flyinfry

Many popups and about blank home page

17 posts in this topic


My computer is getting a ton of popups. I have used Ad-Aware and Spybot to clean it up and they keep coming back after I reboot the computer. The home page gets set to about:blank. I'm also getting shortcuts installed on my PC that are Instant Love Alert, Free Games-Cash Prizes, Discount Travel Specials. I have gone through your FAQs and I'm still having this problem. This computer is behind a router with XP's firewall turned on. I have included my HijackThis log along with the Find All Log. Thanks for any help you can give me to get rid of this spyware.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:01:31 PM, on 6/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\PROGRA~1\STYLEJ~1\safelog.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\WINDOWS\LogWatNT.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Down Loads\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe

O2 - BHO: (no name) - {13DC7D8F-4E2E-4536-97AC-69130493059B} - C:\WINDOWS\System32\mgphba.dll

O3 - Toolbar: grid store - {F97F29B9-93C8-0ABE-6F57-8B991F6E0B07} - C:\PROGRA~1\CHICDE~1\BLUE WIN.dll

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mp3 stupid] C:\PROGRA~1\STYLEJ~1\safelog.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

 

 

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.2 -6/07 @@@***==--

 

 

Sun Jun 06 12:09:32 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (9029:3B15) - FS:NTFS clusters:4k

Total: 119 957 479 424 [112G] - Free: 114 814 558 208 [107G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{F69D5A3B-03D1-498F-B057-8FE8138C569D}"=""

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe

 

 

»»PC uptime:

12:09am up 0 days, 0:18

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\ATAAMON.DLL +++ File read error

\\?\C:\WINDOWS\System32\ATAAMON.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

396 SMSS.EXE

444 CSRSS.EXE Title:

468 WINLOGON.EXE Title: NetDDE Agent

512 SERVICES.EXE Svcs: Eventlog,PlugPlay

524 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

704 SVCHOST.EXE Svcs: RpcSs

768 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi

ity,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,S

NS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl

admgr,w32tim

836 SVCHOST.EXE Svcs: Dnscache

860 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

1088 RUNDLL32.EXE Title:

1184 LEXBCES.EXE Svcs: LexBceS

1212 SPOOLSV.EXE Svcs: Spooler

1248 LEXPPS.EXE Title:

1488 explorer.exe Title: Program Manager

1540 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor

1560 Directcd.exe Title: DirectCD

1568 Support.exe Title: Support

1576 Realmon.exe Title: Realmon

1600 safelog.exe Title: windWWAA

1620 aoltray.exe Title:

1640 NotifyAlert.exe Title: WindowsFormsParkingWindow

1852 diagent.exe Title: Creative Diagnostics Agent

1904 ALG.EXE Svcs: ALG

1916 acsd.exe Svcs: AOL ACS

1940 CISVC.EXE Svcs: CiSvc

1980 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access

2008 InoRpc.exe Svcs: InoRPC

2040 InoRT.exe Svcs: InoRT

136 InoTask.exe Svcs: InoTask

352 LogWatNT.exe Svcs: LogWatch

528 SVCHOST.EXE Svcs: stisvc

812 wanmpsvc.exe Svcs: WANMiniportService

1136 MsPMSPSv.exe Svcs: WMDM PMSP Service

2732 IEXPLORE.EXE Title: SWI Forums -> Posting New Topic - Microsoft Internet Explorer

4056 CIDAEMON.EXE

4076 CIDAEMON.EXE Title: OleMainThreadWndName

1816 notepad.exe Title: hijackthis.log - Notepad

3428 IEXPLORE.EXE Title: http://69.20.62.53/yyy3.html - Microsoft Internet Explorer

3632 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

3748 NTVDM.EXE

3764 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13DC7D8F-4E2E-4536-97AC-69130493059B}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\ : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianZAITQ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5580

 

»»Group/user settings:

 

 

User: [D3C4S521\don ladas], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group D3C4S521\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:F

BUILTIN\Administrators:(OI)(CI)(IO)F

NT AUTHORITY\SYSTEM:F

NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F

D3C4S521\don ladas:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:R

BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ

GENERIC_EXECUTE

 

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 814 06-06-2004 hosts

------

»»Rehash:

 

»Strings found:

 

Sun Jun 06 12:09:43 2004 -- ++Find-All backups:

c:\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-06-2004 winbackup.hiv

c:\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-06-2004 windows.txt

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-06-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


You have several issues. Follow these steps:

 

1.)

Download:

http://www.cexx.org/LSPFix.exe

Run, hit the "I know what I'm doing" tab:

Select: "inetadpt.dll" (protocol handler) only for removal, remove

And restart computer when done!

 

2.)

Go to System32 folder, find and delete:

-inetadpt.dll

-cidrules.dll

-wincore.dll

-winhost32

-winupd.dll

 

3.)

Go to Start/Run, copy and paste:

%temp%

Into the run box, hit 'ok'.

When temp folder opens, delete entire contents of temp folder!

 

4.)

Start a new text file, copy and paste the contents of the quote box into it:

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\TargetSoft]

 

Save the text file as fix.reg (*change 'Save as type' to 'All files').

DoubleClick on 'fix.reg' file, hit yes on the prompt!

 

5.) Go to Add/Remove Programs and look for "window Search" or "window searching" entries; if/when found, uninstall!

Restart computer, go to Program Files and find these folders that start with:

CHICDE.........

STYLEJ..........

Delete if there.

 

6.)

Download this tool:

 

http://downloads.subratam.org/VX2Finder.exe

 

Scan, save the results and post them here

along with another hijackthis log!

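A triage pass over HijackThis log lines, as an added example that is not part of this thread or of HijackThis itself: it flags the same entry classes the reply above acts on (the unknown Winsock LSP file, the unnamed BHO, search settings redirected to search200.com or to an obfuscated res:// DLL resource, and O16 ActiveX downloads from non-Microsoft hosts). The sample lines are copied from the two logs posted in this thread; the trusted-host list is an assumption of the example.

```python
"""Triage of HijackThis v1.97 log lines against the indicators acted on in
this thread. Added example, not HijackThis code; sample lines are copied
from the logs posted above."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts whose search settings (R0/R1) and ActiveX downloads (O16) are accepted
# without a finding. Assumption for this example, not a HijackThis rule.
TRUSTED_HOSTS = {"www.microsoft.com", "microsoft.com", "www.msn.com"}

# Constructed sample: lines taken from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: (no name) - {13DC7D8F-4E2E-4536-97AC-69130493059B} - C:\WINDOWS\System32\mgphba.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O10"
    reason: str   # why the entry deserves attention
    line: str     # the log line as posted


def _host_of(url: str) -> str:
    return urlparse(url).netloc.lower()


def triage_hijackthis(log_text: str) -> list[Finding]:
    """Return one Finding per distinct suspicious line, in log order."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue  # HijackThis prints one O10 line per Winsock catalog slot
        seen.add(line)
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            value = body.partition(" = ")[2]
            if value.startswith("res://"):
                findings.append(Finding(sec, "search setting served from a local DLL resource", line))
            elif value.startswith("http") and _host_of(value) not in TRUSTED_HOSTS:
                findings.append(Finding(sec, f"search setting points at {_host_of(value)}", line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(sec, "browser helper object registered without a name", line))
        elif sec == "O10":
            findings.append(Finding(sec, "Winsock LSP file HijackThis does not recognise", line))
        elif sec == "O16":
            host = _host_of(body.rsplit(" - ", 1)[-1])
            if host not in TRUSTED_HOSTS:
                findings.append(Finding(sec, f"ActiveX control downloaded from {host}", line))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample it reports six entries and leaves the Microsoft SassCln control, the eTrust Run entry and the about:blank HomeOldSP line alone, which matches what the reply above did and did not ask to fix.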

Thanks for the help. There is one file in the Temp folder that I can't delete, it is PErFib_Perfdata_640.dat; it says it is in use. Also I didn't find any folders that start with CHICDE......... or STYLEJ.......... When I rebooted the computer in the steps you told me, the about:blank still came back. Some of the popup pages I get are Eterm and a performance page. Here are the logs you requested. Thanks again for the help.

 

VX2Finder Logs

Files Found---

C:\WINDOWS\System32\6iO4SVC.DLL

C:\WINDOWS\System32\6qO4SVC.DLL

C:\WINDOWS\System32\6zO4SVC.DLL

C:\WINDOWS\System32\AaMPARSE.DLL

C:\WINDOWS\System32\AdAAMON.DLL

C:\WINDOWS\System32\AoTXPRXY.DLL

C:\WINDOWS\System32\ApAAMON.DLL

C:\WINDOWS\System32\AtAAMON.DLL

C:\WINDOWS\System32\AvMPARSE.DLL

 

 

Guardian Key--- is called: GuardianUXMQJ

Asynchronous 000

DllName C:\WINDOWS\system32\AtAAMON.DLL

Impersonate 000

Logon WinLogon

Logoff WinLogoff

Version 124

ID {F69D5A3B-03D1-498F-B057-8FE8138C569D}

IDex DS4

 

User Agent String---

{F69D5A3B-03D1-498F-B057-8FE8138C569D}

 

 

Logfile of HijackThis v1.97.7

Scan saved at 1:38:39 PM, on 6/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\WINDOWS\LogWatNT.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\notepad.exe

C:\Down Loads\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mgphba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe

O2 - BHO: (no name) - {AF7A9A99-1D29-4991-8D1B-1B21DD07428F} - C:\WINDOWS\System32\mgphba.dll

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB


For previous steps #2, #3 and #4, download "VX2cleaner.zip" from the 'Find-All page' link in my signature, unzip and run the '!Clean.bat' file inside!

 

Post the log when done!

 

(*Manually delete 'inetadpt.dll' when done with step#1)

 

Your 'AboutBlank' issue can't be cured as long as you

have the other pests!

 

Now, use the VX2finder, select all files on the scan and delete!

You will be prompted to restart on one file to complete the process!

Restart, rescan and be sure no files are showing in the

Files Found---

Section!

Lastly, use the left tabs and click:

*Restore policy

*Guardian.reg key

*user agent!

 

In HijackThis, fix checked:

*O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

*O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

 

 

Restart your computer again, scan and post the logs from:

-Find-All.cmd

-VX2cleaner (!Clean.bat)

-VX2finder

Edited by freeatlast


Here you go. Thanks.

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.2 -6/07 @@@***==--

 

 

Sun Jun 06 14:20:50 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (9029:3B15) - FS:NTFS clusters:4k

Total: 119 957 479 424 [112G] - Free: 114 878 148 608 [107G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe

 

 

»»PC uptime:

2:20pm up 0 days, 0:01

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error

\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

404 SMSS.EXE

452 CSRSS.EXE Title:

476 WINLOGON.EXE Title: NetDDE Agent

520 SERVICES.EXE Svcs: Eventlog,PlugPlay

532 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

712 SVCHOST.EXE Svcs: RpcSs

764 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi

ity,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,S

NS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl

admgr,w32tim

844 SVCHOST.EXE Svcs: Dnscache

864 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

1156 explorer.exe Title: Program Manager

1188 LEXBCES.EXE Svcs: LexBceS

1224 SPOOLSV.EXE Svcs: Spooler

1260 LEXPPS.EXE Title:

1368 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor

1396 Directcd.exe Title: DirectCD

1404 Support.exe Title: Support

1436 Realmon.exe Title: Realmon

1508 aoltray.exe Title:

1520 NotifyAlert.exe Title: WindowsFormsParkingWindow

1740 diagent.exe Title: Creative Diagnostics Agent

1748 IEXPLORE.EXE Title: Welcome to the System Performance Wizard - Microsoft Internet Explorer

1868 ALG.EXE Svcs: ALG

1880 acsd.exe Svcs: AOL ACS

1908 CISVC.EXE Svcs: CiSvc

1948 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access

1976 InoRpc.exe Svcs: InoRPC

1996 InoRT.exe Svcs: InoRT

2008 InoTask.exe Svcs: InoTask

264 LogWatNT.exe Svcs: LogWatch

368 SVCHOST.EXE Svcs: stisvc

756 wanmpsvc.exe Svcs: WANMiniportService

860 MsPMSPSv.exe Svcs: WMDM PMSP Service

2588 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

2628 NTVDM.EXE

2684 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7A9A99-1D29-4991-8D1B-1B21DD07428F}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\ : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»Group/user settings:

 

 

User: [D3C4S521\don ladas], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group D3C4S521\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:F

BUILTIN\Administrators:(OI)(CI)(IO)F

NT AUTHORITY\SYSTEM:F

NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F

D3C4S521\don ladas:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:R

BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ

GENERIC_EXECUTE

 

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 814 06-06-2004 hosts

------

»»Rehash:

 

»Strings found:

 

Sun Jun 06 14:21:00 2004 -- ++Find-All backups:

c:\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-06-2004 winbackup.hiv

c:\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-06-2004 windows.txt

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-06-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

 

VX2Cleaner

Sun Jun 06 14:21:52 2004 -- done!..deleted 'TargetSoft' files, cleaned registry keys...restored 'home page'...

 

 

VXFiles Found---

 

 

Guardian Key--- is called:

 

User Agent String---

2Finder


Well done, so far!

One pest is gone ;)

 

Next--

-FIRST--

And before doing anything else, go to System Restore, make sure it's active and create a manual restore point as a safety procedure.

Next, follow these steps carefully:

Your Windows registry is set to open this key directly:

*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/run/type: regedit

The registry should open with the Windows subfolder highlighted.
(*compare and be sure the path on the status bar is the same as indicated above!)

--RightClick on the Windows subfolder, and rename Windows as Windows1

--Locate the "AppInit_DLLs" value on the right pane, RightClick it and select -> 'delete'

--Select Windows1 on the left pane again and rename it back to its original name, Windows

--Use the top regedit menu view->refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

--Close regedit, *restart computer!

--Navigate to the System32 folder, search for the System32\CTLLPOJ.DLL file, highlight it and use the folder's top menu option: "Edit-> Move to folder..."
Browse to and select: C:\junkxxx folder. (It was created during the first 'Find-All' run.) 'ok' it.

---Re-run 'Find-All.cmd' and post new log!


Sorry it took so long to answer; I had a graduation party to go to. I didn't find the CTLLPOJ.DLL on this computer. But I do have the C:\junkxxx folder.

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.2 -6/07 @@@***==--

 

 

Sun Jun 06 22:39:03 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (9029:3B15) - FS:NTFS clusters:4k

Total: 119 957 479 424 [112G] - Free: 114 830 626 816 [107G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe

 

 

»»PC uptime:

10:39pm up 0 days, 0:05

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error

\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

400 SMSS.EXE

448 CSRSS.EXE Title:

472 WINLOGON.EXE Title: NetDDE Agent

516 SERVICES.EXE Svcs: Eventlog,PlugPlay

528 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

708 SVCHOST.EXE Svcs: RpcSs

760 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi

ity,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,S

NS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl

admgr,w32tim

848 SVCHOST.EXE Svcs: Dnscache

860 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

1160 explorer.exe Title: Program Manager

1188 LEXBCES.EXE Svcs: LexBceS

1224 SPOOLSV.EXE Svcs: Spooler

1260 LEXPPS.EXE Title:

1372 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor

1400 Directcd.exe Title: DirectCD

1420 Support.exe Title: Support

1460 Realmon.exe Title: Realmon

1496 NotifyAlert.exe Title: WindowsFormsParkingWindow

1520 aoltray.exe Title:

1756 diagent.exe Title: Creative Diagnostics Agent

1832 ALG.EXE Svcs: ALG

1844 acsd.exe Svcs: AOL ACS

1872 CISVC.EXE Svcs: CiSvc

1908 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access

1940 InoRpc.exe Svcs: InoRPC

1960 InoRT.exe Svcs: InoRT

1976 InoTask.exe Svcs: InoTask

204 LogWatNT.exe Svcs: LogWatch

436 SVCHOST.EXE Svcs: stisvc

252 wanmpsvc.exe Svcs: WANMiniportService

832 MsPMSPSv.exe Svcs: WMDM PMSP Service

2116 IEXPLORE.EXE Title: SWI Forums -> Many popups and about blank home page - Microsoft Internet Explorer

2908 CIDAEMON.EXE

2928 CIDAEMON.EXE

3020 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

3060 NTVDM.EXE

3104 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7A9A99-1D29-4991-8D1B-1B21DD07428F}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access D3C4S521\don ladas

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access D3C4S521\don ladas

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\ : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»Group/user settings:

 

 

User: [D3C4S521\don ladas], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group D3C4S521\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:F

BUILTIN\Administrators:(OI)(CI)(IO)F

NT AUTHORITY\SYSTEM:F

NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F

D3C4S521\don ladas:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:R

BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ

GENERIC_EXECUTE

 

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 814 06-06-2004 hosts

------

»»Rehash:

 

»Strings found:

 

Sun Jun 06 22:39:13 2004 -- ++Find-All backups:

c:\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-06-2004 winbackup.hiv

c:\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-06-2004 windows.txt

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-06-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


hmm... Not good!

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error

\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error

 

 

I see you are running XP 'home' edition.

There are various issues (and files) that affect it differently.

The file listed above is completely hidden! You will only be able to find it while the data in the 'AppInit_DLLs' value is gone...

Repeat the same steps in my previous post once again, but in Safe mode! Confirm them by opening regedit after restart and looking if the AppInit_DLLs value exists! (you will not see any data listed in it...)

If it's loaded again after restart, follow these steps instead:

*In regedit open the same 'Windows' key.
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)

*RightClick on the Windows subfolder, and rename Windows as Windows1

**Restart computer!!! (That key won't be loaded)

*After restart, find: C:\WINDOWS\System32\*CTLLPOJ.DLL as it should be visible, and use the folder's top menu option: "Edit-> Move to folder..."
*Browse to and select: C:\junkxxx folder
'ok' it.

*Open regedit to the same key:
*Rename Windows1 back to its original name, Windows

*RightClick on the 'AppInit_Dlls' value (only) on the right pane and delete.

*Re-run 'Find-All.cmd' and post the log.
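The helper's two posts above compare a few log sections by eye: the 'Windows' key size against the Default-450 / No'AppInit'-398 thresholds printed in the log header, the AppInit_DLLs value, the "+++ File read error" lines and the Winlogon\Notify subkeys. The following Python script automates that triage over Find-All style log text; it is an added example, not code from the thread or from the Find-All tool, and its sample excerpts are constructed from the thread's second (infected) and third (clean) logs.

```python
"""Triage of 'Find-All' log excerpts for the AppInit_DLLs hijack in this thread.

Added example: not code from the thread, and not part of the Find-All tool.
It parses the log sections the helper reads by eye and reports findings.
"""
import re

# Thresholds printed in the log's own header line:
#   »»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
SIZE_DEFAULT = 450      # clean key with an empty AppInit_DLLs value present
SIZE_NO_APPINIT = 398   # clean key after the AppInit_DLLs value is deleted

# Winlogon\Notify subkeys listed in every log of the thread (XP SP1 defaults).
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

_SIZE_RE = re.compile(r"^Size of .*\\CurrentVersion\\Windows: (\d+)$", re.I)
_APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(.*)"$')
_SUSPECT_RE = re.compile(r"^\\\\\?\\(.+?) \+\+\+ File read error$")
_NOTIFY_RE = re.compile(r"\\Winlogon\\Notify\\([^\\\s]+)$")


def parse_findall(text):
    """Pull the four indicators out of a Find-All log; missing ones stay None/empty."""
    report = {"windows_key_size": None, "appinit_value": None,
              "suspect_files": [], "notify_subkeys": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := _SIZE_RE.match(line):
            report["windows_key_size"] = int(m.group(1))
        elif m := _APPINIT_RE.match(line):
            report["appinit_value"] = m.group(1)      # "" when the value is empty
        elif m := _SUSPECT_RE.match(line):
            if m.group(1) not in report["suspect_files"]:   # the log repeats the line
                report["suspect_files"].append(m.group(1))
        elif m := _NOTIFY_RE.search(line):
            report["notify_subkeys"].add(m.group(1))
    return report


def assess(report):
    """Turn parsed indicators into findings; an empty list means nothing suspicious."""
    findings = []
    size, value = report["windows_key_size"], report["appinit_value"]
    if size is not None and size > SIZE_DEFAULT:
        findings.append(f"'Windows' key is {size} bytes, above the {SIZE_DEFAULT}-byte default")
    if value:
        findings.append(f"AppInit_DLLs lists loader DLLs: {value}")
    elif value == "" and size is not None and size > SIZE_DEFAULT:
        # The helper's point: regedit shows no data, yet the key is oversized.
        findings.append("AppInit_DLLs shows empty but the key is oversized: data may be hidden")
    for path in report["suspect_files"]:
        findings.append(f"locked/unreadable file: {path}")
    for key in sorted(report["notify_subkeys"] - DEFAULT_NOTIFY):
        findings.append(f"non-default Winlogon\\Notify subkey: {key}")
    return findings


# Constructed excerpt modelled on the thread's second log (before the DLL was moved).
INFECTED_LOG = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLLPOJ.DLL +++ File read error
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016
"""

# Constructed excerpt modelled on the thread's third log (after the value was deleted).
CLEAN_LOG = r"""
»»Locked or 'Suspect' file(s) found...
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Spooler"="yes"
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
"""

if __name__ == "__main__":
    for name, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        print(f"{name}: {assess(parse_findall(log)) or 'no findings'}")
```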


OK I have the CTLLPOJ.DLL moved to the C:\junkxxx folder. Here are my new logs. Thanks again.

 

 

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.2 -6/07 @@@***==--

 

 

Mon Jun 07 18:21:47 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (9029:3B15) - FS:NTFS clusters:4k

Total: 119 957 479 424 [112G] - Free: 114 819 887 104 [107G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe

 

 

»»PC uptime:

6:21pm up 0 days, 0:09

 

»»Locked or 'Suspect' file(s) found...

 

 

»»Tasks (services):

0 System Process

4 System

396 SMSS.EXE

444 CSRSS.EXE Title:

468 WINLOGON.EXE Title: NetDDE Agent

512 SERVICES.EXE Svcs: Eventlog,PlugPlay

524 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

704 SVCHOST.EXE Svcs: RpcSs

760 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi

ity,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,S

NS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upl

admgr,w32tim

936 SVCHOST.EXE Svcs: Dnscache

980 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

1108 explorer.exe Title: Program Manager

1192 LEXBCES.EXE Svcs: LexBceS

1228 SPOOLSV.EXE Svcs: Spooler

1264 LEXPPS.EXE Title:

1372 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor

1408 Directcd.exe Title: DirectCD

1416 Support.exe Title: Support

1424 Realmon.exe Title: Realmon

1440 CsRemnd.exe

1468 aoltray.exe Title:

1532 NotifyAlert.exe Title: WindowsFormsParkingWindow

1720 diagent.exe Title: Creative Diagnostics Agent

1844 ALG.EXE Svcs: ALG

1856 acsd.exe Svcs: AOL ACS

1880 CISVC.EXE Svcs: CiSvc

1920 CTsvcCDA.EXE Svcs: Creative Service for CDROM Access

1952 InoRpc.exe Svcs: InoRPC

1976 InoRT.exe Svcs: InoRT

1988 InoTask.exe Svcs: InoTask

212 LogWatNT.exe Svcs: LogWatch

356 SVCHOST.EXE Svcs: stisvc

420 wanmpsvc.exe Svcs: WANMiniportService

864 MsPMSPSv.exe Svcs: WMDM PMSP Service

3240 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

3276 NTVDM.EXE

3348 CIDAEMON.EXE

3376 CIDAEMON.EXE Title: OleMainThreadWndName

3424 TASKMGR.EXE Title: Windows Task Manager

3468 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7A9A99-1D29-4991-8D1B-1B21DD07428F}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{509D037B-BB78-4C38-BD9A-9478A071B3E0}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access D3C4S521\Administrator

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access D3C4S521\Administrator

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

 

»»Winlogon\notify:

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

 

»»Group/user settings:

 

 

User: [D3C4S521\don ladas], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group D3C4S521\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:F

BUILTIN\Administrators:(OI)(CI)(IO)F

NT AUTHORITY\SYSTEM:F

NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F

D3C4S521\don ladas:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:R

BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ

GENERIC_EXECUTE

 

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file:

R C:\WINDOWS\System32\Drivers\etc\hosts

-r--- - - - - - 814 06-06-2004 hosts

------

»»Rehash:

 

»Strings found:

 

Mon Jun 07 18:22:07 2004 -- ++Find-All backups:

c:\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-07-2004 winbackup.hiv

c:\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-07-2004 windows.txt

A C:\FindallwinBackup.hiv

--a-- - - - - - 8,192 06-06-2004 findallwinbackup.hiv

A C:\findallappinit.reg

--a-- - - - - - 632 06-06-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Where is the file, exactly? :scratchhead:

 

OK I have the CTLLPOJ.DLL

moved to the C:\junkxxx folder.

-Here are my new logs

 

------------------------------------------------

 

 

 

ERROR: There are no more files.

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

0 bytes, 0 ms = 0.00 MB/sec

 

 

 

Can you go to: C:\junkxxx and specify its current contents?

If you deleted the file, specify as well, as some of the next steps will not work properly!


The C:\junkxxx folder has nothing in it. I also went into safe mode and the folder has nothing in it. I followed your last set of instructions and have deleted nothing.

 

After restart, find: C:\WINDOWS\System32\*CTLLPOJ.DLL as it should be visible, and use the folder's top menu option: "Edit-> Move to folder..."
*Browse to and select: C:\junkxxx folder
'ok' it.


I found where the CTLLPOJ.DLL file went: my virus protection deleted it. It was marked as win32/agent.j.downloader.trojan.


That's what I thought! :D

 

You can proceed with the last set of steps now!

---Open the 'Find-All'\Tools subfolder.
DoubleClick once on the "ZIPZAP.bat" file!

It will quickly/silently do this:
*Restore your key & security back to defaults
*Reset permissions on the junkxxx\*.dll moved file
*Create a zipped copy in the same folder: "junkxxx.zip"
*Open your email client with given addresses for submission!

--Drag the 'junkxxx.zip' and submit the attachment to the specified addresses! Thanks

When done, delete the "junkxxx.zip" and the 'Find-All' folder(s)!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next, you need to clear all the elements the hijacker downloaded!
Run these tools (whether used before or not!), as they should work properly now, and have them fix all problems:

*Ad-Aware 6 Build 181:
http://www.lavasoftusa.com/software/adaware/

*Latest reference file:
http://www.lavasoftsupport.com/index.php?showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181
http://www.lavahelp.com/howto/fullscan/index.html

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

*Ignore the submission part! Obviously there is nothing to submit!
Feel free to post another hijackthis log when done! ;)
(well done so far!)


freeatlast, here is my HijackThis log file. Thanks for all the help so far. This place is the best. Do you see anything else I should be worried about? Again, thanks for the help.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:17:02 PM, on 6/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\WINDOWS\LogWatNT.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\CA\eTrust\InoculateIT\realmon.exe

C:\Program Files\CasinoOnline\CsRemnd.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB


Fix these:

 

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

*O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

 

Reboot and delete the Program Files\"CasinoOnline" Subfolder!

 

All's well, otherwise! :D


freeatlast, just wanted to say thanks for helping remove the spyware. You and this forum are great. It’s nice to have a place to get help with this pain-in-the-butt spyware. Thanks again.
