:NTFS clusters:4k
Total: 119 957 479 424 [112G] - Free: 114 878 148 608 [107G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
2:20pm up 0 days, 0:01

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
404 SMSS.EXE
452 CSRSS.EXE Title:
476 WINLOGON.EXE Title: NetDDE Agent
520 SERVICES.EXE Svcs: Eventlog,PlugPlay
532 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
712 SVCHOST.EXE Svcs: RpcSs
764 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,S
NS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl
admgr,w32tim
844 SVCHOST.EXE Svcs: Dnscache
864 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1156 explorer.exe Title: Program Manager
1188 LEXBCES.EXE Svcs: LexBceS
1224 SPOOLSV.EXE Svcs: Spooler
1260 LEXPPS.EXE Title:
1368 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
1396 Directcd.exe Title: DirectCD
1404 Support.exe Title: Support
1436 Realmon.exe Title: Realmon
1508 aoltray.exe Title:
1520 NotifyAlert.exe Title: WindowsFormsParkingWindow
1740 diagent.exe Title: Creative Diagnostics Agent
1748 IEXPLORE.EXE Title: Welcome to the System Performance Wizard - Microsoft Internet Explorer
1868 ALG.EXE Svcs: ALG
1880 acsd.exe Svcs: AOL ACS
1908 CISVC.EXE Svcs: CiSvc
1948 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access
1976 InoRpc.exe Svcs: InoRPC
1996 InoRT.exe Svcs: InoRT
2008 InoTask.exe Svcs: InoTask
264 LogWatNT.exe Svcs: LogWatch
368 SVCHOST.EXE Svcs: stisvc
756 wanmpsvc.exe Svcs: WANMiniportService
860 MsPMSPSv.exe Svcs: WMDM PMSP Service
2588 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
2628 NTVDM.EXE
2684 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7A9A99-1D29-4991-8D1B-1B21DD07428F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\ : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»Group/user settings:


User: [D3C4S521\don ladas], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group D3C4S521\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
D3C4S521\don ladas:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA


ERROR: There are no more files.

»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 814 06-06-2004 hosts
------
»»Rehash:

»Strings found:

Sun Jun 06 14:21:00 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-06-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-06-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-06-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


VX2Cleaner
Sun Jun 06 14:21:52 2004 -- done!..deleted 'TargetSoft' files, cleaned registry keys...restored 'home page'...


VX2Finder
Files Found---


Guardian Key--- is called:

User Agent String---

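As an added example (my own code, not from this thread, Find-All or VX2Finder): the Winlogon\Notify key is the autostart point the VX2 "Guardian" entry lives in, and its name differs between the two listings on this page (GuardianZAITQ in the first Find-All log, GuardianUXMQJ in the VX2Finder output), so a name-based signature is unreliable; diffing the subkey list against a known-good baseline catches it whatever it is called. The baseline below is the nine entries left in the clean second Find-All log, an assumption to check against your own XP build; the log excerpts are constructed from the two logs above.

```python
import re

# Constructed excerpt of the Winlogon\Notify section from the first Find-All
# log in this thread (before cleaning). Blank lines between entries dropped.
BEFORE = r"""
»»Winlogon\notify:
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianZAITQ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5580
»»Group/user settings:
"""

# The second log (after VX2cleaner) is the same list without the Guardian
# entry and with the smaller key size reported there; derived here for brevity.
AFTER = "\n".join(ln for ln in BEFORE.splitlines()
                  if "GuardianZAITQ" not in ln).replace(": 5580", ": 5016")

# Assumed known-good set: the entries present in the clean second log.
XP_SP1_NOTIFY = frozenset({"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                           "Schedule", "sclgntfy", "SensLogn", "termsrv",
                           "wlballoon"})

ENTRY_RE = re.compile(r"\\Winlogon\\Notify\\([^\\\s]+)\s*$")
SIZE_RE = re.compile(r"Winlogon\\Notify:\s*(\d+)")


def notify_section(log):
    """Lines of the »»Winlogon\\notify: section, up to the next »» header."""
    out, inside = [], False
    for ln in log.splitlines():
        if ln.startswith("»»"):
            inside = ln.lower().startswith("»»winlogon\\notify")
            continue
        if inside:
            out.append(ln)
    return out


def notify_entries(log):
    """(set of Notify subkey names, reported key size or None)."""
    keys, size = set(), None
    for ln in notify_section(log):
        m = ENTRY_RE.search(ln)
        if m:
            keys.add(m.group(1))
        m = SIZE_RE.search(ln)
        if m:
            size = int(m.group(1))
    return keys, size


def unexpected(keys, baseline=XP_SP1_NOTIFY):
    """Subkeys not in the baseline: anything here needs a look regardless of name."""
    return set(keys) - set(baseline)


def compare_runs(before, after, baseline=XP_SP1_NOTIFY):
    """Diff two Find-All runs and flag off-baseline entries in each."""
    b_keys, b_size = notify_entries(before)
    a_keys, a_size = notify_entries(after)
    return {
        "unexpected_before": unexpected(b_keys, baseline),
        "unexpected_after": unexpected(a_keys, baseline),
        "removed": b_keys - a_keys,
        "added": a_keys - b_keys,
        "size_before": b_size,
        "size_after": a_size,
    }


if __name__ == "__main__":
    for k, v in compare_runs(BEFORE, AFTER).items():
        print(f"{k:18} {v}")
```

The reported key size (5580 before, 5016 after) is a second, name-independent signal that something was removed from the key between the two runs.
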
#6 freeatlast (E x p l o r e r; Retired Staff, 833 posts)

Posted 06 June 2004 - 02:46 PM

Well done, so far!
One pest is gone ;)

Next--
-FIRST--
And before doing anything else, go to System
Restore, make sure it's active and create a manual restore
point as a safety procedure.

Next, follow these steps carefully:

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder
highlighted.
(*compare and be sure the path on the status
bar is same as indicated above!)

--RightClick on the Windows Subfolder,
And rename Windows as Windows1

--Locate "AppInit_DLLs" value on the right
pane, RightClick it and select -> 'delete'

--Select the Windows1 on the left pane
again and rename it back to its
original name, Windows

--Use regedit's top menu View -> Refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

--Close regedit, *restart computer!

--Navigate to the System32 folder, search
for the System32\CTLLPOJ.DLL file, highlight it
and use the folder's top menu
option: "Edit -> Move to Folder..."
Browse to and select the C:\junkxxx folder.
(It was created during the first 'Find-All' run.)
'OK' it.

---Re-run 'Find-All.cmd' and post the new log!

#7 flyinfry

    Member

  • Full Member
  • 10 posts

Posted 06 June 2004 - 10:40 PM

Sorry it took so long to answer; I had a graduation party to go to. I didn't find CTLLPOJ.DLL on this computer, but I do have the C:\junkxxx folder.

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.2 -6/07 @@@***==--


Sun Jun 06 22:39:03 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (9029:3B15) - FS:NTFS clusters:4k
Total: 119 957 479 424 [112G] - Free: 114 830 626 816 [107G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
10:39pm up 0 days, 0:05

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
400 SMSS.EXE
448 CSRSS.EXE Title:
472 WINLOGON.EXE Title: NetDDE Agent
516 SERVICES.EXE Svcs: Eventlog,PlugPlay
528 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
708 SVCHOST.EXE Svcs: RpcSs
760 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,S
NS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl
admgr,w32tim
848 SVCHOST.EXE Svcs: Dnscache
860 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1160 explorer.exe Title: Program Manager
1188 LEXBCES.EXE Svcs: LexBceS
1224 SPOOLSV.EXE Svcs: Spooler
1260 LEXPPS.EXE Title:
1372 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
1400 Directcd.exe Title: DirectCD
1420 Support.exe Title: Support
1460 Realmon.exe Title: Realmon
1496 NotifyAlert.exe Title: WindowsFormsParkingWindow
1520 aoltray.exe Title:
1756 diagent.exe Title: Creative Diagnostics Agent
1832 ALG.EXE Svcs: ALG
1844 acsd.exe Svcs: AOL ACS
1872 CISVC.EXE Svcs: CiSvc
1908 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access
1940 InoRpc.exe Svcs: InoRPC
1960 InoRT.exe Svcs: InoRT
1976 InoTask.exe Svcs: InoTask
204 LogWatNT.exe Svcs: LogWatch
436 SVCHOST.EXE Svcs: stisvc
252 wanmpsvc.exe Svcs: WANMiniportService
832 MsPMSPSv.exe Svcs: WMDM PMSP Service
2116 IEXPLORE.EXE Title: SWI Forums -> Many popups and about blank home page - Microsoft Internet Explorer
2908 CIDAEMON.EXE
2928 CIDAEMON.EXE
3020 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
3060 NTVDM.EXE
3104 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7A9A99-1D29-4991-8D1B-1B21DD07428F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access D3C4S521\don ladas
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access D3C4S521\don ladas




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\ : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»Group/user settings:


User: [D3C4S521\don ladas], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group D3C4S521\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
D3C4S521\don ladas:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA


ERROR: There are no more files.

»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 814 06-06-2004 hosts
------
»»Rehash:

»Strings found:

Sun Jun 06 22:39:13 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-06-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-06-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-06-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

#8 freeatlast

    Explorer

  • Retired Staff
  • 833 posts

Posted 07 June 2004 - 01:47 PM

hmm... Not good!

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error


I see you are running XP 'home' edition.

There are various issues (and files) that affect it differently.

The file listed above is completely hidden!
You will only be able to find it while the
data in the 'AppInit_DLLs' value is gone...

Repeat the same steps in my previous post once again,
but in Safe mode!
Confirm them by opening regedit after the restart and
checking whether the AppInit_DLLs value exists!
(You will not see any data listed in it...)

If it's loaded again after restart, follow these steps instead:

*In regedit open the same 'Windows' key.
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)

*RightClick on the Windows Subfolder,
And rename Windows as Windows1

**Restart computer!!!
(That key won't be loaded)

*After restart, Find:
C:\WINDOWS\System32\*CTLLPOJ.DLL
as it should be visible, and
use the folder's top menu
option : "Edit-> Move to folder..."
*Browse to and select: C:\junkxxx folder
'ok' it.

*Open regedit to the same key:
*Rename the Windows1 back to its
original name, Windows

*RightClick on 'AppInit_Dlls' Value(only)
on the right pane and delete.

*Re-run 'Find-All.cmd' and post the log.
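The checks that #6 and #8 make by reading the Find-All output (is the AppInit_DLLs value there and what does it show, does the reported size of the 'Windows' key match the baselines the banner prints, which files came back unreadable, which BHO CLSIDs are still unaccounted for) can be run over the log text itself. The following is an added example in Python, not part of this thread or of the Find-All tool; the size baselines are the ones the log banner prints, the sample input is abridged from the two logs posted above, and the fake-key tolerance and the BHO allowlist are assumptions.

```python
"""Triage checks over the registry sections of a Find-All style log.

Added example: not part of the thread above or of the Find-All tool. It applies
the checks the helper reads off these logs by eye: whether an AppInit_DLLs value
is present and what data it shows, whether the reported size of the 'Windows'
key matches the banner baselines (Default-450; No AppInit-398; Fake-~448),
which files came back unreadable, and which BHO CLSIDs are not yet vetted.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Baselines quoted by the log banner "(Default-450;No'AppInit'-398;*Fake-~448!)".
SIZE_DEFAULT, SIZE_NO_APPINIT, SIZE_FAKE = 450, 398, 448
SIZE_FAKE_TOLERANCE = 4  # assumption: slack around the '~448' figure

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


@dataclass
class Findings:
    appinit_present: bool = False
    appinit_data: Optional[str] = None
    key_size: Optional[int] = None
    locked_files: List[str] = field(default_factory=list)
    bhos_for_review: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


def parse_regedit4(lines: Iterable[str]):
    """Yield (key, None, None) for each key header and (key, name, data) for each value."""
    key = None
    for line in lines:
        m = re.match(r"^\[(.+)\]\s*$", line)
        if m:
            key = m.group(1)
            yield key, None, None
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and key is not None:
            yield key, m.group(1), m.group(2).strip()


def analyze(log_text: str, known_bhos: Iterable[str] = ()) -> Findings:
    f = Findings()
    known = {c.upper() for c in known_bhos}
    for key, name, data in parse_regedit4(log_text.splitlines()):
        if name is None:
            # Each sub-key of the BHO key is one CLSID; anything not vetted goes on the review list.
            if key.lower().startswith(BHO_KEY.lower() + "\\"):
                clsid = key.rsplit("\\", 1)[1].upper()
                if clsid not in known:
                    f.bhos_for_review.append(clsid)
        elif key.lower() == WINDOWS_KEY.lower() and name.lower() == "appinit_dlls":
            f.appinit_present = True
            f.appinit_data = data.strip('"')

    m = re.search(r"^Size of " + re.escape(WINDOWS_KEY) + r": (\d+)", log_text, re.I | re.M)
    if m:
        f.key_size = int(m.group(1))

    # "\\?\C:\...\X.DLL +++ File read error": the tool could not read the file while it was loaded.
    for m in re.finditer(r"^\\\\\?\\(.+?) \+\+\+ File read error", log_text, re.M):
        if m.group(1) not in f.locked_files:
            f.locked_files.append(m.group(1))

    if f.appinit_present and f.appinit_data:
        f.alerts.append(f"AppInit_DLLs is set to '{f.appinit_data}'")
    if f.key_size is not None:
        expected = SIZE_DEFAULT if f.appinit_present else SIZE_NO_APPINIT
        if f.key_size != expected:
            f.alerts.append(f"'Windows' key size {f.key_size} differs from the {expected} baseline; "
                            "the value may hold data the export does not show")
        if abs(f.key_size - SIZE_FAKE) <= SIZE_FAKE_TOLERANCE:
            f.alerts.append(f"'Windows' key size {f.key_size} matches the 'fake key' pattern")
    for path in f.locked_files:
        f.alerts.append(f"unreadable file {path}; inspect it once AppInit_DLLs no longer loads it")
    return f


# Constructed sample input, abridged from the two logs posted in this thread.
LOG_BEFORE = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7A9A99-1D29-4991-8D1B-1B21DD07428F}]

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512
"""
LOG_AFTER = (LOG_BEFORE
             .replace(r"\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error" + "\n", "")
             .replace('"AppInit_DLLs"=""' + "\n", "")
             .replace(": 512", ": 398"))

if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        r = analyze(log)
        print(f"{label}: alerts={r.alerts} BHOs to review={r.bhos_for_review}")
```

On the first log it raises two alerts (a 'Windows' key of 512 bytes against the 450 baseline while an apparently empty AppInit_DLLs value is still present, and the unreadable CTLLPOJ.DLL); on the second it raises none and leaves only the BHO CLSID for the analyst to look up. The size comparison is the useful part: a value whose data is hidden from regedit and reg.exe still occupies space in the hive.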

#9 flyinfry

    Member

  • Full Member
  • 10 posts

Posted 07 June 2004 - 06:56 PM

OK, I have the CTLLPOJ.DLL moved to the C:\junkxxx folder. Here are my new logs. Thanks again.



--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.2 -6/07 @@@***==--


Mon Jun 07 18:21:47 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (9029:3B15) - FS:NTFS clusters:4k
Total: 119 957 479 424 [112G] - Free: 114 819 887 104 [107G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
6:21pm up 0 days, 0:09

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
396 SMSS.EXE
444 CSRSS.EXE Title:
468 WINLOGON.EXE Title: NetDDE Agent
512 SERVICES.EXE Svcs: Eventlog,PlugPlay
524 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
704 SVCHOST.EXE Svcs: RpcSs
760 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,S
NS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl
admgr,w32tim
936 SVCHOST.EXE Svcs: Dnscache
980 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1108 explorer.exe Title: Program Manager
1192 LEXBCES.EXE Svcs: LexBceS
1228 SPOOLSV.EXE Svcs: Spooler
1264 LEXPPS.EXE Title:
1372 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
1408 Directcd.exe Title: DirectCD
1416 Support.exe Title: Support
1424 Realmon.exe Title: Realmon
1440 CsRemnd.exe
1468 aoltray.exe Title:
1532 NotifyAlert.exe Title: WindowsFormsParkingWindow
1720 diagent.exe Title: Creative Diagnostics Agent
1844 ALG.EXE Svcs: ALG
1856 acsd.exe Svcs: AOL ACS
1880 CISVC.EXE Svcs: CiSvc
1920 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access
1952 InoRpc.exe Svcs: InoRPC
1976 InoRT.exe Svcs: InoRT
1988 InoTask.exe Svcs: InoTask
212 LogWatNT.exe Svcs: LogWatch
356 SVCHOST.EXE Svcs: stisvc
420 wanmpsvc.exe Svcs: WANMiniportService
864 MsPMSPSv.exe Svcs: WMDM PMSP Service
3240 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
3276 NTVDM.EXE
3348 CIDAEMON.EXE
3376 CIDAEMON.EXE Title: OleMainThreadWndName
3424 TASKMGR.EXE Title: Windows Task Manager
3468 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7A9A99-1D29-4991-8D1B-1B21DD07428F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access D3C4S521\Administrator
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access D3C4S521\Administrator




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»Group/user settings:


User: [D3C4S521\don ladas], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group D3C4S521\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
D3C4S521\don ladas:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA


ERROR: There are no more files.

»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 814 06-06-2004 hosts
------
»»Rehash:

»Strings found:

Mon Jun 07 18:22:07 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-07-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-07-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-06-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

#10 freeatlast

    Explorer

  • Retired Staff
  • 833 posts

Posted 07 June 2004 - 07:26 PM

Where is the file, exactly? :scratchhead:

OK I have the CTLLPOJ.DLL
moved to the C:\junkxxx folder.
-Here are my new logs

------------------------------------------------



ERROR: There are no more files.

»»File(s) in 'junkxxx' folder:

»»Md5sums

0 bytes, 0 ms = 0.00 MB/sec




Can you go to C:\junkxxx and specify its
current contents?

If you deleted the file, specify that
as well, as some of the next steps will not work properly!

#11 flyinfry

    Member

  • Full Member
  • 10 posts

Posted 07 June 2004 - 07:48 PM

The C:\junkxxx folder has nothing in it. I also went into safe mode and the folder has nothing in it. I followed your last set of instructions and have deleted nothing.

After restart, Find:
C:\WINDOWS\System32\*CTLLPOJ.DLL
as it should be visible, and
use the folder's top menu
option : "Edit-> Move to folder..."
*Browse to and select: C:\junkxxx folder
'ok' it.

#12 flyinfry

    Member

  • Full Member
  • 10 posts

Posted 07 June 2004 - 07:50 PM

I also did a search for CTLLPOJ.DLL and it is not on the computer. Thanks.

#13 flyinfry

    Member

  • Full Member
  • 10 posts

Posted 07 June 2004 - 09:00 PM

I found where the CTLLPOJ.DLL file went: my virus protection deleted it. It was marked as win32/agent.j.downloader.trojan.

#14 freeatlast

    Explorer

  • Retired Staff
  • 833 posts

Posted 07 June 2004 - 09:33 PM

That's what I thought! :D

You can proceed with the last set of steps now!

---Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/silently do this:
*Restore your key & security
back to defaults

*Reset permissions on the junkxxx\*.dll moved file
*Create zipped copy in the same folder: "junkxxx.zip"
*Open your email client with given addresses for submission!

--Drag the 'junkxxx.zip' and submit the
attachment to the specified addresses! Thanks.


When done, Delete the "junkxxx.zip" and the 'Find-All folder(s)!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker
downloaded!
Run these tools (whether used before or not!), as
they should work properly now, and
have them fix all problems:
*Ad-Aware 6 Build 181:
http://www.lavasoftu...ftware/adaware/

*Latest reference file :
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181
http://www.lavahelp....scan/index.html

http://www.spywarein.../CWShredder.exe


*Ignore the submission part! Obviously there is nothing to submit!
Feel free to post another hijackthis log when done! ;)
(well done so far!)

#15 flyinfry

    Member

  • Full Member
  • 10 posts

Posted 07 June 2004 - 10:20 PM

freeatlast, here is my HijackThis log file. Thanks for all the help so far. This place is the best. Do you see anything else I should be worried about? Again, thanks for the help.

Logfile of HijackThis v1.97.7
Scan saved at 10:17:02 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB

#16 freeatlast

    Explorer

  • Retired Staff
  • 833 posts

Posted 07 June 2004 - 11:12 PM

Fix these:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
*O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

Reboot and delete the "Program Files\CasinoOnline" subfolder!

All's well, otherwise! :D
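The two entries #16 flags are the kind of thing a parser can pick out of a HijackThis log: a start-page entry left pointing at about:blank, and an autostart whose program nobody on the thread recognises. The block below is an added example in Python, not part of this thread or of HijackThis; it parses the R1 and O4 line formats from the log above into records and applies those two rules. The list of vetted executables is an assumption (the programs the helper left alone), and the sample input is the entry lines from the posted log with the truncated O16 line left out.

```python
"""Structured triage of HijackThis (v1.97) log entries.

Added example: not part of the thread above or of HijackThis itself. It parses
the R1 and O4 entry formats seen in the log and applies the two rules the
helper applied by hand: an R0/R1 start-page entry pointing at about:blank is
hijack residue to fix, and an O4 autostart whose executable is not on the
analyst's vetted list needs a look.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
R_ENTRY = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
O4_REG = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<subkey>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str
    line: str
    name: Optional[str] = None
    target: Optional[str] = None  # value data for R entries, executable file name for O4 entries


def executable_of(command: str) -> str:
    """Lower-cased file name of the program an autostart command launches (quoted or bare path)."""
    m = re.match(r'^"([^"]+)"', command)
    path = m.group(1) if m else re.split(r"(?<=\.exe)\s", command, maxsplit=1, flags=re.I)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(log_text: str) -> List[Entry]:
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # process list, headers and blank lines are not entries
        sec, body = m.group("sec"), m.group("body")
        e = Entry(sec, line)
        if sec.startswith("R"):
            r = R_ENTRY.match(body)
            if r:
                e.name, e.target = r.group("name").strip(), r.group("data").strip()
        elif sec == "O4":
            r = O4_REG.match(body) or O4_STARTUP.match(body)
            if r:
                e.name, e.target = r.group("name"), executable_of(r.group("cmd"))
        entries.append(e)
    return entries


def triage(log_text: str, vetted_exes: Iterable[str]) -> dict:
    """Split entries into lines HijackThis should fix and autostarts the analyst must review."""
    vetted = {x.lower() for x in vetted_exes}
    fix, review = [], []
    for e in parse(log_text):
        if e.section in ("R0", "R1") and (e.target or "").lower() == "about:blank":
            fix.append(e.line)
        elif e.section == "O4" and e.target is not None and e.target not in vetted:
            review.append(e.line)
    return {"fix": fix, "review": review}


# Constructed sample: the entry lines from the HijackThis log posted above (O16 line omitted).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
"""

# Assumption: the analyst has vetted these programs (the ones the helper left alone in the thread).
VETTED = ("bcmsmmsg.exe", "diagent.exe", "directcd.exe", "support.exe",
          "realmon.exe", "qttask.exe", "money express.exe", "aoltray.exe")

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, VETTED)
    print("Fix these:", *result["fix"], sep="\n  ")
    print("Review these:", *result["review"], sep="\n  ")
```

Run against the sample it returns exactly the two lines #16 asked to have fixed: the R1 about:blank entry and the CasinoOnline autostart. With an empty vetted list every O4 entry lands on the review list, which is the honest default when nothing has been checked yet.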

#17 flyinfry

    Member

  • Full Member
  • 10 posts

Posted 09 June 2004 - 06:34 PM

freeatlast, I just wanted to say thanks for helping remove the spyware. You and this forum are great. It's nice to have a place to get help with this pain-in-the-butt spyware. Thanks again.



